dudil / fastapi_msal

A FastAPI Plug-In to support authentication authorization using the Microsoft Authentication Library (MSAL)
MIT License

How to get group claims? #11

Closed philipsd6 closed 9 months ago

philipsd6 commented 2 years ago

I'm trying to get group information into my FastAPI app from MSAL, but I can't see that it's supported.

Describe the solution you'd like: I want to add group claims in my token configuration and have them show up in the UserInfo model for use in authorizations in my endpoints.

Describe alternatives you've considered: I've configured my token configuration in my AZ AD App to "emit groups as role claims" for ID and Access types.

Additional context: None.

dudil commented 2 years ago

Hi @philipsd6,

Sorry for the delay, busy days. Can you please elaborate if you are trying to use AAD B2B or AAD B2C? From my experience they are different in the details they provide.

BTW - I have another project in work which could provide the groups via MS Graph. I'm pretty much delayed with it but if this works for you I'll try to push that into a stable version this week.

Cheers!

philipsd6 commented 2 years ago

I actually don't know for sure which I'm using! I just followed the quick start you linked to, and also based on running these CLI commands:

    # Tenant of the default subscription after login
    TENANT=$(az login --query "[?isDefault].tenantId|[0]" -o tsv)
    # Register the app and capture its application (client) ID
    CLIENT_ID=$(az ad app create --display-name "TestingApp" \
                                 --reply-urls http://localhost:8000/docs/oauth2-redirect \
                                 --query appId -o tsv)
    # Create a client secret for the app (no spaces around "=" in shell assignments)
    CLIENT_CREDENTIAL=$(az ad app credential reset --id "$CLIENT_ID" \
                                                   --query password -o tsv)

Which I then customized in the portal by adding group claims in varying configurations to see what, if anything, worked. But looking at your UserInfo model, there are no group fields in it, so wouldn't they be stripped out anyway?

I look forward to seeing your other project! Thanks for putting all this MSAL stuff together in a reusable FastAPI fashion!

dudil commented 2 years ago

Hi @philipsd6 - I wasn't around this project for a while. If this is still relevant, I published a more complete py365 package for handling the Microsoft Graph API, including groups I believe. You should try it out! https://github.com/dudil/py365

I can't recall if this is the latest version I have on my computer that includes the fastapi_msal integration. If not, please let me know and I'll look into updating it.

steffenschumacher commented 10 months ago

So in my case I'm using plain AAD, and the app has been set up so that the token includes the roles of the user directly in the ID token. This means that `token_claims: dict` in clients/async_conf_clients.py contains a `roles: list[str]` after decoding:

    async def validate_id_token(self, id_token: str, nonce: OptStr = None) -> IDTokenClaims:
        token_claims: OptStrsDict = await self.__execute_async__(
            self._cca.client.decode_id_token, id_token=id_token, nonce=nonce
        )
        return IDTokenClaims.model_validate(token_claims)

So in practice, since IDTokenClaims is inheriting from UserInfo, it would only be a question of adding:

    class UserInfo(BaseModel):
        ...
        roles: Optional[list[str]] = Field(None)  # add this somewhere

Since then it would be automatically set, right?

This would make it super easy to implement RBAC, and there's no need to query graph or anything like that.. Pretty please?
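
The model-plus-dependency pattern described in this comment, as an added example that is not part of the original thread and not fastapi_msal's own code. It uses stdlib dataclasses in place of pydantic so it runs with no dependencies; in fastapi_msal the same `roles` field would go on the pydantic `UserInfo` model. The claims dictionary, the tenant/app identifiers and the `Forbidden` exception (standing in for FastAPI's `HTTPException(403)`) are constructed for the example. It also covers two caveats the comment does not mention: Entra omits the `roles` claim entirely for a user with no app role assignment, so an absent claim must mean "no roles" rather than "skip the check"; and when the app is set to "emit groups as role claims", the values in `roles` are group object IDs rather than app role names, so both kinds of value have to be accepted by the check.

```python
"""Added example (not fastapi_msal code): carry the `roles` claim from a
validated ID token into a user model and enforce role-based access."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of decoded ID-token claims, shaped like what MSAL's
# decode_id_token returns after signature/nonce validation. All values are
# made up. `roles` holds an app role value ("Admin") and a group object ID,
# which is what "emit groups as role claims" produces.
SAMPLE_CLAIMS = {
    "aud": "00000000-0000-0000-0000-000000000000",
    "iss": "https://login.microsoftonline.com/<tenant>/v2.0",
    "oid": "11111111-1111-1111-1111-111111111111",
    "preferred_username": "alice@example.com",
    "roles": ["Admin", "22222222-2222-2222-2222-222222222222"],
}


@dataclass
class UserInfo:
    """Minimal stand-in for the project's pydantic UserInfo model."""
    preferred_username: Optional[str] = None
    oid: Optional[str] = None
    # Absent claim -> empty list. Entra omits `roles` for users with no
    # app-role assignment, so None must never be read as "all roles".
    roles: list[str] = field(default_factory=list)

    @classmethod
    def from_claims(cls, claims: dict) -> "UserInfo":
        """Build the model from already-validated claims (never from a
        token whose signature has not been checked)."""
        roles = claims.get("roles") or []
        if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
            raise ValueError("roles claim must be a list of strings")
        return cls(
            preferred_username=claims.get("preferred_username"),
            oid=claims.get("oid"),
            roles=list(roles),
        )


class Forbidden(Exception):
    """Stand-in for fastapi.HTTPException(status_code=403)."""


def require_roles(*required: str):
    """Return a checker admitting the user only if they hold ALL of the
    required values (app role names or group object IDs). In FastAPI this
    would be wrapped in Depends() receiving the UserInfo from the session;
    here it is a plain callable so the logic runs stand-alone."""
    wanted = frozenset(required)

    def check(user: UserInfo) -> UserInfo:
        missing = wanted.difference(user.roles)
        if missing:  # deny by default: no claim means no roles
            raise Forbidden(f"missing roles: {sorted(missing)}")
        return user

    return check


def is_admin(claims: dict) -> bool:
    """Convenience wrapper: does this claim set grant the Admin role?"""
    try:
        require_roles("Admin")(UserInfo.from_claims(claims))
        return True
    except Forbidden:
        return False
```

The check compares exact strings, so a required group must be referenced by its object ID, which is what the token carries; resolving IDs to display names would need a Graph call, which this approach deliberately avoids.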

dudil commented 9 months ago

Issue is now closed with the latest release, version 2.1.2 🙏