jenkinsci / azure-ad-plugin

Authentication and Authorization with Azure AD
https://plugins.jenkins.io/azure-ad/
MIT License

Add support for Azure App Roles #129

Open reasland opened 3 years ago

reasland commented 3 years ago

Dependencies

Feature Request

I currently have a fork of azure-ad-plugin in which I'm trying to implement this when I have time (I am not a Java dev by far, however): https://github.com/reasland/azure-ad-plugin/tree/dev/src/main/java/com/microsoft/jenkins/azuread

But I want to throw out a feature request to support Azure AD App Roles in addition to the current Security Groups

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

Basically, App Roles (maybe still in preview) are an App-specific Security Group that is limited to only the App, so it does not require adding Microsoft Graph permissions to extend support for giving the App permissions to look at all Security Groups, etc.

KalleOlaviNiemitalo commented 2 years ago

According to Add app roles and get them from a token, app roles go to the "roles" claim. According to Microsoft identity platform ID tokens, the value of the "roles" claim is an array of strings, so I think it could be extracted the same way as "groups" here: https://github.com/jenkinsci/azure-ad-plugin/blob/437429002c6b313b8d3a1c6903c13726b7a7bea6/src/main/java/com/microsoft/jenkins/azuread/AzureAdUser.java#L95

where getStringListClaimValue is implemented in jose4j.

A minimal implementation without support for Microsoft Graph API could perhaps just put the role IDs in the same list as group IDs, and they could then be used for authorization within Jenkins.

However, I have not checked what the "roles" claim looks like in practice. Maybe there is some easy way to log all the claims in order to check this, before attempting to implement anything there.
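As an added example (not code from the plugin or from any commenter), this shows the merge of the "groups" and "roles" claims sketched above using jose4j's JwtClaims API, tolerating a missing claim and dumping the claim names so the actual token contents can be checked first. The sample claims JSON, the role strings and the class name are constructed; the plugin's real AzureAdUser code is not reproduced.

```java
import java.util.ArrayList;
import java.util.List;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;

public final class ClaimAuthorities {

    // Constructed sample of the claims part of an Azure AD ID token (hypothetical values).
    // "roles" holds the app role strings assigned to the signed-in user.
    static final String SAMPLE_CLAIMS = "{"
            + "\"aud\":\"00000000-0000-0000-0000-000000000000\","
            + "\"iss\":\"https://login.microsoftonline.com/tenant-id-placeholder/v2.0\","
            + "\"groups\":[\"11111111-1111-1111-1111-111111111111\"],"
            + "\"roles\":[\"Jenkins.Build\",\"Jenkins.Read\"],"
            + "\"preferred_username\":\"user@example.com\""
            + "}";

    /** Reads a string-array claim; an absent claim yields an empty list instead of an exception. */
    static List<String> stringListClaim(JwtClaims claims, String name) throws MalformedClaimException {
        if (!claims.hasClaim(name)) {
            return List.of();
        }
        return claims.getStringListClaimValue(name);
    }

    /** Puts app-role values into the same list as group IDs, as the thread proposes. */
    static List<String> authorities(JwtClaims claims) throws MalformedClaimException {
        List<String> result = new ArrayList<>(stringListClaim(claims, "groups"));
        for (String role : stringListClaim(claims, "roles")) {
            if (!result.contains(role)) {
                result.add(role);
            }
        }
        return result;
    }

    public static void main(String[] args) throws InvalidJwtException, MalformedClaimException {
        // In the plugin these would be the claims of an already signature-validated token;
        // parsing the sample JSON directly performs no validation at all.
        JwtClaims claims = JwtClaims.parse(SAMPLE_CLAIMS);
        // Listing the claim names answers "what does the roles claim look like in practice".
        System.out.println("claims present: " + claims.getClaimNames());
        System.out.println("authorities: " + authorities(claims));
    }
}
```

Whether the "roles" claim carries role value strings or IDs should be confirmed against a real token before wiring it into permission entries.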

timja commented 2 years ago

A breakpoint in a debugger is pretty easy to do, and you can see everything.

KalleOlaviNiemitalo commented 2 years ago

Should permission entries for Azure app roles have AuthorizationType.GROUP (source) or something new?

timja commented 2 years ago

Group, I think, is what it maps to here. E.g. not sure if you get a UUID or a display name, but if 12313-213121-12313-1231 is returned, you're using that to allow multiple people to get, say, the Job/Build permission.