Open reasland opened 3 years ago
According to "Add app roles and get them from a token", app roles go to the "roles" claim. According to "Microsoft identity platform ID tokens", the value of the "roles" claim is an array of strings, so I think it could be extracted the same way as "groups" here: https://github.com/jenkinsci/azure-ad-plugin/blob/437429002c6b313b8d3a1c6903c13726b7a7bea6/src/main/java/com/microsoft/jenkins/azuread/AzureAdUser.java#L95 where getStringListClaimValue is implemented in jose.4.j.
A minimal implementation without support for Microsoft Graph API could perhaps just put the role IDs in the same list as group IDs, and they could then be used for authorization within Jenkins.
However, I have not checked what the "roles" claim looks like in practice. Maybe there is some easy way to log all the claims in order to check this, before attempting to implement anything there.
A breakpoint in a debugger is pretty easy to do, and you can see everything.
Should permission entries for Azure app roles have AuthorizationType.GROUP (source) or something new?
Group I think is what it maps to here, e.g. not sure if you get a UUID or a display name, but if 12313-213121-12313-1231 is returned, you're using that to allow multiple people to get, say, the Job/Build permission.
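The two points above (pull "roles" out of the token the same way as "groups", and treat the result as GROUP-type authorities) as an added example. This is not azure-ad-plugin code and not code from anyone in this thread; it uses the jose4j `JwtClaims` API the plugin already depends on. The claim set is a constructed sample with placeholder GUIDs, parsed from its JSON form so the example runs offline; in the plugin the claims would come from the already-verified token, and this example does no signature or audience checking of its own.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;

/**
 * Added example, not azure-ad-plugin code: read the "groups" and "roles" claims
 * from an ID token claim set with jose4j and merge them into one authority list.
 */
public class RolesAndGroupsExample {

    // Constructed sample claim set. The GUIDs are placeholders, not real tenant data.
    // "roles" holds the app role "value" strings; "groups" holds group object IDs.
    static final String SAMPLE_CLAIMS_JSON =
        "{\"aud\":\"00000000-0000-0000-0000-000000000001\","
      + "\"oid\":\"11111111-1111-1111-1111-111111111111\","
      + "\"groups\":[\"22222222-2222-2222-2222-222222222222\"],"
      + "\"roles\":[\"Jenkins.Build\",\"Jenkins.Admin\"]}";

    /**
     * Returns a string-array claim, or an empty list when the claim is absent.
     * Both "groups" and "roles" are optional: a user with no app role assignment
     * gets no "roles" claim at all, and that must not be treated as an error.
     */
    static List<String> stringListClaimOrEmpty(JwtClaims claims, String name)
            throws MalformedClaimException {
        if (!claims.hasClaim(name)) {
            return new ArrayList<>();
        }
        // Throws MalformedClaimException if the claim is present but is not an array of strings.
        return claims.getStringListClaimValue(name);
    }

    /**
     * Merge group IDs and app role values into one de-duplicated list, the
     * "put the role IDs in the same list as group IDs" approach suggested above.
     * Order is preserved so log output is stable.
     */
    static List<String> authorities(JwtClaims claims) throws MalformedClaimException {
        Set<String> out = new LinkedHashSet<>();
        out.addAll(stringListClaimOrEmpty(claims, "groups"));
        out.addAll(stringListClaimOrEmpty(claims, "roles"));
        return new ArrayList<>(out);
    }

    /** Dump every claim in the token; the "log all the claims" check suggested above. */
    static void logClaims(JwtClaims claims) {
        for (Map.Entry<String, Object> e : claims.getClaimsMap().entrySet()) {
            System.out.println(e.getKey() + " = " + e.getValue());
        }
    }

    public static void main(String[] args) throws InvalidJwtException, MalformedClaimException {
        // JwtClaims.parse takes the decoded JSON claim set, not a compact-serialized JWT.
        JwtClaims claims = JwtClaims.parse(SAMPLE_CLAIMS_JSON);
        logClaims(claims);
        // Expected: [22222222-2222-2222-2222-222222222222, Jenkins.Build, Jenkins.Admin]
        System.out.println("authorities: " + authorities(claims));
    }
}
```

Two things worth keeping in mind if this is wired into the plugin. First, the role entries are the app role "value" strings configured in the app registration, while the group entries are object IDs, so the merged list mixes two namespaces; that is fine for matching permission entries against whatever the admin typed, but the role values should be chosen so they cannot be confused with a group ID. Second, `getStringListClaimValue` rejects a claim that is a bare string rather than an array, so if the real token ever turns out to carry "roles" in a different shape, the `MalformedClaimException` path is where that would surface.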
Labels: Dependencies, Feature Request
I currently have a fork of azure-ad-plugin in which I'm trying to implement this when I have time (I am not a Java dev by far, however): https://github.com/reasland/azure-ad-plugin/tree/dev/src/main/java/com/microsoft/jenkins/azuread
But I want to throw out a feature request to support Azure AD App Roles in addition to the current Security Groups
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
Basically App Roles (maybe still in preview) are an App-specific Security Group that is limited to only the App, so it does not require adding Microsoft Graph permissions to extend support for giving the App permissions to look at all Security Groups, etc.