microsoftgraph / msgraph-bicep-types

Repo contains Microsoft Graph resource types to integrate with bicep templates.
MIT License
45 stars 7 forks

Entra Application OIDC-based Single Sign-On Attributes & Claims #188

Open DavidMrLane opened 3 weeks ago

DavidMrLane commented 3 weeks ago

image

Is it possible to configure the OIDC single sign-on attributes & claims using Bicep? The ones in the screenshot above were done manually.

In a `Microsoft.Graph/applications@v1.0` resource, adding items to `idToken` in `optionalClaims` only adds claims under the token configuration, and I can't see any other relevant section.

image
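As an added example (not code from the issue or from the msgraph-bicep-types project), this is the shape of the template the reporter describes: an application whose `optionalClaims.idToken` entries surface under "Token configuration" in the portal. The `extension` declaration line, the `uniqueName`/`displayName` values and the assumption that the Graph extension is enabled in `bicepconfig.json` are assumptions of this example; the `optionalClaims` block mirrors the Graph `application` resource as the reporter used it.

```bicep
// Added example, not from the issue or the project. Assumes the Microsoft Graph
// Bicep extension is enabled and that this alias matches the installed type package.
extension microsoftGraphV1

// Constructed values for the example.
param appUniqueName string = 'example-oidc-app'
param appDisplayName string = 'Example OIDC app'

resource app 'Microsoft.Graph/applications@v1.0' = {
  uniqueName: appUniqueName
  displayName: appDisplayName
  signInAudience: 'AzureADMyOrg'

  // What the reporter observed: these entries appear under the app's
  // "Token configuration" blade, not under the SSO "Attributes & Claims" blade.
  optionalClaims: {
    idToken: [
      { name: 'family_name', essential: false }
      { name: 'given_name', essential: false }
    ]
  }

  // The "Attributes & Claims" blade is backed by a claims policy resource that,
  // per this thread, has no Microsoft.Graph Bicep type yet. Adding an
  // unrecognized property for it here fails at compile time; the Graph
  // extension never sees the request.
}

output applicationId string = app.appId
```

Deploying this keeps the claim configuration declarative and reviewable, which is the point of moving it out of the portal; anything the type package cannot express (the claims policy the thread goes on to discuss) still has to be tracked and reviewed separately until a type for it ships.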

dkershaw10 commented 3 weeks ago

Thanks for reporting @DavidMrLane. I'm not convinced that this is a bug. It's more of a missing Bicep type. From what I gather, custom claims are described here: https://learn.microsoft.com/entra/identity-platform/reference-claims-customization#claims-customization-using-a-policy. It looks like there are two APIs for this, and https://learn.microsoft.com/graph/api/resources/customclaimspolicy?view=graph-rest-beta appears to be used by the UI you have screenshots for. The second one is https://learn.microsoft.com/graph/api/resources/claimsmappingpolicy?view=graph-rest-1.0.

Neither of these resources is exposed in Microsoft Graph Bicep Types, and I would need to find the owners for these types to understand if we are planning to keep both APIs. However, the second one, claims mapping policy, is GA and available in all supported national clouds.

shenglol commented 3 weeks ago

@dkershaw10 - Does the Graph extension validate types, or does it function as a passthrough? If it’s the latter, would it make sense to update the Graph type loader to emit a warning instead of an error for unrecognized properties? This approach would let users work with these properties while awaiting a new type package release. For reference, we handle Azure resources similarly, emitting warnings rather than errors for resource type issues:

image

dkershaw10 commented 3 weeks ago

@shenglol That seems orthogonal to this issue. Anyways, I believe that the extension functions more like a passthrough: it won't error, and I don't think it even emits a warning. @jason-dou do we emit any warnings when trying to deploy a template with unrecognized properties?

jason-dou commented 2 weeks ago

@dkershaw10 The Graph extension functions as a passthrough, but the request won't reach the extension if deploying a Bicep template. The Bicep compiler will throw an error and fail the deployment if the resource contains unrecognized properties.

dkershaw10 commented 2 weeks ago

@jason-dou I've created a separate issue to track changing the type loader to emit a warning rather than an error: #191 cc: @shenglol