I'm using the python social auth library with Azure AD authentication.
I tried both "AzureADTenantOAuth2" and "AzureADOAuth2". After logging in and being redirected back to the application, I pasted the returned user id token into jwt.io, but the user's "id_token" doesn't contain "scope" and "roles".
In the application, "SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_SCOPE" / "SOCIAL_AUTH_AZUREAD_OAUTH2_SCOPE" was replaced by ['xxxxxxxx/user_impersonation', 'openid', 'profile', 'offline_access'].
What are the steps to reproduce this issue?
Input clear steps to reproduce the issue for a maintainer.
use AzureADTenantOAuth2 / AzureADOAuth2
add required argument in settings.py e.g. "SOCIAL_AUTH_AZUREAD_OAUTH2_KEY"
do azure AD oauth2 authentication and redirect back to application
check the returned user id token (it doesn't contain scp and roles)
Expected behaviour
Roles and scope should be in the returned id_token.
Actual behaviour
I'm using the python social auth library with Azure AD authentication.
I tried both "AzureADTenantOAuth2" and "AzureADOAuth2". After logging in and being redirected back to the application, I pasted the returned user id token into jwt.io, but the user's "id_token" doesn't contain "scope" and "roles".
In the application, "SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_SCOPE" / "SOCIAL_AUTH_AZUREAD_OAUTH2_SCOPE" was replaced by ['xxxxxxxx/user_impersonation', 'openid', 'profile', 'offline_access'].
Any logs, error output, etc?
No error, the code is running fine, but the token wasn't.
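
A local way to do the "check returned user id token" step without pasting the token into jwt.io, as an added example that is not part of the original report or of python-social-auth: it decodes each JWT in a token response without verifying the signature and lists the scp and roles claims it carries. The token_response layout, the helper names and every sample value are constructed for illustration.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.
    For inspection only; never authorize a request on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    claims = json.loads(_b64url_decode(parts[1]))  # raises ValueError if malformed
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def authz_claims(token_response: dict) -> dict:
    """For each token in the response, list its aud, scp and roles values."""
    report = {}
    for name in ("id_token", "access_token"):
        token = token_response.get(name)
        if not token:
            continue
        try:
            claims = decode_claims(token)
        except ValueError:
            report[name] = None  # opaque or malformed token, nothing to inspect
            continue
        scp = claims.get("scp", "")  # scp is a space-delimited string
        report[name] = {"aud": claims.get("aud"),
                        "scp": scp.split() if isinstance(scp, str) else list(scp),
                        "roles": list(claims.get("roles", []))}
    return report


def _make_token(claims: dict) -> str:
    # Constructed, unsigned sample token with a placeholder signature segment.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample response; all claim values are made up.
SAMPLE = {
    "id_token": _make_token({"aud": "client-id-placeholder", "name": "Test User"}),
    "access_token": _make_token({"aud": "api-placeholder", "scp": "user_impersonation",
                                 "roles": ["Example.Read"]}),
}

if __name__ == "__main__":
    print(json.dumps(authz_claims(SAMPLE), indent=2))
```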