python-social-auth / social-core

Python Social Auth - Core
BSD 3-Clause "New" or "Revised" License
848 stars 544 forks

Group assignments to be automatically replicated from Microsoft Azure AD #794

Open mrmrcoleman opened 1 year ago

mrmrcoleman commented 1 year ago

Expected behaviour

Group assignments to be automatically replicated from Microsoft Azure AD

Actual behaviour

The Microsoft Azure AD authentication backend is not group-aware: it has no mechanism for handling the assignment of groups learned via Azure AD authentication and is currently limited to deriving the username, email address, and first & last name of the authenticated account.

What are the steps to reproduce this issue?

  1. Consuming application creates a local authentication group.
  2. Consuming application's user creates various custom permissions and assigns them to the group in the application itself.
  3. User creates an authentication group in Microsoft Azure AD and assigns Azure AD accounts to it.
  4. Azure AD group assignments for the user are not automatically replicated to the application consuming Python Social Auth.

Any logs, error output, etc?

No logs as the functionality doesn't exist yet.

Any other comments?

We would like to submit a fix for this:

Create a custom backend to extend and replace the built-in Azure AD backend to provide this ability in Python Social Auth

We are happy to do the work and support it moving forward, but we would like some clarity around:

  1. Whether or not this would be accepted by the maintainers?
  2. Within which time frame that might be possible?

yrro commented 1 year ago

FYI (with my Azure AD application administrator hat on here) I would not want an id token to contain a groups claim with every group that the user is a member of. This can number hundreds of groups, nearly all of which will fall into the category of "information that the application does not need to know". Therefore it's not proper to use groups in this manner. There are also practical concerns (e.g., at least with Azure AD, once there are too many groups to fit into the groups claim, groups will be randomly dropped and an additional claim will mean "this group list is incomplete; you need to query MS Graph for the full list").

What I would like instead is for applications to be able to use the roles claim. Identity providers (such as Azure AD) allow a list of roles to be configured on an application, and then users and groups can be assigned to those roles; when a user signs in, their token will have a roles claim with a list of roles. The application should use that list to determine the user's permissions within the application.
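As an added illustration of the two positions above (syncing group membership vs. consuming the roles claim), here is a framework-agnostic pipeline step in the shape social-core pipeline functions take. It is example code, not part of social-core or the Azure AD backend; the role names, the `app_roles` attribute on the user object and the sample claims are constructed, and the `_claim_names` / `_claim_sources` keys are the markers Azure AD emits when the groups claim has been truncated.

```python
"""Role-aware login step for an Azure AD id token (added example)."""
from typing import Iterable

# Hypothetical app roles configured on the Azure AD application registration.
# The consuming application decides which permissions each role carries.
KNOWN_APP_ROLES = {"Reader", "Editor", "Admin"}

# Constructed sample of decoded id-token claims, as social-core merges them
# into ``response``.  The user is in too many groups, so Azure AD replaced the
# groups claim with an overage pointer to MS Graph.
SAMPLE_CLAIMS = {
    "preferred_username": "alice@example.com",
    "roles": ["Editor", "Auditor"],  # "Auditor" is not a configured app role
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "<ms-graph-endpoint-placeholder>"}},
}


def groups_claim_is_complete(claims: dict) -> bool:
    """False when Azure AD signals that the groups claim was truncated.

    Any logic that trusts ``groups`` must treat such a token as incomplete
    instead of granting permissions from a partial list.
    """
    return "groups" not in (claims.get("_claim_names") or {})


def roles_from_token(claims: dict, known_roles: Iterable[str] = KNOWN_APP_ROLES) -> set:
    """Return the app roles in the token that the application actually knows.

    Unknown role names are dropped so a misconfigured IdP cannot smuggle in a
    name that some code path later treats as privileged.
    """
    token_roles = claims.get("roles") or []
    if not isinstance(token_roles, list):
        token_roles = [token_roles]
    allowed = set(known_roles)
    return {role for role in token_roles if role in allowed}


def assign_roles(strategy, details, backend, user=None, response=None, *args, **kwargs):
    """Pipeline-style step: grant roles from the roles claim, never from groups.

    ``response`` is the dict social-core passes to pipeline steps (token
    response merged with the decoded id token).  Returns what was granted so
    the result can be inspected by callers and tests.
    """
    claims = response or {}
    granted = roles_from_token(claims)
    if user is not None:
        user.app_roles = granted  # assumption: the user model carries this attribute
    return {"granted_roles": granted, "groups_complete": groups_claim_is_complete(claims)}
```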