Open ebreton opened 2 years ago
Hi! I'm out skiing so I'll give you a little tip, and we can troubleshoot more another day.
If you want to make a user super user based on a group, you can use this setting:
```python
'GROUP_TO_FLAG_MAPPING': {
    'is_staff': 'MyAdminGroup'
},
```
Thanks for the quick answer, on the skiing slopes
I have set up Groups in Azure and the settings accordingly, but I still have something astray with the token:
```
DEBUG 2022-02-05 16:19:42,583 django_auth_adfs The configured groups claim 'roles' was not found in the access token
DEBUG 2022-02-05 16:19:42,583 django_auth_adfs The configured group claim was not found in the access token
```
I will try again to look at the user flow configuration in the meantime :)
Cheers
In Azure you have application roles and group claims. I recommend using application roles:
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
If you have groups, you need to configure them to be in the token I believe. Should be under app registration -> token configuration. They will not be under the roles claim though. Decode the token to see.
Hi @JonasKs,
TL;DR: I managed to set up the workaround through groups and app roles efficiently on Azure AD (not B2C). Thanks a lot for unblocking me!
That would probably be a nice addition to the doc; I can make a PR if you want.
My more detailed findings:
The blocking issue I face is that you simply do not have the features available. Here is a screenshot of an app, from the Registration Application menu:
Compared to what is in the Azure AD:
No Token configuration entry, no App role entry in B2C. I put it aside for now, but if you have any experience with it, that will be very welcome!
I face another issue with the `USERNAME_CLAIM`, which is `upn` for local members, but `email` for invited ones. What about supporting a list of `USERNAME_CLAIMS` where you could try the multiple keys? I am happy to make a PR if that makes sense for you.
I am still lost on how you can define properties in Azure AD and pass them to the app through claims. Any insight is welcome again. I guess that remains the main topic of the discussion :)
Cheers, Emmanuel
Hi, first off, thank you for the detailed explanations. It is so much easier to help people who put an effort into explaining.
I'm not on a PC this weekend, but I think #166 already solves your use case for usernames? Could you check that out?
As for the rest, I'll read through again tomorrow and see if I have any input.
My pleasure :)
I have tried the `GUEST_USERNAME_CLAIM`. It looks like exactly what I need... but... the account I am testing somehow has the same tenant id (how come????)... hence I am not satisfying all conditions, therefore I am still getting the `User claim's doesn't have the claim 'upn' in his claims` error.
I am not sure how it comes since I am using a professional AD with my personal Microsoft account, therefore not related to the AD before I invited myself. When double-checking in the AD, I can see that my personal email is flagged as invited: `emmanuel@xxx.ch#EXT#@xxxx.onmicrosoft.com`
I tried another account (my GitHub one). Following the sign-in process, I first got this error message:
```
AADSTS50020: User account 'manu@xxx.com' from identity provider 'live.com'
does not exist in tenant 'Hymexia AD' and cannot access the application
'xxxxxx'(Hymexia Fleet Manager) in that tenant. The account needs to be added
as an external user in the tenant first. Sign out and sign in again with a different
Azure Active Directory user account.
```
Therefore I invited this account, which looks as straightforward as it could be :)
I go through the invitation process and hit the same error as before, because the tenant id is the same as the AD.
What could explain it is that I had to kind of register into Hymexia AD during the invitation process, including setting a password (which makes no sense since I have then logged in with my GitHub account).
End of the story: I am definitely lacking knowledge on Azure AD itself...
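An added example, not code from django-auth-adfs or from anyone in this thread, covering two points raised above: JonasKs's advice to decode the token and see whether the groups land under `roles` or `groups` (the situation behind the DEBUG log earlier), and the guest-username case where `upn` is absent and `GUEST_USERNAME_CLAIM` only kicks in when the tenant id differs. It decodes a constructed, unsigned token offline without verifying it and checks the claims against a settings dict using the django-auth-adfs setting names; `GROUPS_CLAIM` is inferred from the log line, and the guest rule is a simplification of what the thread describes.

```python
import base64
import json

# Hypothetical settings using the django-auth-adfs setting names discussed in the thread; values are constructed.
SETTINGS = {
    "TENANT_ID": "00000000-0000-0000-0000-000000000000",  # placeholder tenant id
    "GROUPS_CLAIM": "roles",
    "GROUP_TO_FLAG_MAPPING": {"is_staff": "MyAdminGroup"},
    "USERNAME_CLAIM": "upn",
    "GUEST_USERNAME_CLAIM": "email",
}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_unsigned_token(claims):
    """Constructed, unsigned JWT for offline inspection only; not a real Azure token."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_payload(token):
    """Decode a JWT's payload segment without verifying the signature (inspection, not auth)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore the base64 padding JWT encoding strips
    return json.loads(base64.urlsafe_b64decode(segment))

def diagnose(claims, settings):
    """Compare the claims a token carries with the claims the settings expect."""
    report = {"username": None, "flags": {}, "problems": []}
    groups_claim = settings["GROUPS_CLAIM"]
    groups = claims.get(groups_claim, [])
    if groups_claim not in claims:
        # Same situation as the DEBUG log in the thread: 'roles' configured, token carries 'groups'.
        present = [c for c in ("roles", "groups") if c in claims]
        report["problems"].append(f"groups claim '{groups_claim}' missing; token has {present}")
    for flag, group in settings["GROUP_TO_FLAG_MAPPING"].items():
        report["flags"][flag] = group in groups
    # Simplified guest rule (assumption): the guest claim is only tried when the token's tenant id
    # differs from the configured tenant, which is the condition the thread says was not met.
    if settings["USERNAME_CLAIM"] in claims:
        report["username"] = claims[settings["USERNAME_CLAIM"]]
    elif claims.get("tid") != settings["TENANT_ID"] and settings["GUEST_USERNAME_CLAIM"] in claims:
        report["username"] = claims[settings["GUEST_USERNAME_CLAIM"]]
    else:
        report["problems"].append(f"no '{settings['USERNAME_CLAIM']}' claim and guest rule not met")
    return report

# Constructed guest token: invited user, same tenant id as the app, groups emitted as 'groups' not 'roles'.
SAMPLE_TOKEN = build_unsigned_token({"tid": SETTINGS["TENANT_ID"], "email": "guest@example.test", "groups": ["MyAdminGroup"]})
```

Running `diagnose(decode_payload(SAMPLE_TOKEN), SETTINGS)` reproduces both complaints from the thread; switching `GROUPS_CLAIM` to `groups` and using a tenant id that differs from the token's makes the flag and the guest username resolve.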
Hi folks,
First of all, thanks for the amazing lib. I find it clean and efficient.
Documentation is great too, and I could set up the basics in Azure thanks to the explicit tutorial. Thanks a lot!
I wanted to go further, and I was looking for setting up user rights through `BOOLEAN_CLAIM_MAPPING`, and I am hitting the Azure wall of a-kilometer-high documentation. Hence my question: could you add a section in the doc that describes the steps...
Status Point
Here are my findings of the last 24 hours trying to make it work on my own (being a complete newbie with Azure).
I started from the settings reference in the project doc, about `BOOLEAN_CLAIM_MAPPING`.
I did not find such a section in the Azure AD I created, nor in the Azure AD B2C :(
Regarding AD:
The posts I have found redirect to the token configuration page, showing how to add optional claims, but only existing ones apparently...
Therefore I searched how to define my claims, i.e. my new attributes on the users, but I only found an Azure feature, "custom security attribute", which requires a license and is still in PREVIEW.
It appears I am not on the right track.
Therefore I looked at AD B2C:
There, it looks simple to adjust the user attribute configuration (only available on AD B2C though).
But... there is no "token configuration" page as mentioned in a lot of places. I found the reason in the Microsoft doc
Regarding the claims token configuration, it appears that I have to use user flows or policies (https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-user-flow)
But that did not look like the way to go either
Conclusion:
I am pretty sure I am just getting lost in the Azure labyrinth and missing an obvious configuration.
Hence my issue, and the suggestion about extending the Tutorial :)
If this process sounds trivial or is well-known to anyone, I am glad for any help
Cheers, Emmanuel