snok / django-auth-adfs

A Django authentication backend for Microsoft ADFS and AzureAD
http://django-auth-adfs.readthedocs.io/
BSD 2-Clause "Simplified" License

HOWTO set up is_staff and is_superuser from Azure to App #219

Open ebreton opened 2 years ago

ebreton commented 2 years ago

Hi folks,

First of all, thanks for the amazing lib. I find it clean and efficient. 🤩

Documentation is great too, and I could setup the basics in Azure thanks to the explicit tutorial. Thanks a lot!

I wanted to go further, and I was looking for setting up user rights through BOOLEAN_CLAIM_MAPPING, and I am hitting the Azure wall of a-kilometer-high documentation.

Hence my question: could you add a section in the doc that describes the steps...

  1. to declare and set the attribute user_is_staff and user_is_superuser in Azure
  2. add the claims in the token
  3. (and get them, but it looks like this part is already working fine :)

🧭 Status Point

Here are my findings of the last 24 hours trying to make it work on my own (being completely newbie with Azure)

I started from the settings reference in the project doc, about BOOLEAN_CLAIM_MAPPING

You can find the short name for the claims you configure in the ADFS management console underneath ADFS ➜ Service ➜ Claim Descriptions

I did not find such a section in the Azure AD I created, nor in the Azure AD B2C :(

📔 Regarding AD:

The posts I have found redirect to the token configuration page, showing how to add optional claims, but only existing ones apparently...

Therefore I searched how to define my claims, i.e. my new attributes on the users, but I only found an Azure feature, custom security attributes, which requires a license and is still in PREVIEW.

It appears I am not on the good track

📚 Therefore I looked at AD B2C:

There, it looks simple to adjust the user attribute configuration (only available on AD B2C though)

attributes

But... there is no "token configuration" page as mentioned in a lot of places. I found the reason in the Microsoft doc

The UI option Token configuration blade is not available for apps registered in an Azure AD B2C tenant which can be configured by modifying the application manifest. For more information see Add claims and customize user input using custom policies in Azure Active Directory B2C

Regarding the claims token configuration, it appears that I have to use user flows or policies (https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-user-flow)

But that did not look like the way to go either

πŸ•΅οΈβ€β™‚οΈ Conclusion:

I am pretty sure I am just getting lost in the Azure labyrinth and missing an obvious configuration.

Hence my issue, and the suggestion about extending the Tutorial :)

If this process sounds trivial or is well-known to anyone, I am glad for any help

Cheers, Emmanuel


JonasKs commented 2 years ago

Hi! I'm out skiing so I'll give you a little tip, and we can troubleshoot more another day.

If you want to make a user super user based on a group, you can use this setting:

'GROUP_TO_FLAG_MAPPING': {
    'is_staff': 'MyAdminGroup'
},

ebreton commented 2 years ago

Thanks for the quick answer, on the skiing slopes ⛷️

I have setup Groups in Azure and the settings accordingly, but I still have something astray with the token

DEBUG 2022-02-05 16:19:42,583 django_auth_adfs The configured groups claim 'roles' was not found in the access token
DEBUG 2022-02-05 16:19:42,583 django_auth_adfs The configured group claim was not found in the access token

I will try again to look at the user flow configuration in the meantime :)

Cheers

JonasKs commented 2 years ago

😊

In Azure you have application roles and group claims. I recommend using application roles 😊

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

If you have groups, you need to configure them to be in the token I believe. Should be under app registration -> token configuration. They will not be under the roles claim though. Decode the token to see 😊
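As an added example (not code from this thread and not django-auth-adfs's own implementation), the following plain-Python snippet does what the thread is debugging: it decodes an access token's payload without verification to see which claims Azure actually sent, then applies a constructed GROUP_TO_FLAG_MAPPING / BOOLEAN_CLAIM_MAPPING to derive is_staff and is_superuser, and reproduces the "groups claim not found" debug message when the token carries `groups` but the configured claim is `roles`. The SETTINGS dict, the sample claims and the derive_flags() logic are assumptions for illustration; only the setting names come from the thread.

```python
import base64
import json

# Constructed settings for illustration (not from any real project). The keys are the
# django-auth-adfs settings named in this thread; derive_flags() is a stand-alone
# re-implementation of how such mappings behave, not the library's own code.
SETTINGS = {
    "GROUPS_CLAIM": "roles",
    "GROUP_TO_FLAG_MAPPING": {"is_staff": "MyAdminGroup", "is_superuser": "MyAdminGroup"},
    "BOOLEAN_CLAIM_MAPPING": {"is_superuser": "user_is_superuser"},
}
TRUTHY = ("y", "yes", "t", "true", "on", "1")


def _unb64url(segment: str) -> bytes:
    # JWT segments strip base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sample_token(payload: dict) -> str:
    """Constructed, unsigned sample token, used only as input for decode_jwt_payload()."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(payload)}.fake-signature"


def decode_jwt_payload(token: str) -> dict:
    """Payload of a compact JWT WITHOUT signature verification: use it to inspect which
    claims Azure put in the token, never to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_unb64url(parts[1]))


def derive_flags(claims: dict, settings: dict):
    """Apply GROUP_TO_FLAG_MAPPING, then BOOLEAN_CLAIM_MAPPING, to decoded claims.
    Returns (flags, messages): the debug messages a missing groups claim would produce."""
    flags, messages = {}, []
    groups_claim = settings["GROUPS_CLAIM"]
    groups = claims.get(groups_claim)
    if groups is None:
        messages.append(f"The configured groups claim '{groups_claim}' was not found in the access token")
        groups = []
    elif isinstance(groups, str):  # a single app role may arrive as a bare string
        groups = [groups]
    for flag, wanted in settings["GROUP_TO_FLAG_MAPPING"].items():
        wanted = [wanted] if isinstance(wanted, str) else list(wanted)
        flags[flag] = any(g in groups for g in wanted)
    for flag, claim in settings["BOOLEAN_CLAIM_MAPPING"].items():
        if claim in claims:  # an explicit boolean claim overrides the group result
            flags[flag] = str(claims[claim]).lower() in TRUTHY
    return flags, messages
```

Feeding a real token from the browser's session into decode_jwt_payload() shows at a glance whether Azure emitted `roles` (app roles) or `groups` (group claims), which is the distinction the debug lines earlier in this thread are pointing at.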

ebreton commented 2 years ago

Hi @JonasKs ,

TLDR; I managed to setup the workaround through groups and app roles efficiently on Azure AD (not B2C). Thanks a lot for unblocking me 🥇

That would probably be a nice addition to the doc, I can make a PR if you want.

My more detailed findings:

  1. Azure AD B2C is definitely a whole different beast to configure.

The blocking issue I face is that you simply do not have the features available. Here is a screenshot of an app, from the Registration Application menu:

App roles - B2C

Compared to what is in the Azure AD:

Screenshot 2022-02-06 at 12:46:08

No Token configuration entry, no App role entry in B2C

🆘 I put it aside for now, but if you have any experience with it, that will be very welcomed!

  2. Azure AD

I face another issue with the USERNAME_CLAIM, which is upn for local members, but email for invited ones

🔬 What about supporting a list of USERNAME_CLAIMS where you could try the multiple keys?

I am happy to make a PR if that makes sense for you

  3. Last but not least, user attributes...

I am still lost on how you can define properties in Azure AD, and pass them to the app through claims. Any insight is welcomed again. I guess that remains the main topic of the discussion :)

Cheers, Emmanuel

JonasKs commented 2 years ago

Hi, first off, thank you for the detailed explanations. It is so much easier to help people who put an effort into explaining. 😊

I'm not on a PC this weekend, but I think #166 already solves your use case for usernames? Could you check that out?

As for the rest, I'll read through again tomorrow and see if I have any input n

ebreton commented 2 years ago

My pleasure :)

I have tried the GUEST_USERNAME_CLAIM. It looks like exactly what I need... but... the account I am testing somehow has the same tenant id (how come????)... hence I am not satisfying all conditions, therefore I am still getting the User claim's doesn't have the claim 'upn' in his claims

I am not sure how it comes since I am using a professional AD with my personal Microsoft account, therefore not related to the AD before I invited myself. When double-checking in the AD, I can see that my personal email is flagged as invited: emmanuel@xxx.ch#EXT#@xxxx.onmicrosoft.com

I tried another account (my github one). Following the sign-in process, I first got this error message:

AADSTS50020: User account 'manu@xxx.com' from identity provider 'live.com' 
does not exist in tenant 'Hymexia AD' and cannot access the application 
'xxxxxx'(Hymexia Fleet Manager) in that tenant. The account needs to be added 
as an external user in the tenant first. Sign out and sign in again with a different 
Azure Active Directory user account.

Therefore I invited this account, which looks as straightforward as it could be :)

Screenshot 2022-02-07 at 18:25:40

I go through the invitation process and hit the same error as before, because the tenant id is the same as the AD.

What could explain it is that I had to kind of register into Hymexia AD during the invitation process, including setting a password (which makes no sense since I have then logged in with my GitHub account)

End of the story: I am definitely lacking knowledge on Azure AD itself... 🙄