staticwebdev / roles-function

https://docs.microsoft.com/azure/static-web-apps/assign-roles-microsoft-graph

Sample application using OpenID 2.0 #6

Closed steveworkman closed 2 years ago

steveworkman commented 2 years ago

The example in the tutorial and this repo use the OpenID 1.0 protocol, with high-level access to resources. As MS now recommends using the newer version, can this tutorial be updated to reflect this?

I ask because I've not been able to get this to work successfully.

```json
{
    "auth": {
        "rolesSource": "/api/getRoles",
        "identityProviders": {
            "azureActiveDirectory": {
                "userDetailsClaim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                "registration": {
                    "openIdIssuer": "https://login.microsoftonline.com/[TENANT_ID]/v2.0",
                    "clientIdSettingName": "AAD_CLIENT_ID",
                    "clientSecretSettingName": "AAD_CLIENT_SECRET"
                },
                "login": {
                    "loginParameters": [
                        "scope=https%3A%2F%2Fgraph.microsoft.com%2Fopenid%20https%3A%2F%2Fgraph.microsoft.com%2Fprofile"
                    ]
                }
            }
        }
    }
}
```

A request like this, moving to the v2 openIdIssuer and swapping the loginParameters from resource to scope, gives me a 403, and I am unable to log in to the application as it doesn't have an email.

Is there a way to get this to work?

jouz3 commented 2 years ago

Add the "openid profile email" scopes to your scope login parameter, since it seems to be replacing the default ones.

I have my auth section as such:

```json
{
  "auth": {
    "rolesSource": "/api/UserRoles",
    "identityProviders": {
      "azureActiveDirectory": {
        "registration": {
          "openIdIssuer": "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
          "clientIdSettingName": "AZURE_CLIENT_ID",
          "clientSecretSettingName": "AZURE_CLIENT_SECRET"
        },
        "login": {
          "loginParameters": [
            "scope=openid profile email https://graph.microsoft.com/User.Read"
          ]
        }
      }
    }
  }
}
```

Seems to be working like this.

steveworkman commented 2 years ago

That works for me - thanks! I couldn't find the syntax for the scope parameter anywhere.
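The failure mode in this thread is easy to reintroduce: a custom `scope=` login parameter replaces the provider's default OpenID Connect scopes, so a config that omits `openid profile email` produces a login with no email claim, and a `resource=` parameter only makes sense against a v1.0 issuer while `scope=` belongs to v2.0. The following is an added example, not code from this repository or from the Static Web Apps tutorial: a small Python checker that loads a `staticwebapp.config.json`-shaped document and reports those two mistakes. The two sample configs embedded in it are constructed copies of the broken and working configs posted above; the set of "default" scopes it requires is an assumption drawn from jouz3's reply, not from Microsoft documentation.

```python
"""Lint the azureActiveDirectory login block of a staticwebapp.config.json.

Added example; not part of the staticwebdev/roles-function repository.
"""
from __future__ import annotations

import json
import sys
from urllib.parse import unquote

# Assumption (from the thread): a custom "scope=" login parameter replaces the
# provider defaults, so these OIDC scopes must be listed explicitly to get an
# email/profile on the client principal.
REQUIRED_OIDC_SCOPES = {"openid", "profile", "email"}


def parse_login_parameters(params: list[str]) -> dict[str, str]:
    """Turn ["scope=a%20b", "prompt=login"] into {"scope": "a b", "prompt": "login"}.

    Values may be percent-encoded (the first config in the thread encodes them),
    so they are decoded before any comparison.
    """
    parsed: dict[str, str] = {}
    for item in params:
        key, _, value = item.partition("=")
        parsed[key.strip()] = unquote(value)
    return parsed


def check_aad_login(config: dict) -> list[str]:
    """Return human-readable findings for the AAD provider block; [] means clean."""
    findings: list[str] = []
    try:
        aad = config["auth"]["identityProviders"]["azureActiveDirectory"]
    except (KeyError, TypeError):
        return ["no auth.identityProviders.azureActiveDirectory block found"]

    issuer = aad.get("registration", {}).get("openIdIssuer", "")
    is_v2 = issuer.rstrip("/").endswith("/v2.0")
    params = parse_login_parameters(aad.get("login", {}).get("loginParameters", []))

    # The v1.0 endpoint takes "resource=", the v2.0 endpoint takes "scope=".
    if "resource" in params and is_v2:
        findings.append("'resource=' login parameter used with a v2.0 issuer; use 'scope='")
    if "scope" in params and not is_v2:
        findings.append("'scope=' login parameter used with a v1.0 issuer; use 'resource='")

    if "scope" in params:
        scopes = set(params["scope"].split())
        missing = sorted(REQUIRED_OIDC_SCOPES - scopes)
        if missing:
            findings.append(
                "custom scope= replaces the defaults but omits: " + ", ".join(missing)
            )
        # The broken config spelled the OIDC scopes as https://graph.microsoft.com/openid;
        # the working config uses the bare names, so flag the prefixed form.
        prefixed = sorted(s for s in scopes if "/" in s and s.rsplit("/", 1)[-1] in REQUIRED_OIDC_SCOPES)
        if prefixed:
            findings.append("OIDC scopes written with a resource prefix: " + ", ".join(prefixed))
    return findings


# Constructed samples mirroring the two configs posted in the thread.
BROKEN_CONFIG = {"auth": {"rolesSource": "/api/getRoles", "identityProviders": {"azureActiveDirectory": {
    "registration": {"openIdIssuer": "https://login.microsoftonline.com/[TENANT_ID]/v2.0",
                     "clientIdSettingName": "AAD_CLIENT_ID", "clientSecretSettingName": "AAD_CLIENT_SECRET"},
    "login": {"loginParameters": [
        "scope=https%3A%2F%2Fgraph.microsoft.com%2Fopenid%20https%3A%2F%2Fgraph.microsoft.com%2Fprofile"]},
}}}}

WORKING_CONFIG = {"auth": {"rolesSource": "/api/UserRoles", "identityProviders": {"azureActiveDirectory": {
    "registration": {"openIdIssuer": "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
                     "clientIdSettingName": "AZURE_CLIENT_ID", "clientSecretSettingName": "AZURE_CLIENT_SECRET"},
    "login": {"loginParameters": ["scope=openid profile email https://graph.microsoft.com/User.Read"]},
}}}}


def main(argv: list[str]) -> int:
    """Lint the file given on the command line, or the embedded samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            targets = {argv[1]: json.load(fh)}
    else:
        targets = {"broken (steveworkman)": BROKEN_CONFIG, "working (jouz3)": WORKING_CONFIG}
    worst = 0
    for name, cfg in targets.items():
        findings = check_aad_login(cfg)
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
        worst = max(worst, len(findings))
    return 1 if worst else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a path to your own `staticwebapp.config.json` to check a deployment, or with no arguments to see the two thread configs side by side; a non-zero exit makes it usable as a CI gate.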