Open lukasmrtvy opened 6 years ago
FWIW, here's what I do:
- Registered app > Certificates & secrets: Create a new secret, and jot it down for later
- Registered app > App roles: Create a role with "Allowed member types" = "Users/Groups"
- Enterprise app > Users and groups: Assign a group or a flat DL to the role that you created
```lua
local resty_openidc = require("resty.openidc")

local opts = {
  discovery = "https://login.microsoftonline.com/" .. tenant_id .. "/v2.0/.well-known/openid-configuration",
  client_id = client_id,
  client_secret = client_secret,
  redirect_uri = "/.oidc/login",
  logout_path = "/.oidc/logout",
  session_contents = { id_token = true },
}

local res, err = resty_openidc.authenticate(opts)
if err then return ngx.exit(500) end

local name = res.id_token.name
local email = res.id_token.email
-- the claim is absent when the user has no app role assigned, so default to an empty table
local roles = res.id_token.roles or {}

-- iterate through the roles looking for the one used to gate access to your upstream service
local authorized = false
for i, role in pairs(roles) do
  if role == "grafana" then authorized = true end
end
if authorized == false then return ngx.exit(403) end
```
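A fuller access-phase handler for the same Azure AD app-role setup, added here as an example (it is not code from the thread or from lua-resty-openidc itself); the environment variable names, the `ALLOWED_ROLES` table and the `X-Auth-*` header names are assumptions:

```lua
-- Body of an access_by_lua_block: authenticate against Azure AD, then require
-- one of a set of app roles before the request reaches the upstream.
local resty_openidc = require("resty.openidc")

-- Placeholders: exported to the worker via nginx `env` directives (assumed names).
local tenant_id     = os.getenv("AZURE_TENANT_ID")
local client_id     = os.getenv("AZURE_CLIENT_ID")
local client_secret = os.getenv("AZURE_CLIENT_SECRET")

-- App roles permitted to reach this upstream; any one of them is sufficient.
local ALLOWED_ROLES = { grafana = true, ["grafana-admin"] = true }

local opts = {
  discovery = "https://login.microsoftonline.com/" .. tenant_id .. "/v2.0/.well-known/openid-configuration",
  client_id = client_id,
  client_secret = client_secret,
  redirect_uri = "/.oidc/login",
  logout_path = "/.oidc/logout",
  scope = "openid email profile",
  ssl_verify = "yes",                    -- verify TLS on the discovery/token endpoints
  session_contents = { id_token = true },
}

local res, err = resty_openidc.authenticate(opts)
if err then
  ngx.log(ngx.ERR, "openidc authenticate failed: ", err)
  return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

-- Azure AD only emits `roles` when the user (or one of their groups) is assigned
-- an app role, so a missing claim means "no roles", not an error.
local roles = res.id_token.roles or {}
local granted
for _, role in ipairs(roles) do
  if ALLOWED_ROLES[role] then granted = role break end
end
if not granted then
  ngx.log(ngx.WARN, "user ", res.id_token.email or "?", " has no permitted app role")
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- Hand the verified identity to the upstream. set_header replaces any copy the
-- client sent, so these headers cannot be spoofed from outside.
ngx.req.set_header("X-Auth-User", res.id_token.preferred_username or res.id_token.email or "")
ngx.req.set_header("X-Auth-Role", granted)
```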
Can you please provide an example of Azure AD integration with group/roles claims from JWT? https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code
Thanks