Azure AD JWT groups/roles example

[lukasmrtvy]

Can you please provide an example of Azure AD integration with group/roles claims from JWT? https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code

Thanks

[lukeyeager]

FWIW, here's what I do:

• In Azure
  • Registered app > Certificates & secrets: Create a new secret, and jot it down for later
  • Registered app > App roles: Create a role with "Allowed member types" = "Users/Groups"
  • Enterprise app > Users and groups: Assign a group or a flat DL to the role that you created
• In nginx.conf (untested bits cobbled together from my full configuration):

  
  local opts = {
  discovery = "https://login.microsoftonline.com/"..tenant_id.."/v2.0/.well-known/openid-configuration",
  client_id = client_id,
  client_secret = client_secret,
  redirect_uri = "/.oidc/login",
  logout_path = "/.oidc/logout",
  session_contents = {id_token=true},
  }
  local res, err = resty_openidc.authenticate(opts)
  if err then return ngx.exit(500) end

local name = res.id_token.name local email = res.id_token.email local roles = res.id_token.roles

-- iterate through the roles looking for the one used to gate access to your upstream service local authorized = false for i, role in pairs(roles) do if role == "grafana" then authorized = true end end if authorized == false then return ngx.exit(403) end