
Enable B2B auth for Azure provider by supporting either `oid` or `upn` claim in the token #172

Merged
merged 6 commits into from Jul 7, 2018

Conversation

@amanohar
Collaborator

commented Jul 7, 2018

User's identity can exist in their organization's AAD tenant (T1) and their AAD application + groups can live in another tenant (T2).

This change enables the B2B auth scenario where AAD returns a token that's missing upn and only contains oid, so that either the upn or the oid claim can be used to get the user's group memberships.

Issue: #170

amanohar and others added some commits Apr 30, 2018

Add paging to get around directoryObjects.getByIds limit of 1000
When trying to get a detailed description of AAD membership groups using the API getbyids: https://github.com/microsoftgraph/microsoft-graph-docs/blob/master/api-reference/v1.0/api/directoryobject_getbyids.md, if the AAD member has more than 1000 group memberships

AAD returns:
    "code": "Request_BadRequest",
    "message": "Number of included identifiers cannot exceed '1000'.",

Therefore, guard needs to do paged queries to get details of all groups the user belongs to. But getbyids does not support query options like $top and $expand and returns the error:

    "code": "Request_BadRequest",
    "message": "The following query options are not supported by this request method or cannot be applied to the requested resource: $filter,$expand,$orderby,$count,$inlinecount,$select,$skiptoken,$skip,$top"

So in this case guard cannot rely on AAD to do paging and needs to do paging itself to fetch membership group details from AAD.

Github issue: #132
Some cleanup
- Avoid re-allocations for groupNames array
- Simplify the loop over groupIDs
- glog.Infof appends \n automatically
Support B2B auth for Azure provider by supporting both `oid` or `upn` claims in the token
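As an added example (not guard's own code from this PR), a Go sketch of the two behaviours the commits above describe: client-side paging of getByIds in batches of at most 1000 ids, and choosing the upn claim with a fallback to oid for B2B guests. The names groupNames, userIdentifier and getByIDsFunc are assumed, and the real Graph call is replaced by a caller-supplied function.

```go
package main

import (
	"errors"
	"fmt"
)

// maxGetByIDs is the documented directoryObjects.getByIds limit of 1000 ids per request.
const maxGetByIDs = 1000

// getByIDsFunc stands in for the Graph getByIds call: one batch of ids in, names out.
type getByIDsFunc func(ids []string) ([]string, error)

// groupNames pages client-side, since getByIds rejects $top/$skip: the id list
// is sliced into batches of at most maxGetByIDs and the results concatenated.
func groupNames(groupIDs []string, getByIDs getByIDsFunc) ([]string, error) {
	names := make([]string, 0, len(groupIDs)) // one allocation, no re-growth per page
	for start := 0; start < len(groupIDs); start += maxGetByIDs {
		end := start + maxGetByIDs
		if end > len(groupIDs) {
			end = len(groupIDs)
		}
		batch, err := getByIDs(groupIDs[start:end])
		if err != nil {
			return nil, fmt.Errorf("getByIds batch [%d:%d]: %w", start, end, err)
		}
		names = append(names, batch...)
	}
	return names, nil
}

// userIdentifier prefers upn and falls back to oid (B2B guest tokens carry no upn).
func userIdentifier(claims map[string]interface{}) (string, error) {
	for _, key := range []string{"upn", "oid"} {
		if v, ok := claims[key].(string); ok && v != "" {
			return v, nil
		}
	}
	return "", errors.New("token carries neither upn nor oid claim")
}

func main() {
	ids := make([]string, 2500) // constructed: a member of 2500 groups
	for i := range ids {
		ids[i] = fmt.Sprintf("gid-%d", i)
	}
	echo := func(batch []string) ([]string, error) { return batch, nil } // stand-in for Graph
	names, err := groupNames(ids, echo)
	fmt.Println(len(names), err) // 2500 <nil>
}
```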

@amanohar amanohar changed the title Support B2B auth for Azure provider by supporting both `oid` or `upn` claims in the token Enable B2B auth for Azure provider by supporting either `oid` or `upn` claim in the token Jul 7, 2018

@amanohar amanohar requested a review from tamalsaha Jul 7, 2018

@tamalsaha tamalsaha merged commit cb6d252 into appscode:master Jul 7, 2018

1 check failed

continuous-integration/travis-ci/pr The Travis CI build failed
@tamalsaha

Member

commented Jul 7, 2018

Thanks @amanohar !
