This repository has been archived by the owner on Jun 26, 2021. It is now read-only.

Groups claim missing in token #239

Closed
Cheang-Hoong opened this issue Mar 1, 2016 · 13 comments

Comments

@Cheang-Hoong

I would like to get the Groups claim in the JWT, but only "hasgroups" claim is in the response fragment. Is there a way to achieve this?

Thanks

@tushargupta51
Contributor

@Cheang-Hoong If it is returned from the authorization server, then it should be present in this.user.profile. Are you authenticating against AAD?

@tushargupta51 tushargupta51 self-assigned this Mar 4, 2016
@Cheang-Hoong
Author

@tushargupta51 Yes, I am authenticating against AAD. After I changed the value for the "groupMembershipClaims" setting in the manifest, the "hasgroups" claim is added to the "profile".

I have found out from this blog that the Groups claim is not in the token for responses over Fragment, which I believe is the ADAL-JS flow.
http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/

And have you successfully received a response with Groups claims?

@tushargupta51
Contributor

@Cheang-Hoong Yes, it seems that the "groups" claim is not supported for all authentication flows. An id token sent as a fragment will not contain this claim because of the URL length limitation. The alternative way to get the "groups" claim is to query the Azure AD Graph API. The following links explain how you can do that:

  1. http://www.cloudidentity.com/blog/2013/01/22/group-amp-role-claims-use-the-graph-api-to-get-back-isinrole-and-authorize-in-windows-azure-ad-apps/
  2. https://msdn.microsoft.com/library/azure/ad/graph/api/groups-operations#getgroups

@tushargupta51
Contributor

Closing this issue since group claims are supported in oauth implicit flow.

@mikesigs

@tushargupta51 Just to clarify. Your closing comment should have said "aren't supported". Right?

@mikesigs

mikesigs commented May 25, 2017

The 3rd link you provided doesn't use adal.js. Did you mean to post a different sample?

In the second link you posted they have a list of flows that includes the following:

| Auth flow supported by Azure | AD Groups claim issued? |
|---|---|
| OpenIDConnect SSO (id token). Response over POST | Yes – in the id token |
| OAuth Implicit Grant Flow | No |

Adal.js uses the Implicit Grant Flow, doesn't it?
At any rate, I cannot get the group claims in my request. I actually switched to using app roles defined in the manifest. But I don't get those either!

Hoping someone has some insight on how they got this working.

Thanks.

@ischrei

ischrei commented May 30, 2017

Hi,
As Tushar mentioned, the groups claim will not be added to the token due to URL limitations.
And as you mentioned, the "hasgroups" claim is added instead. This claim is in fact a hint to your server that the user is a member of some groups, and in case the server needs those groups, it is able to request them directly from AAD.

Thanks,
Ido.
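The two cases described by tushargupta51 and ischrei above (a "groups" array embedded in the id token, or a "hasgroups" hint telling the app to ask the directory instead) can be told apart by decoding the token payload. The following is an added example, not code from the thread or from the adal.js project. It also recognises the `_claim_names.groups` overage form that Azure AD uses in non-implicit flows, which the thread does not discuss. The tokens are constructed, unsigned samples; signature, issuer and audience validation are separate steps not shown here.

```javascript
// Added example (not from the thread): inspect an Azure AD id token for group claims.
// A "groups" array means the directory embedded the memberships; "hasgroups": true
// (the implicit-flow overage marker discussed above) or a "_claim_names.groups" entry
// (the overage form used in other flows) means the token carries none and the app
// must query the directory. Constructed, unsigned samples only; no verification here.

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; restore standard base64 first.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Returns the decoded payload (claims) of a compact-serialised JWT. No verification.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact-serialised JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Classify what the id token says about the user's group membership.
//   { source: 'token',   groups: [...] }  memberships embedded in the token
//   { source: 'overage', groups: [] }     too many groups; query the directory (Graph)
//   { source: 'none',    groups: [] }     no group information issued at all
function groupInfoFromIdToken(token) {
  const claims = decodeJwtPayload(token);
  if (Array.isArray(claims.groups)) {
    return { source: 'token', groups: claims.groups.slice() };
  }
  const overage = claims.hasgroups === true ||
    (claims._claim_names !== undefined && claims._claim_names !== null &&
     typeof claims._claim_names.groups === 'string');
  return { source: overage ? 'overage' : 'none', groups: [] };
}

// Build a constructed, unsigned (alg "none") token for demonstration only.
function makeUnsignedToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify(claims));
  return header + '.' + payload + '.';
}

// Constructed sample tokens mirroring the two cases reported in the thread.
const SAMPLE_WITH_GROUPS = makeUnsignedToken({
  aud: 'constructed-client-id',
  iss: 'https://sts.windows.net/constructed-tenant/',
  groups: ['11111111-1111-1111-1111-111111111111', '22222222-2222-2222-2222-222222222222'],
});
const SAMPLE_WITH_HASGROUPS = makeUnsignedToken({
  aud: 'constructed-client-id',
  iss: 'https://sts.windows.net/constructed-tenant/',
  hasgroups: true,
});

console.log(groupInfoFromIdToken(SAMPLE_WITH_GROUPS));    // source: 'token'
console.log(groupInfoFromIdToken(SAMPLE_WITH_HASGROUPS)); // source: 'overage'
```

An app that gets `source: 'overage'` should treat the token as saying nothing about membership and fall back to a directory query rather than assuming the user belongs to no groups.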

@shaynevanasperen

shaynevanasperen commented May 30, 2017

I get the groups claim when I authenticate against an Azure AD tenant which is not federated with on-premise AD. When I authenticate against an Azure AD tenant which is federated with on-premise AD, I only get the hasgroups claim. I have a support ticket open with Microsoft to investigate this discrepancy. I'll post an update here when it is resolved.

@RensBonnez

@shaynevanasperen Hi, do you have any update on this? Struggling with the same problem. Thanks

@shaynevanasperen

@RensBonnez Yes. Microsoft have responded to my support request and the answer is that group claims are only returned in the token when there are 5 or less of them (contrary to the almost nonexistent documentation on the matter). It has nothing to do with whether or not the Azure AD tenant is federated with on-premise AD. It is purely a maximum of 5 group claims.

Their suggestion is to use application roles instead, which I am a little wary of because they might also cause the token length to become too long if the user has a large number of application roles. This is also compounded by the fact that Azure administration of application roles via modification of the manifest JSON is buggy (it doesn't let you delete application roles, even if they aren't associated with any users).

Another alternative is to use the Graph API to query for the user's groups, but the unfortunate side effect of that is that your server would have to introduce session state to keep track of which users it has already queried so that it doesn't need to query again on each request.

Very disappointing, I know. We should all have a big fat moan at Microsoft for this sorry state of affairs.

@hitmanpc

@shaynevanasperen for your issue with the manifest and deleting app roles: I just had this issue tonight. Try to update the manifest through https://apps.dev.microsoft.com
There I was able to get back a more meaningful error. The process I did was to first update all the `"isEnabled": true` entries to `"isEnabled": false`; then I was able to remove the appRoles.
Let me know if this worked or works for you in the future.

@JakobGSvendsen

I have the same issue.

It is a multi-tenant app.
I need to use app roles for permission-level access and group claims to limit each resource to specific users/groups.

I am using ADAL.js, and am trying to find a good way to find groups and users: both the group memberships of the currently logged-in user, and also a full list of users/groups from the directory.
It can be fairly easily done by getting a key for the Graph API using acquireToken, then using this key to read users/groups and me/memberOf.

The issue is that to do that, the app needs permissions that require admin consent, which then requires all our customers to go through an admin consent page.

But from what I read in the docs, a user should have access to read the directory.
I believe this is when we are accessing the Graph API AS the user (on-behalf-of auth maybe? or maybe we can do it somehow using the ADAL.js library?).

It does not seem to work using ADAL.acquireToken; when using acquireToken, the user needs the admin permissions and it does not seem that the request is using the user's basic permissions, but only the App permissions.

here is a snippet of my code:
```javascript
// AAD picker: acquire a token for the Microsoft Graph resource, then read the user's groups
ADAL.acquireToken("https://graph.microsoft.com",
    function (error, idtoken) {
        if (error || !idtoken) {
            console.log('ADAL error occurred: ' + error);
        } else {
            console.log('idtoken: ' + idtoken);

            //sessionStorage.graphAccessToken = ADAL.getCachedUsers().profile.id;
            // keep the token for the later Graph calls
            sessionStorage.graphAccessToken = idtoken;

            //GET user Groups
            getLoggedUserGroupsFromGraphAPI();
        }
        // ...
    });
```

So how can I, WITHOUT requiring admin consent:

  1. Get the currently logged-in user's group claims, or just the IDs of the memberOf groups?
  2. Browse users and groups to be able to share/limit resources to them?

Thanks!
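The step the snippet above leaves out is the actual Graph call behind `getLoggedUserGroupsFromGraphAPI`. The following is an added example, not code from this thread or from the adal.js project, showing how a token obtained from `ADAL.acquireToken("https://graph.microsoft.com", ...)` would be used against `/me/memberOf`. It assumes an injectable fetch-compatible function (`fetchImpl`) so the logic runs offline against constructed pages; in the browser the real `globalThis.fetch` is passed instead. It takes no position on which delegated permissions or consent the call needs, which is the open question in the comment above.

```javascript
// Added example (not from the thread): resolve group membership through Microsoft Graph
// once an access token for https://graph.microsoft.com is in hand. /me/memberOf returns
// a mixed directoryObject collection (groups and directory roles), pages it with
// @odata.nextLink, and tags each item with @odata.type, so the loop follows every page
// and keeps only the group objects.

async function getMemberGroupIds(accessToken, fetchImpl) {
  if (!accessToken) throw new Error('no Graph access token available');
  const groupIds = [];
  let url = 'https://graph.microsoft.com/v1.0/me/memberOf';
  while (url) {
    const res = await fetchImpl(url, { headers: { Authorization: 'Bearer ' + accessToken } });
    if (!res.ok) throw new Error('Graph request failed with HTTP ' + res.status);
    const page = await res.json();
    for (const obj of page.value || []) {
      // Keep only groups; directory roles also appear in memberOf.
      if (obj['@odata.type'] === '#microsoft.graph.group') groupIds.push(obj.id);
    }
    url = page['@odata.nextLink'] || null; // follow server-side paging until exhausted
  }
  return groupIds;
}

// Constructed stand-in for fetch: two pages linked by @odata.nextLink, a 401 when the
// bearer token does not match the constructed one, and 404 for any other URL.
const CONSTRUCTED_TOKEN = 'constructed-graph-access-token';
const CONSTRUCTED_PAGES = {
  'https://graph.microsoft.com/v1.0/me/memberOf': {
    value: [
      { '@odata.type': '#microsoft.graph.group', id: 'group-0001', displayName: 'Finance' },
      { '@odata.type': '#microsoft.graph.directoryRole', id: 'role-0001', displayName: 'Global Reader' },
    ],
    '@odata.nextLink': 'https://graph.microsoft.com/v1.0/me/memberOf?$skiptoken=constructed-page-2',
  },
  'https://graph.microsoft.com/v1.0/me/memberOf?$skiptoken=constructed-page-2': {
    value: [
      { '@odata.type': '#microsoft.graph.group', id: 'group-0002', displayName: 'Engineering' },
    ],
  },
};

function fakeFetch(url, options) {
  const auth = (options && options.headers && options.headers.Authorization) || '';
  if (auth !== 'Bearer ' + CONSTRUCTED_TOKEN) {
    return Promise.resolve({ ok: false, status: 401, json: async () => ({}) });
  }
  const body = CONSTRUCTED_PAGES[url];
  if (!body) return Promise.resolve({ ok: false, status: 404, json: async () => ({}) });
  return Promise.resolve({ ok: true, status: 200, json: async () => body });
}

// Offline run against the constructed pages.
getMemberGroupIds(CONSTRUCTED_TOKEN, fakeFetch).then(ids => console.log(ids)); // ['group-0001', 'group-0002']

// Browser usage with adal.js and the real Graph endpoint (hypothetical wiring):
// ADAL.acquireToken("https://graph.microsoft.com", function (err, token) {
//   if (!err && token) getMemberGroupIds(token, globalThis.fetch).then(ids => console.log(ids));
// });
```

Two details worth keeping from this: the result must be filtered by `@odata.type`, because treating a directory role id as a group id silently widens an authorization check, and paging must be followed to the end, since a user in many groups will otherwise appear to be in only the first page's worth.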
