Groups claim missing in token #239
Comments
@Cheang-Hoong If it is returned from the authorization server, then it should be present in this.user.profile. Are you authenticating against AAD?
@tushargupta51 Yes, I am authenticating against AAD. After I changed the value of the "groupMembershipClaims" setting in the manifest, the "hasgroups" claim is added to the "profile". I have found out from this blog that the Groups claim is not in the token for a response over Fragment, which I believe is the ADAL-JS flow. And have you successfully received a response with the Groups claim?
@Cheang-Hoong Yes, it seems that the "groups" claim is not supported for all authentication flows. An id_token sent as a fragment will not contain this claim because of the URL length limitation. The alternative way to get the "groups" claim is to query the Azure AD Graph API. The following links explain how you can do that:
Closing this issue since group claims are supported in oauth implicit flow.
@tushargupta51 Just to clarify. Your closing comment should have said "aren't supported". Right?
Group claims are supported in oauth implicit flow. See here for more details: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/ https://azure.microsoft.com/en-gb/resources/samples/active-directory-dotnet-webapp-groupclaims/
The 3rd link you provided doesn't use adal.js. Did you mean to post a different sample? In the second link you posted they have a list of flows that includes the following:
Adal.js uses the Implicit Grant Flow, doesn't it? Hoping someone has some insight on how they got this working. Thanks.
Hi, Thanks,
I get the groups claim when I authenticate against an Azure AD tenant which is not federated with on-premise AD. When I authenticate against an Azure AD tenant which is federated with on-premise AD, I only get the hasgroups claim. I have a support ticket open with Microsoft to investigate this discrepancy. I'll post an update here when it is resolved.
@shaynevanasperen Hi, do you have any update on this? Struggling with the same problem. Thanks
@RensBonnez Yes. Microsoft have responded to my support request and the answer is that group claims are only returned in the token when there are 5 or fewer of them (contrary to the almost nonexistent documentation on the matter). It has nothing to do with whether or not the Azure AD tenant is federated with on-premise AD. It is purely a maximum of 5 group claims. Their suggestion is to use application roles instead, which I am a little wary of because they might also cause the token length to become too long if the user has a large number of application roles. This is also compounded by the fact that Azure administration of application roles via modification of the manifest JSON is buggy (it doesn't let you delete application roles, even if they aren't associated with any users). Another alternative is to use the Graph API to query for the user's groups, but the unfortunate side effect of that is that your server would have to introduce session state to keep track of which users it has already queried so that it doesn't need to query again on each request. Very disappointing, I know. We should all have a big fat moan at Microsoft for this sorry state of affairs.
@shaynevanasperen for your issue with the manifest and deleting app roles: I just had this issue tonight. Try to update the manifest through: https://apps.dev.microsoft.com
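The two points raised above, that an implicit-flow id_token may carry only a "hasgroups" marker instead of the "groups" list, and that resolving the missing groups through the Graph API then forces the server to remember what it has already looked up, can be handled together on the relying-party side. The following is an added example written for this thread; it is not ADAL.js or Microsoft code. It reads the payload of an already-validated id_token, distinguishes "groups present", "groups omitted (overage)" and "no groups" so that an omitted list is never treated as an empty one, and resolves the overage through a caller-supplied `fetchGroups` function (a hypothetical stand-in for a Graph query) whose result is cached per user object id for no longer than the token's own `exp`. `makeUnsignedToken` only builds constructed, unsigned sample tokens for the demonstration.

```javascript
// Added example, not ADAL.js or Microsoft code. Node.js (uses Buffer); in a
// browser, replace base64UrlDecode with atob after the same -/_ substitution.

// Base64url decode helper (no padding in JWT segments).
function base64UrlDecode(s) {
  return Buffer.from(s, 'base64url').toString('utf8');
}

// Reads the payload segment only. The token's signature, issuer, audience and
// expiry must already have been validated by the auth library before any
// claim read here is trusted for authorization decisions.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Three distinct outcomes: "present" (the groups array is in the token),
// "overage" (Azure AD left the list out and signalled it with hasgroups or
// _claim_names), "none" (the token is complete and the user has no groups).
function classifyGroupClaims(payload) {
  if (Array.isArray(payload.groups)) return { status: 'present', groups: payload.groups };
  if (payload.hasgroups === true || payload._claim_names) return { status: 'overage', groups: null };
  return { status: 'none', groups: [] };
}

// Per-user cache of resolved groups, keyed by the "oid" claim. An entry is
// valid no longer than the token it was resolved for, so a user whose
// membership changes is re-queried at the next token refresh at the latest.
class GroupCache {
  constructor(now = () => Date.now()) { this.map = new Map(); this.now = now; }
  get(oid) {
    const e = this.map.get(oid);
    if (!e || e.expiresAt <= this.now()) { this.map.delete(oid); return undefined; }
    return e.groups;
  }
  set(oid, groups, expiresAt) { this.map.set(oid, { groups, expiresAt }); }
}

// Returns the user's group ids, querying fetchGroups (hypothetical Graph
// lookup) only when the token omitted them and nothing is cached.
async function resolveGroups(payload, fetchGroups, cache) {
  const c = classifyGroupClaims(payload);
  if (c.status !== 'overage') return c.groups;
  const cached = cache.get(payload.oid);
  if (cached) return cached;
  const groups = await fetchGroups(payload.oid);
  cache.set(payload.oid, groups, payload.exp * 1000);
  return groups;
}

// Constructed, unsigned sample token builder for demonstration only (alg none,
// empty signature). Real tokens are signed by Azure AD and must be verified.
function makeUnsignedToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

module.exports = { decodeJwtPayload, classifyGroupClaims, GroupCache, resolveGroups, makeUnsignedToken };
```

The important design point is the three-way classification: a token with `hasgroups: true` and no `groups` array must not be read as "this user is in no groups", otherwise authorization quietly degrades to deny-all or, worse, to whatever default the code applies to an empty list.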
I have the same issue. It is a multi-tenant app. I am using ADAL.js, and am trying to find a good way to find groups and users, both the group memberships of the currently logged-in user, but also a full list of users/groups from the directory. The issue is that to do that, the app needs permissions that require admin consent, which then requires all our customers to go through an admin consent page. But from what I read in the docs, a user should have access to read the directory. It does not seem to work using `ADAL.acquireToken`; when using `acquireToken`, the user needs the admin permissions and it does not seem that the request is using the user's basic permissions, but only the app permissions. Here is a snippet of my code:
... So how can I, WITHOUT requiring admin consent:
Thanks!
I would like to get the Groups claim in the JWT, but only "hasgroups" claim is in the response fragment. Is there a way to achieve this?
Thanks