How to get group claims? #11
Comments
Hi @philipsd6, Sorry for the delay, busy days. BTW - I have another project in work which could provide the groups via MS Graph. Cheers!
I actually don't know for sure which I'm using! I just followed the quick start you linked to, and also based on running these CLI commands:

```bash
TENANT=$(az login --query "[?isDefault].tenantId|[0]" -o tsv)
CLIENT_ID=$(az ad app create --display-name "TestingApp" \
    --reply-urls http://localhost:8000/docs/oauth2-redirect \
    --query appId -o tsv)
# shell assignments take no spaces around "="; the closing ")" was missing
CLIENT_CREDENTIAL=$(az ad app credential reset --id "$CLIENT_ID" \
    --query password -o tsv)
```

Which I then customized in the portal by adding group claims in varying configurations to see what/if any worked. But looking at your I look forward to seeing your other project! Thanks for putting all this MSAL stuff together in a reusable FastAPI fashion!
Hi @philipsd6 - I wasn't around this project for a while. I can't recall if this is the latest version I have on my computer that includes the fastapi_msal integration. If not, please let me know and I'll look into updating it.
So in my case I'm using plain AAD, and the app has been set up so that the token includes the roles of the user directly in the ID token. This means that

```python
async def validate_id_token(self, id_token: str, nonce: OptStr = None) -> IDTokenClaims:
    token_claims: OptStrsDict = await self.__execute_async__(
        self._cca.client.decode_id_token, id_token=id_token, nonce=nonce
    )
    return IDTokenClaims.model_validate(token_claims)
```

So in practice, since IDTokenClaims is inheriting from UserInfo, it would only be a question of adding:

```python
from typing import Optional

from pydantic import BaseModel, Field


class UserInfo(BaseModel):
    ...
    roles: Optional[list[str]] = Field(None)  # add this somewhere
```

Since then it would be automatically set, right? This would make it super easy to implement RBAC, and there's no need to query graph or anything like that.
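To show how the claims-to-UserInfo mapping proposed above turns into an RBAC check, here is an added example (not fastapi_msal code, and not part of the thread). It avoids a pydantic dependency by mirroring the same "unknown keys ignored, `roles` auto-populated" behaviour on a dataclass; the claims dict, client id and group id are constructed sample values, and `require_any_role` / `Forbidden` are hypothetical names.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Mapping, Optional

# Constructed sample of what decode_id_token returns when the app is set to
# "emit groups as role claims": app roles and group object ids share "roles".
SAMPLE_CLAIMS: dict[str, Any] = {
    "aud": "<placeholder-client-id>",
    "iss": "https://login.microsoftonline.com/<placeholder-tenant-id>/v2.0",
    "name": "Test User",
    "preferred_username": "test.user@example.com",
    "roles": ["Reader", "11111111-2222-3333-4444-555555555555"],
}


@dataclass
class UserInfo:
    """Subset of the UserInfo fields, plus the roles claim the thread proposes."""
    name: Optional[str] = None
    preferred_username: Optional[str] = None
    roles: list[str] = field(default_factory=list)

    @classmethod
    def from_claims(cls, claims: Mapping[str, Any]) -> "UserInfo":
        # Like pydantic's default, unknown claims are ignored; a missing or
        # scalar "roles" claim is normalised to a list of strings.
        roles = claims.get("roles") or []
        if isinstance(roles, str):
            roles = [roles]
        return cls(name=claims.get("name"),
                   preferred_username=claims.get("preferred_username"),
                   roles=[str(r) for r in roles])


def has_any_role(user: UserInfo, allowed: set[str]) -> bool:
    """Fail closed: a token carrying no roles never satisfies an RBAC check."""
    return bool(user.roles) and not allowed.isdisjoint(user.roles)


class Forbidden(Exception):
    """Hypothetical error; a FastAPI app would raise HTTPException(403) instead."""


def require_any_role(allowed: set[str]) -> Callable[[UserInfo], UserInfo]:
    # Factory for a guard that takes the *validated* UserInfo (never raw headers).
    def guard(user: UserInfo) -> UserInfo:
        if not has_any_role(user, allowed):
            raise Forbidden(f"requires one of {sorted(allowed)}")
        return user
    return guard
```

Calling `require_any_role({"Reader"})(UserInfo.from_claims(SAMPLE_CLAIMS))` returns the user, while `{"Admin"}` raises `Forbidden`, as does any token whose `roles` claim is absent.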
Issue is now closed with release latest of version 2.1.2 🙏
I'm trying to get group information into my FastAPI app from MSAL, but I can't see that it's supported.
Describe the solution you'd like
I want to add group claims in my token configuration and have them show up in the UserInfo model for use in authorizations in my endpoints.
Describe alternatives you've considered
I've configured my token configuration in my AZ AD App to "emit groups as role claims" for ID and Access types.
Additional context
None.