
Using AzureAD authentication I cannot get the group members for the user that authenticates #11508

Closed
enribla opened this issue Jan 16, 2023 · 8 comments · Fixed by #13373
Assignees
Labels
status: accepted This issue has been accepted for implementation type: feature Introduction of new functionality to the application

Comments

@enribla

enribla commented Jan 16, 2023

NetBox version

v3.3.8

Python version

3.9

Steps to Reproduce

  1. I authenticate using AzureAD with my user
  2. I get authenticated
  3. I check the user groups in admin with a superuser account
  4. I don't see any group even if the user has several groups in AzureAD
  5. I check the user's id_token in User social auths (inside the PYTHON SOCIAL AUTH menu) and I verify that I get the group id

Expected Behavior

The expected behaviour would be to see the member groups related to the user that is authenticated using AzureAD

Observed Behavior

No groups appeared related to the user.

My configuration related to authentication is:

REMOTE_AUTH_BACKEND = 'social_core.backends.azuread.AzureADOAuth2'

SOCIAL_AUTH_AZUREAD_OAUTH2_KEY = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'
SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
SOCIAL_AUTH_REDIRECT_IS_HTTPS = True

@enribla enribla added the type: bug A confirmed report of unexpected behavior in the application label Jan 16, 2023
@enribla enribla changed the title Using AzureAD authentication I cannot get the group members fro the user that authenticates Using AzureAD authentication I cannot get the group members for the user that authenticates Jan 16, 2023
@github-actions
Contributor

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Do not attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see our contributing guide.

@github-actions github-actions bot added the pending closure Requires immediate attention to avoid being closed for inactivity label Apr 17, 2023
@jeremystretch
Member

The expected behaviour would be to see the member groups related to the user that is authenticated using AzureAD

Neither the NetBox documentation nor the documentation for the upstream python-social-auth package suggests that this functionality exists. This should have been submitted as a feature request.

I'm marking this as needs owner for anyone who would like to dig into this; however, some preliminary analysis suggests that the upstream Azure AD authentication backend would need to be extended to support group assignment.

@jeremystretch jeremystretch added type: feature Introduction of new functionality to the application status: needs owner This issue is tentatively accepted pending a volunteer committed to its implementation and removed type: bug A confirmed report of unexpected behavior in the application pending closure Requires immediate attention to avoid being closed for inactivity labels Apr 25, 2023
@candlerb
Contributor

candlerb commented Apr 28, 2023

I tried to do it for Keycloak, and it broke things badly. Here's a potted history in case it helps.

In python-social-auth/social-core#668, in an attempt to be helpful I also picked up the "groups" claim and returned it in the user structure from all OIDC responses:

    def get_user_details(self, response):
        username_key = self.setting('USERNAME_KEY', default=self.USERNAME_KEY)
        return {
            'username': response.get(username_key),
            'email': response.get('email'),
            'fullname': response.get('name'),
            'first_name': response.get('given_name'),
            'last_name': response.get('family_name'),
            'groups': response.get('groups'),    # <<<<<<<<< returns a list of strings
        }

But it turns out that if you do this, Django barfs, and this change had to be rolled back: see python-social-auth/social-core#690 / python-social-auth/social-core#692

The actual error from Django is:

Direct assignment to the forward side of a many-to-many set is prohibited. Use groups.set() instead.

If you can work out where that's coming from, you may be able to fix this issue. There's a full backtrace at #8579 (comment)

@jeremystretch
Member

Thanks @candlerb, that's very helpful. I suspected that this sort of change would be necessary so it's nice to have that confirmed.

If you can work out where that's coming from, you may be able to fix this issue.

I assume that the dictionary of attributes returned by the backend is being applied to the user instance blindly. groups would cause an issue because it's a reverse manager (rather than a normal attribute). So I'm not sure how it's working (if it's working) for other backends as you pointed out here.

@CTV-2023

Hi, just in case that helps, the workaround I found was not using AzureAD but SAML against AzureAD and storing the groups in SOCIAL_AUTH_SAML_EXTRA_DATA to use them with a custom pipeline. It might be considered "dirty" (and the code is far from perfect):
https://www.reddit.com/r/Netbox/comments/104ouqz/netbox_saml_with_azure_ad_authorization/
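Added example, not code from NetBox, python-social-auth or anyone in this thread: it reproduces the setattr failure candlerb and jeremystretch describe and then applies the groups claim the way a custom pipeline step (the route CTV-2023 mentions) has to, via `user.groups.set()`. Django is not imported; the manager and `User` classes are constructed stand-ins, and `AZUREAD_GROUP_MAP` with its placeholder IDs is an assumed setting.

```python
# Added example, not code from NetBox or python-social-auth. Django is not
# imported: the manager and User below are constructed stand-ins mimicking the
# behaviour this thread hits, i.e. Django's many-to-many field refuses direct
# assignment, so a 'groups' key in get_user_details() breaks, while groups.set() works.

# Assumed setting with constructed placeholder IDs: the Azure AD groups claim
# carries group object IDs, not names, so an explicit allow-list maps them.
AZUREAD_GROUP_MAP = {
    "11111111-1111-1111-1111-111111111111": "netbox-admins",
    "22222222-2222-2222-2222-222222222222": "netbox-readers",
}

class ManyToManyManager:
    """Stand-in for Django's related manager: set()/all() only, names stand in for Group rows."""
    def __init__(self):
        self._names = set()

    def set(self, names):
        self._names = set(names)

    def all(self):
        return sorted(self._names)

class User:
    def __init__(self, username):
        self.username = username
        self._groups = ManyToManyManager()

    @property
    def groups(self):
        return self._groups

    @groups.setter
    def groups(self, value):  # mirrors the error Django raises on setattr(user, 'groups', ...)
        raise TypeError("Direct assignment to the forward side of a many-to-many "
                        "set is prohibited. Use groups.set() instead.")

def blind_update(user, details):
    """The failing path: every key from get_user_details() applied with setattr."""
    for key, value in details.items():
        setattr(user, key, value)

def sync_azuread_groups(response, user, group_map=AZUREAD_GROUP_MAP, **kwargs):
    """Pipeline step (arguments as social-auth passes them). Unmapped IDs are
    ignored, stale local groups are removed, and a missing claim (e.g. Azure
    AD's groups-overage case) fails closed to no groups instead of keeping old ones."""
    claim_ids = response.get("groups") or []
    names = sorted({group_map[g] for g in claim_ids if g in group_map})
    user.groups.set(names)
    return {"group_names": names}
```

Because the step calls `set()` with the full mapped list on every login, a user removed from an IdP group loses the corresponding local group at their next sign-in rather than keeping it indefinitely.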

@jeremystretch
Member

There's now a feature request to implement this ability natively within python-social-auth: python-social-auth/social-core#794

@arthanson arthanson self-assigned this Jul 28, 2023
@arthanson arthanson removed the status: needs owner This issue is tentatively accepted pending a volunteer committed to its implementation label Aug 18, 2023
@jeremystretch jeremystretch added the status: accepted This issue has been accepted for implementation label Aug 21, 2023
@BBezaire

BBezaire commented Sep 5, 2023

Hi All,

I noticed PR #13373 was reverted.
Can we reopen this issue, or has discussion moved elsewhere?

@enribla
Author

enribla commented Sep 8, 2023

Good morning,
If I understand correctly, this functionality has been reverted?
Is it not possible to map AzureAD groups to NetBox groups? Or simply to replicate the AzureAD groups in the NetBox application?
Thanks

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 8, 2023