Handle groupmemberships over SAML/JWT limit by following and parsing Graph URI results

[jmartens]

When a large number of memberships is supplied in the auth token the individual groups are not provided anymore. Instead a Graph URI is provided. By following that you should be able to retrieve all group memberships for the user.

AFAICT the limit is 150 for SAML requests and 200 for JWT requests.

A workaround on the Azure side is to configure your application for specific groups only and set the groups claim to only return groups assigned to this application (as can be seen in the screenshot here), but it would be nice if this could be handled by this framework as well by following the Graph URI provided and parsing its results.

[JonasKs]

Hi, this seems like a good suggestion indeed.
PR welcome. 😊

[jmartens]

Not sure if I can find the time, but will see what I can do. Already have a hunch on where to add it in the code, not sure on the implementation details though.

Any preference on how to run rest requests and process the results? Are there helpers or classes in this package you prefer to be used?

[jmartens]

Already have a hunch on where to add it in the code

I am guessing an additional leaf in this if else clause is the proper place to check for and retrieve the Graph Api url:

django-auth-adfs/django_auth_adfs/backend.py

Lines 190 to 198 in 4917d37

	if settings.GROUPS_CLAIM in claims:
	claim_groups = claims[settings.GROUPS_CLAIM]
	if not isinstance(claim_groups, list):
	claim_groups = [claim_groups, ]
	else:
	logger.debug("The configured groups claim '%s' was not found in the access token",
	settings.GROUPS_CLAIM)
	claim_groups = []

[JonasKs]

Yeah, I'd say there too. The graph API has to be optional, though. 😊 It'll add some overhead, so should be opt in.

[JonasKs]

I've never worked on a Azure AD Django project, so i'm not you man to implement this.

Currently writing an Azure AD plug-in for FastAPI, but it won't be as comprehensive as this package.

[jmartens]

It'll add some overhead, so should be opt in.

OK, will see if and how I can create a settings parameter for it.

[jmartens]

The payload of a claim is explained here and this is the specific part for the so-called Groups overage claim

[jmartens]

This SO post might also hold some vital clues to get it working as apparently the application needs for Directory.Read.All permissions to successfully request the group memberships using the returned Graph URI.

[jmartens]

To get the URL for the claim I think this should work:

try:
  claim_name = claims['_claim_names'][settings.GROUPS_CLAIM]
  claim_source = claims['_claim_sources'][claim_name]
  claim_url = claim_source['endpoint']
except KeyError as e:
  logger.error(f"Key not found: {e}")

[JonasKs]

This is also related to #10. Both of you want a Graph integration.

[stefanoostwegel]

Has anyone got an update regarding this issue?
Would love to see the graph integration work as we have far to many users with to many groups.
Now we have to administer azure AD and Django, in stead of only django.

[JonasKs]

Not much update to give, other than a PR is welcome.