HOWTO set up is_staff and is_superuser from Azure to App

[ebreton]

Hi folks,

Firstofall, thanks for the amazing lib. I find it clean and efficient. 🤩

Documentation is great too, and I could setup the basics in Azure thanks to the explicit tutorial. Thanks a lot !

I wanted to go further, and I was looking for setting up user rights through BOOLEAN_CLAIM_MAPPING, and I am hitting the Azure wall of a-kilometer-high documentation.

Hence my question : could you add a section in the doc that describes the steps...

1. to declare and set the attribute user_is_staff and user_is_superuser in Azure
2. add the claims in the token
3. (and get them, but it looks like this part is already working fine :)

🧭 Status Point

Here are my findings of the last 24 hours trying to make it work on my own (being completely newbie with Azure)

I started from the settings reference in the project doc, about BOOLEAN_CLAIM_MAPPING

You can find the short name for the claims you configure in the ADFS management console underneath ADFS ➜ Service ➜ Claim Descriptions

I did not find such section in the Azure AD I created, neither in the Azure AD B2C :(

📔 Regarding AD:

The posts I have found redirect to the token configuration page, showing how to add optional claims, but only existing ones apparently...

Therefore I searched how to define my claims, i.e. my new attributes on the users, but I only found an azure feature custom security attribute which require a license and is still in PREVIEW.

It appears I am not on the good track

📚 Therefre I looked at AD B2C:

There, it looks simple to adjust the user attribute configuration (only availalbe on AD B2C though)

But... there is no "token configuration" page as mentioned in a lot of places. I found the reason in the Microsoft doc

The UI option Token configuration blade is not available for apps registered in an Azure AD B2C tenant which can be configured by modifying the application manifest. For more information see Add claims and customize user input using custom policies in Azure Active Directory B2C

Regarding the claims token configuration, it appears that I have to use user flows or policies (https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-user-flow)

But that did not look like the way to go either

🕵️‍♂️ Conclusion:

I am pretty sure I am just getting lost in Azure labyrithn and missing an obvious configuration.

Hence the my issue, and the suggestion about extending the Tutorial :)

If this process sounds trivial or is well-known to anyone, I am glad for any help

Cheers,
Emmanuel

[JonasKs]

Hi! I'm out skiing so I'll give you a little tip, and we can troubleshoot more another day.

If you want to make a user super user based on a group, you can use this setting:

'GROUP_TO_FLAG_MAPPING': {
        'is_staff': 'MyAdminGroup'
    },

[ebreton]

Thanks for the quick answer, on the skiing slopes ⛷️

I have setup Groups in Azure and the settings accordingly, but I still have something astray with the token

DEBUG 2022-02-05 16:19:42,583 django_auth_adfs The configured groups claim 'roles' was not found in the access token
DEBUG 2022-02-05 16:19:42,583 django_auth_adfs The configured group claim was not found in the access token

I will try again to look at the user flow configuration in the meantime :)

Cheers

[JonasKs]

😊

In Azure you have application roles and group claims. I recommend using application roles 😊

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

If you have groups, you need to configure them to be in the token I believe. Should be under app registration -> token configuration. They will not be under the roles claim though. Decode the token to see 😊

[ebreton]

Hi @JonasKs ,

TLDR;
I managed to setup the workaround through groups and app roles efficiently on Azure AD (not B2C). Thanks a lot for unblocking me 🥇

That would probably a nice addition to the doc, I can make a PR if you want.

My more detailed findings:

1. Azure AD B2C is definitively a whole different beast to configure.

The blocking issue I face is that you simply do not have the features available. Here is a screenshot of an app, from the Registration Application menu:

Compared to what is in the Azure AD :

No Token configuration entry, no App role entry in B2C

🆘 I put it aside for now, but if you have any experience with it, that will be very welcomed !

2. Azure AD

I face another issue with the USERNAME_CLAIM, which is upn for local members, but email for invited ones

🔬 What about supporting a list of USERNAME_CLAIMS where you could try the multiple keys ?

I am happy to make a PR if that makes sense for you

3. Last but not least, user attributes...

I am still lost on how you can define properties in Azure AD, and pass them to the app through claims. Any insight is welcomed again. I guess that remains the main topic of the discussion :)

Cheers,
Emmanuel

[JonasKs]

Hi, first of, Thank you for the detailed explanations. It is so much easier to help people who put an effort into explaining. 😊

I'm not on a PC this weekend, but I think #166 already solves your use case for usernames? Could you check that out?

As for the rest, I'll read through again tomorrow and see if I have any input n

[ebreton]

My pleasure :)

I have tried the GUEST_USERNAME_CLAIM It looks like exactly what I need... but... the account I am testing sonehow has the same tenant id (how come????)... hence I am not satisfying all conditions, therefore I am still getting the User claim's doesn't have the claim 'upn' in his claims

I am not sure how it comes since I am using a professionnal AD with my personnal microsoft account, therefore not related to the AD before I invited myself. When double-checking in the AD, I can see that my personnal email is flagged as invited: [email protected]#EXT#@xxxx.onmicrosoft.com

I tried another account (my github one). Following the sign-in process, I first got this error message:

AADSTS50020: User account '[email protected]' from identity provider 'live.com' 
does not exist in tenant 'Hymexia AD' and cannot access the application 
'xxxxxx'(Hymexia Fleet Manager) in that tenant. The account needs to be added 
as an external user in the tenant first. Sign out and sign in again with a different 
Azure Active Directory user account.

Therefore I invited this account, which looks as straightforward as it could be :)

I go through the invitation process and hit the same error as before, because the tenant id is the same as the AD.

What could explain is that I had to kind of register into Hymexia AD during the the invitation process, including setting a password (which makes no sense since I have then logged with my github account)

End of the story: I am definitively lacking knowledge on Azure AD itself... 🙄