3:54 p.m.
Hi,
I have posted a question few weeks ago on similar topic - how to
retrieve Azure AD groups and roles, but nobody has answered.
So maybe you can tell me how you have your AD configured that you get
groups info in the token.
Thanks,
Andrius
>>
I have created OpenId identity provider with Azure Active directory and it
works. What I am failing is to retrieve any group or role information from
Azure, so I can assign corresponding roles in Keycloak.
In their documentation, https://docs.microsoft.com/en-
us/azure/active-directory/develop/active-directory-token-and-claims I see
that if response_type is specified as "id_token" additional claims
"roles"
and "groups" should be returned.
But Keycloak's redirect to authorization URL in Azure contains parameter
response_type=code and there is no way to overwrite it.
Azure AD's openId configuration https://login.microsoftonline.
com/e061e904-dda8-491c-9f2f-d1e3051a5191/.well-known/openid-configuration
returns
"response_types_supported":["code","id_token","code
id_token","token id_token","token"] but in
"claims_supported" don't mention
"groups" nor "roles" claims.
So question - is it possible to change response_type to include id_token,
so groups or roles claims are retrieved and can be used in mapper to assign
corresponding roles in Keycloak. If not - what is a suggested approach -
store the token and retrieve them separately?
Andrius Karpavičius
tel.: +54 9 3546 482150,
skype: andriuskarpavicius
Date: Wed, 5 Apr 2017 09:12:01 +0200
From: Adrien Voisin <adrien.voisin.be(a)gmail.com>
Subject: [keycloak-user] Mapping Azure Ad token_id groups to users
roles
To: keycloak-user(a)lists.jboss.org
Message-ID:
Hi all,
I have the following configuration :
*My application :*
Front : Angular 2
Backend : Springboot rest api
*Auth:*
Keycloak 3.0.0
Windows Azure AD
The goal is to use Keyloack and Windows Azure for authentication and
permissions management of my web app.
(I followed this tutorial :
http://slackspace.de/articles/authentication-with-spring-
boot-angularjs-and-keycloak/
)
*Windows Azure AD* : I registered my webapp into Azure AD
*Keycloak *: I added two clients (front & back) + an identity provider
(Azure).
The authentication part works well. (Each request is redirected to the
Microsoft auth, then a user in Keycloak is added (first login).
Now I would like to use information of the token of Azure (doc :
https://docs.microsoft.com/en-us/azure/active-directory/
develop/active-directory-token-and-claims)
for permissions management.
A token from azure ad looks like below :
{
typ: "JWT",
alg: "RS256",
x5t: "kriMPdmBvx68skT8-mPAB3BseeA"
}.
{
aud: "https://contoso.onmicrosoft.com/scratchservice",
iss: "https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/",
iat: 1416968588,
nbf: 1416968588,
exp: 1416972488,
ver: "1.0",
tid: "b9411234-09af-49c2-b0c3-653adc1f376e",
amr: [
"pwd"
],
roles: [
"Admin"
],
oid: "6526e123-0ff9-4fec-ae64-a8d5a77cf287",
upn: "sample.user(a)contoso.onmicrosoft.com",
unique_name: "sample.user(a)contoso.onmicrosoft.com",
sub: "yf8C5e_VRkR1egGxJSDt5_olDFay6L5ilBA81hZhQEI",
family_name: "User",
given_name: "Sample",
*groups: [
"0e129f6b-6b0a-4944-982d-f776000632af",
"323b13b3-1851-4b94-947f-9a4dacb595f4",
"6e32c250-9b0a-4491-b429-6c60d2ca9a42",
"f3a161a7-9a58-4e8f-9d47-b70022a07424",
"8d4c81b2-b1ad-476d-9574-544d155aa6ff",
"1bf80164-ff24-4866-b19c-6212e5b9a847",
"76f80127-f2cd-46f4-8c52-8edd8bc749b1",
"0ba27160-44d0-42b5-b90c-47b3fcc48e35"
],*
appid: "b075ddef-0efa-123b-997b-de1337c29185",
appidacr: "1",
scp: "user_impersonation",
acr: "1"
}.
2:20 a.m.
New subject: Mapping Azure Ad token_id groups to users roles
Hi Andrius,
To set groups into the token_id, you have to go into your azure portal.
Then in your app registration settings, edit the "manifest" file. And for
the parameter ""groupMembershipClaims": set "SecurityGroup" or
"All".
Doc microsoft :
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-di...
Br,
Adrien
2017-04-05 22:54 GMT+02:00 Andrius Karpavičius <
andrius.karpavicius(a)opencellsoft.com>:
Hi,
I have posted a question few weeks ago on similar topic - how to
retrieve Azure AD groups and roles, but nobody has answered.
So maybe you can tell me how you have your AD configured that you get
groups info in the token.
Thanks,
Andrius
>>>
I have created OpenId identity provider with Azure Active directory and it
works. What I am failing is to retrieve any group or role information from
Azure, so I can assign corresponding roles in Keycloak.
In their documentation, https://docs.microsoft.com/en-
us/azure/active-directory/develop/active-directory-token-and-claims I see
that if response_type is specified as "id_token" additional claims
"roles"
and "groups" should be returned.
But Keycloak's redirect to authorization URL in Azure contains parameter
response_type=code and there is no way to overwrite it.
Azure AD's openId configuration https://login.microsoftonline.
com/e061e904-dda8-491c-9f2f-d1e3051a5191/.well-known/openid-configuration
returns
"response_types_supported":["code","id_token","code
id_token","token id_token","token"] but in
"claims_supported" don't mention
"groups" nor "roles" claims.
So question - is it possible to change response_type to include id_token,
so groups or roles claims are retrieved and can be used in mapper to assign
corresponding roles in Keycloak. If not - what is a suggested approach -
store the token and retrieve them separately?
Andrius Karpavičius
tel.: +54 9 3546 482150,
skype: andriuskarpavicius
>
>
> Date: Wed, 5 Apr 2017 09:12:01 +0200
> From: Adrien Voisin <adrien.voisin.be(a)gmail.com>
> Subject: [keycloak-user] Mapping Azure Ad token_id groups to users
> roles
> To: keycloak-user(a)lists.jboss.org
> Message-ID:
>
> Hi all,
>
>
> I have the following configuration :
>
>
> *My application :*
>
> Front : Angular 2
>
> Backend : Springboot rest api
>
>
> *Auth:*
>
> Keycloak 3.0.0
>
> Windows Azure AD
>
>
> The goal is to use Keyloack and Windows Azure for authentication and
> permissions management of my web app.
>
> (I followed this tutorial :
> http://slackspace.de/articles/authentication-with-spring-
boot-angularjs-and-keycloak/
> )
>
>
> *Windows Azure AD* : I registered my webapp into Azure AD
>
> *Keycloak *: I added two clients (front & back) + an identity provider
> (Azure).
>
>
> The authentication part works well. (Each request is redirected to the
> Microsoft auth, then a user in Keycloak is added (first login).
>
>
> Now I would like to use information of the token of Azure (doc :
> https://docs.microsoft.com/en-us/azure/active-directory/
develop/active-directory-token-and-claims)
> for permissions management.
>
>
> A token from azure ad looks like below :
>
>
> {
> typ: "JWT",
> alg: "RS256",
> x5t: "kriMPdmBvx68skT8-mPAB3BseeA"
> }.
> {
> aud: "https://contoso.onmicrosoft.com/scratchservice",
> iss: "https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/",
> iat: 1416968588,
> nbf: 1416968588,
> exp: 1416972488,
> ver: "1.0",
> tid: "b9411234-09af-49c2-b0c3-653adc1f376e",
> amr: [
> "pwd"
> ],
> roles: [
> "Admin"
> ],
> oid: "6526e123-0ff9-4fec-ae64-a8d5a77cf287",
> upn: "sample.user(a)contoso.onmicrosoft.com",
> unique_name: "sample.user(a)contoso.onmicrosoft.com",
> sub: "yf8C5e_VRkR1egGxJSDt5_olDFay6L5ilBA81hZhQEI",
> family_name: "User",
> given_name: "Sample",
> *groups: [
> "0e129f6b-6b0a-4944-982d-f776000632af",
> "323b13b3-1851-4b94-947f-9a4dacb595f4",
> "6e32c250-9b0a-4491-b429-6c60d2ca9a42",
> "f3a161a7-9a58-4e8f-9d47-b70022a07424",
> "8d4c81b2-b1ad-476d-9574-544d155aa6ff",
> "1bf80164-ff24-4866-b19c-6212e5b9a847",
> "76f80127-f2cd-46f4-8c52-8edd8bc749b1",
> "0ba27160-44d0-42b5-b90c-47b3fcc48e35"
> ],*
> appid: "b075ddef-0efa-123b-997b-de1337c29185",
> appidacr: "1",
> scp: "user_impersonation",
> acr: "1"
> }.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2832
days inactive
2833
days old
1 comments
2 participants
participants (2)
-
Adrien Voisin -
Andrius Karpavičius