[keycloak-user] Mapping Azure Ad token_id groups to users roles

Andrius Karpavičius andrius.karpavicius at opencellsoft.com
Wed Apr 5 16:54:21 EDT 2017


Hi,

I posted a question a few weeks ago on a similar topic - how to
retrieve Azure AD groups and roles - but nobody has answered.

So maybe you can tell me how you have your AD configured so that you get
group info in the token.

Thanks,
Andrius
>>>

I have created an OpenID identity provider with Azure Active Directory and it
works. What I am failing to do is retrieve any group or role information from
Azure, so I can assign corresponding roles in Keycloak.

In their documentation, https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims
I see that if response_type is specified as "id_token" additional claims "roles"
and "groups" should be returned.

But Keycloak's redirect to authorization URL in Azure contains parameter
response_type=code and there is no way to overwrite it.

Azure AD's OpenID configuration https://login.microsoftonline.com/e061e904-dda8-491c-9f2f-d1e3051a5191/.well-known/openid-configuration
returns "response_types_supported":["code","id_token","code
id_token","token id_token","token"] but "claims_supported" doesn't mention
the "groups" or "roles" claims.

So the question - is it possible to change response_type to include id_token,
so that the groups or roles claims are retrieved and can be used in a mapper to
assign corresponding roles in Keycloak? If not - what is the suggested approach -
store the token and retrieve them separately?
Andrius Karpavičius
tel.: +54 9 3546 482150,
skype: andriuskarpavicius



>
>
> Date: Wed, 5 Apr 2017 09:12:01 +0200
> From: Adrien Voisin <adrien.voisin.be at gmail.com>
> Subject: [keycloak-user] Mapping Azure Ad token_id groups to users
>          roles
> To: keycloak-user at lists.jboss.org
> Message-ID:
>
> Hi all,
>
>
> I have the following configuration :
>
>
> *My application :*
>
> Front : Angular 2
>
> Backend : Springboot rest api
>
>
> *Auth:*
>
> Keycloak 3.0.0
>
> Windows Azure AD
>
>
> The goal is to use Keycloak and Windows Azure for authentication and
> permissions management of my web app.
>
> (I followed this tutorial :
> http://slackspace.de/articles/authentication-with-spring-boot-angularjs-and-keycloak/
> )
>
>
> *Windows Azure AD* : I registered my webapp into Azure AD
>
> *Keycloak *: I added two clients (front & back) + an identity provider
> (Azure).
>
>
> The authentication part works well. (Each request is redirected to the
> Microsoft auth, then a user in Keycloak is added on first login.)
>
>
> Now I would like to use information of the token of Azure (doc :
> https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims)
> for permissions management.
>
>
> A token from Azure AD looks like the one below :
>
>
> {
>   typ: "JWT",
>   alg: "RS256",
>   x5t: "kriMPdmBvx68skT8-mPAB3BseeA"
> }.
> {
>   aud: "https://contoso.onmicrosoft.com/scratchservice",
>   iss: "https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/",
>   iat: 1416968588,
>   nbf: 1416968588,
>   exp: 1416972488,
>   ver: "1.0",
>   tid: "b9411234-09af-49c2-b0c3-653adc1f376e",
>   amr: [
>    "pwd"
>   ],
>   roles: [
>    "Admin"
>   ],
>   oid: "6526e123-0ff9-4fec-ae64-a8d5a77cf287",
>   upn: "sample.user at contoso.onmicrosoft.com",
>   unique_name: "sample.user at contoso.onmicrosoft.com",
>   sub: "yf8C5e_VRkR1egGxJSDt5_olDFay6L5ilBA81hZhQEI",
>   family_name: "User",
>   given_name: "Sample",
>   *groups: [
>    "0e129f6b-6b0a-4944-982d-f776000632af",
>    "323b13b3-1851-4b94-947f-9a4dacb595f4",
>    "6e32c250-9b0a-4491-b429-6c60d2ca9a42",
>    "f3a161a7-9a58-4e8f-9d47-b70022a07424",
>    "8d4c81b2-b1ad-476d-9574-544d155aa6ff",
>    "1bf80164-ff24-4866-b19c-6212e5b9a847",
>    "76f80127-f2cd-46f4-8c52-8edd8bc749b1",
>    "0ba27160-44d0-42b5-b90c-47b3fcc48e35"
>   ],*
>   appid: "b075ddef-0efa-123b-997b-de1337c29185",
>   appidacr: "1",
>   scp: "user_impersonation",
>   acr: "1"
> }.
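
The mapping step both posters are after, as an added example for this thread (it is not code from the thread, from Keycloak or from Microsoft): the verified claims of an Azure AD token are checked for audience, tenant, issuer and validity window, and then the `groups` (group object IDs) and `roles` (app roles) claims are translated into application roles. It assumes the token signature has already been verified upstream (by Keycloak's identity-provider integration or a JWT library); `GROUP_ROLE_MAP` and `APP_ROLE_MAP` are constructed mappings, `SAMPLE_CLAIMS` is copied from the sample token quoted above, and the group-overage handling (`_claim_names`) reflects documented Azure AD behaviour that the thread itself does not mention.

```python
"""Map Azure AD group and app-role claims to application roles.

Added example for this thread; not code from the thread, from Keycloak
or from Microsoft. It assumes the token's signature has ALREADY been
verified (by Keycloak's identity-provider integration or a JWT library);
only claim validation and the group-to-role mapping are shown here.
"""
import time

# Constructed mapping: Azure AD group object IDs -> application roles.
# The IDs are taken from the sample token quoted in the thread.
GROUP_ROLE_MAP = {
    "0e129f6b-6b0a-4944-982d-f776000632af": "admin",
    "323b13b3-1851-4b94-947f-9a4dacb595f4": "editor",
}
# Constructed mapping: Azure AD app roles ("roles" claim) -> application roles.
APP_ROLE_MAP = {"Admin": "admin"}

# Constructed claims, copied from the sample token quoted above.
SAMPLE_CLAIMS = {
    "aud": "https://contoso.onmicrosoft.com/scratchservice",
    "iss": "https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/",
    "iat": 1416968588, "nbf": 1416968588, "exp": 1416972488,
    "tid": "b9411234-09af-49c2-b0c3-653adc1f376e",
    "roles": ["Admin"],
    "groups": [
        "0e129f6b-6b0a-4944-982d-f776000632af",
        "323b13b3-1851-4b94-947f-9a4dacb595f4",
        "6e32c250-9b0a-4491-b429-6c60d2ca9a42",
    ],
}


class ClaimsError(ValueError):
    """The claims must not be used for role mapping."""


def validate_claims(claims, expected_aud, expected_tid, now=None, leeway=60):
    """Reject tokens issued for another app or tenant, or outside their validity window."""
    now = time.time() if now is None else now
    if claims.get("aud") != expected_aud:
        raise ClaimsError("audience mismatch")
    # Pin the tenant: group object IDs are only meaningful inside one tenant,
    # so a token from another tenant must never reach the mapping step.
    if claims.get("tid") != expected_tid:
        raise ClaimsError("tenant mismatch")
    if claims.get("iss") != f"https://sts.windows.net/{expected_tid}/":
        raise ClaimsError("issuer mismatch")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, int) or now > exp + leeway:
        raise ClaimsError("token expired or has no exp")
    if isinstance(nbf, int) and now + leeway < nbf:
        raise ClaimsError("token not yet valid")
    return claims


def map_claims_to_roles(claims, group_role_map=GROUP_ROLE_MAP, app_role_map=APP_ROLE_MAP):
    """Translate the 'groups' and 'roles' claims into application roles; unknown values are ignored."""
    # Group overage: when a user is in too many groups, Azure AD omits "groups"
    # and emits "_claim_names"/"_claim_sources" pointing at Graph instead. Known
    # Azure AD behaviour, not mentioned in the thread; treat it as "no decision".
    if "groups" in (claims.get("_claim_names") or {}):
        raise ClaimsError("groups overage: membership must be fetched out of band")
    groups = claims.get("groups", [])
    roles = claims.get("roles", [])
    if not isinstance(groups, list) or not isinstance(roles, list):
        raise ClaimsError("groups/roles claims must be lists")
    mapped = {group_role_map[g] for g in groups if isinstance(g, str) and g in group_role_map}
    mapped |= {app_role_map[r] for r in roles if isinstance(r, str) and r in app_role_map}
    return mapped


def roles_for_token(claims, expected_aud, expected_tid, now=None):
    """Return the application roles for a token, or None if the claims are not trustworthy."""
    try:
        return map_claims_to_roles(validate_claims(claims, expected_aud, expected_tid, now))
    except ClaimsError:
        return None


if __name__ == "__main__":
    # Evaluate the sample token at a constructed instant inside its validity window.
    print(roles_for_token(SAMPLE_CLAIMS, SAMPLE_CLAIMS["aud"], SAMPLE_CLAIMS["tid"], now=1416970000))
```

The mapping is an allowlist: a group ID that is not in the map yields nothing, and the tenant check makes sure a group ID from a different tenant can never be confused with one of yours. Note also that the authorization code flow which Keycloak uses also yields an id_token, returned by the token endpoint rather than the authorization endpoint once the request's scope includes openid; wherever the claims come from, the validation and mapping above are the same.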

