 

Azure JWT with property "hasgroups=true" instead of groups property object

I have an Azure Web Application with Azure Active Directory authentication (made with adal-angular).

In the application manifest I have set "groupMembershipClaims": "SecurityGroup".

The strange thing is that for some days, for just one user, the AAD token does not have the group claim with the list of group membership objectIds, but instead there's a property named hasgroups with value true.

Can I do something about it? For now I'm going to check if there's one property or the other and then call GraphAPI for direct group membership.

MicheleT asked Aug 04 '17 08:08



1 Answer

hasGroups=true is returned in the case where the user belongs to "too many groups". I don't know what the exact threshold is (20? 200?) but effectively what you need to do in your code is something along the lines of (pseudocode):

if (hasGroups)
  Call the Graph to inquire:
    Either about the full group membership OR 
    About membership to a particular group
else
  Access groups directly from the token

Get all the groups a users belongs to:

https://graph.windows.net/myorganization/users/{user_id}/$links/memberOf?api-version

Inquire whether the user belongs to a specific group:

https://graph.windows.net/myorganization/users/{user_id}/isMemberOf?api-version
Saca answered Oct 31 '22 22:10
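The branching logic from the answer, written out as an added Node.js example (not code from the question or the answer): it decodes the payload of an AAD JWT, reads the `groups` claim when present, and otherwise reports that Graph must be queried when only `hasgroups: true` is carried. The sample tokens are constructed and unsigned; the claim names `groups` and `hasgroups` are the ones reported in the question.

```javascript
// Decode the payload of a compact JWT without verifying its signature. This
// only inspects claims client-side; the resource server must still validate
// the signature before trusting any of them.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  // base64url -> base64, then pad to a multiple of 4
  let b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Decide where group membership must come from.
// Returns { source: 'token', groups: [...] } when the token carries the list,
// or { source: 'graph', groups: null } when the overage marker is present and
// the caller has to query Graph (memberOf / isMemberOf) instead.
function resolveGroups(claims) {
  if (Array.isArray(claims.groups)) {
    return { source: 'token', groups: claims.groups };
  }
  if (claims.hasgroups === true || claims.hasgroups === 'true') {
    return { source: 'graph', groups: null };
  }
  // Neither claim present: no group memberships to report from the token.
  return { source: 'token', groups: [] };
}

// Build an unsigned sample token from a payload (constructed demo input; a
// real token is issued and signed by Azure AD).
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

const normalToken = makeSampleToken({ oid: 'user-1', groups: ['g1', 'g2'] });
const overageToken = makeSampleToken({ oid: 'user-2', hasgroups: true });
console.log(resolveGroups(decodeJwtPayload(normalToken)));  // source: 'token'
console.log(resolveGroups(decodeJwtPayload(overageToken))); // source: 'graph'
```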