
Issues with AzureAD groups

Open ryanbenedetti opened this issue 7 years ago • 3 comments

This plug-in has been great for us for authenticating through Azure AD; however, we have noticed that Liferay is not syncing/updating a user's AD group memberships on login. Has anyone else experienced an issue with this and the plug-in?

ryanbenedetti avatar Jul 17 '18 20:07 ryanbenedetti

Hi Ryan, Thanks for using the plugin. You're correct in the observation that the plugin does not process any group memberships. In the plain OpenID Connect protocol, there's no such concept of group membership. So although both AD and Liferay can handle them, the protocol itself does not cater for it. That's the reason the Liferay plugin does not support it yet. But, since a lot of users of the plugin actually integrate with Azure AD, it would certainly be interesting to have that feature added. Maybe you can help a bit with this? If you debug/inspect the communication between Azure AD and Liferay and/or the browser, do you see any actual group information passed along? Or are you aware of another OAuth 2.0 'scope' that should be added to the authorization flow to have them be provided by Azure AD? This can help me decide what the right way would be to sync the group membership on the Liferay side.

Thanks! Geert

gvanderploeg avatar Jul 18 '18 07:07 gvanderploeg
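Geert's question above is whether any group information actually travels in the OpenID Connect response. One defensible way to find out is to validate the ID token's signature and then look for a `groups` claim, rather than decoding the payload blindly. The following is an added example (not code from the liferay-oidc-plugin or from either commenter) that does this with a constructed HS256-signed token; a real check against Azure AD would verify RS256 signatures using the tenant's published JWKS keys, and whether a `groups` claim is present at all depends on how the identity provider is configured, which is an assumption here, not something the thread establishes.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. A production verifier fetches the IdP's public
# signing keys (JWKS) instead of sharing a secret with the IdP.
DEMO_KEY = b"constructed-demo-hmac-key"


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWTs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Reverse of _b64url; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build an HS256-signed JWT for the demo (constructed, not an Azure AD token)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = dict(separators=(",", ":"))
    signing_input = (
        _b64url(json.dumps(header, **compact).encode())
        + "."
        + _b64url(json.dumps(claims, **compact).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verified_claims(token: str, key: bytes = DEMO_KEY) -> dict:
    """Verify the signature first, then return the claims.

    Refuses malformed tokens, unexpected algorithms (so an 'alg: none'
    token is not accepted) and signatures that do not match the key.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def groups_from_token(token: str, key: bytes = DEMO_KEY) -> Optional[list]:
    """Return the 'groups' claim, or None when the IdP sent no group data.

    A plain OIDC ID token carries no group concept, so None is the normal
    outcome unless the IdP has been configured to add a groups claim
    (assumed name; check the actual token your IdP issues).
    """
    claims = verified_claims(token, key)
    groups = claims.get("groups")
    if groups is None:
        return None
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("groups claim has unexpected shape")
    return groups


if __name__ == "__main__":
    # Constructed sample tokens: one plain OIDC token, one with group data.
    plain = make_token({"sub": "user-1", "email": "user1@example.test"})
    with_groups = make_token({"sub": "user-1", "groups": ["grp-a", "grp-b"]})
    print(groups_from_token(plain))        # None
    print(groups_from_token(with_groups))  # ['grp-a', 'grp-b']
```

The point of verifying before reading is that a group list taken from an unverified payload would let anyone who can reach the login callback claim whatever membership they like; signature checking is what makes the claim worth syncing into Liferay.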

Thanks, as always, for the speedy response, Geert!

You can get security group permissions, using Microsoft's "admin-restricted scopes" and admin endpoint: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes

Here is the section of interest:

"Admin-restricted scopes

Some high-privilege permissions in the Microsoft ecosystem can be set to admin-restricted. Examples of these kinds of scopes include the following permissions:

- Read an organization's directory data by using Directory.Read
- Write data to an organization's directory by using Directory.ReadWrite
- Read security groups in an organization's directory by using Groups.Read.All

Although a consumer user might grant an application access to this kind of data, organizational users are restricted from granting access to the same set of sensitive company data. If your application requests access to one of these permissions from an organizational user, the user receives an error message that says they are not authorized to consent to your app's permissions.

If your app requires access to admin-restricted scopes for organizations, you should request them directly from a company administrator, also by using the admin consent endpoint, described next.

When an administrator grants these permissions via the admin consent endpoint, consent is granted for all users in the tenant."

We may end up just syncing regularly with LDAP to get group memberships and using the plug-in for auth.

ryanbenedetti avatar Jul 18 '18 17:07 ryanbenedetti

Hi Ryan,

Thanks for the documentation. Looks doable to me, but not particularly small. Let's keep this issue open as a feature request, but please do not expect it in the short term.

gvanderploeg avatar Jul 23 '18 13:07 gvanderploeg