django-auth-adfs icon indicating copy to clipboard operation
django-auth-adfs copied to clipboard

Published 20 hours ago verified publisher icon snok

Handle groupmemberships over SAML/JWT limit by following and parsing Graph URI results

Open jmartens opened this issue 3 years ago • 12 comments

When a large number of memberships is supplied in the auth token the individual groups are not provided anymore. Instead a Graph URI is provided. By following that you should be able to retrieve all group memberships for the user.

AFAICT the limit is 150 for SAML requests and 200 for JWT requests.

A workaround on the Azure side is to configure your application for specific groups only and set the groups claim to only return groups assigned to this application (as can be seen in the screenshot here), but it would be nice if this could be handled by this framework as well by following the Graph URI provided and parsing its results.

Fund with Polar

jmartens avatar Aug 11 '21 15:08 jmartens

Hi, this seems like a good suggestion indeed.
PR welcome. :blush:

JonasKs avatar Aug 11 '21 15:08 JonasKs

Not sure if I can find the time, but will see what I can do. Already have a hunch on where to add it in the code, not sure on the implementation details though.

Any preference on how to run rest requests and process the results? Are there helpers or classes in this package you prefer to be used?

jmartens avatar Aug 11 '21 19:08 jmartens

Already have a hunch on where to add it in the code

I am guessing an additional leaf in this if else clause is the proper place to check for and retrieve the Graph Api url: https://github.com/snok/django-auth-adfs/blob/4917d379153beeb2d9942a9b938e3b75816b1266/django_auth_adfs/backend.py#L190-L198

jmartens avatar Aug 11 '21 19:08 jmartens

Yeah, I'd say there too. The graph API has to be optional, though. 😊 It'll add some overhead, so should be opt in.

JonasKs avatar Aug 11 '21 19:08 JonasKs

I've never worked on a Azure AD Django project, so i'm not you man to implement this.

Currently writing an Azure AD plug-in for FastAPI, but it won't be as comprehensive as this package.

JonasKs avatar Aug 11 '21 19:08 JonasKs

It'll add some overhead, so should be opt in.

OK, will see if and how I can create a settings parameter for it.

jmartens avatar Aug 11 '21 19:08 jmartens

The payload of a claim is explained here and this is the specific part for the so-called Groups overage claim

jmartens avatar Aug 12 '21 10:08 jmartens

This SO post might also hold some vital clues to get it working as apparently the application needs for Directory.Read.All permissions to successfully request the group memberships using the returned Graph URI.

jmartens avatar Aug 12 '21 10:08 jmartens

To get the URL for the claim I think this should work:

try:
  claim_name = claims['_claim_names'][settings.GROUPS_CLAIM]
  claim_source = claims['_claim_sources'][claim_name]
  claim_url = claim_source['endpoint']
except KeyError as e:
  logger.error(f"Key not found: {e}")

jmartens avatar Aug 12 '21 10:08 jmartens

This is also related to #10. Both of you want a Graph integration.

JonasKs avatar Aug 27 '21 18:08 JonasKs

Has anyone got an update regarding this issue? Would love to see the graph integration work as we have far to many users with to many groups. Now we have to administer azure AD and Django, in stead of only django.

stefanoostwegel avatar Jul 05 '22 09:07 stefanoostwegel

Not much update to give, other than a PR is welcome.

JonasKs avatar Jul 05 '22 10:07 JonasKs