lua-resty-openidc
Azure AD JWT groups/roles example
Can you please provide an example of Azure AD integration with group/roles claims from JWT? https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code
Thanks
FWIW, here's what I do:
- In Azure
  - Registered app > Certificates & secrets: create a new secret and jot it down for later.
  - Registered app > App roles: create a role with "Allowed member types" = "Users/Groups".
  - Enterprise app > Users and groups: assign a group or a flat DL to the role that you created.
- In nginx.conf (untested bits cobbled together from my full configuration):
local resty_openidc = require("resty.openidc")

local opts = {
  discovery = "https://login.microsoftonline.com/"..tenant_id.."/v2.0/.well-known/openid-configuration",
  client_id = client_id,
  client_secret = client_secret,
  redirect_uri = "/.oidc/login",
  logout_path = "/.oidc/logout",
  session_contents = {id_token=true},
}
local res, err = resty_openidc.authenticate(opts)
if err then return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) end
local name = res.id_token.name
local email = res.id_token.email
-- "roles" is only present when the user holds at least one app role; treat a missing claim as no roles
local roles = res.id_token.roles or {}
-- iterate through the roles looking for the one used to gate access to your upstream service
local authorized = false
for _, role in ipairs(roles) do
  if role == "grafana" then authorized = true end
end
if not authorized then return ngx.exit(ngx.HTTP_FORBIDDEN) end
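The snippet above assumes the `roles` claim is always present, which it is not: Azure AD only emits `roles` in the id_token when the signed-in user (or one of their groups) is assigned at least one app role, so an unassigned user would hit `pairs(nil)` and get a 500 instead of a 403. The following is an added example, not code from the original comment or from the lua-resty-openidc project, that packages the same flow as a small OpenResty module with a nil-safe role check and a tenant (`tid`) check. The module name `azure_gate`, the `AZURE_*` environment variables, the `X-Auth-User` header and the required role name `grafana` are assumptions for illustration.

```lua
-- Added example (not the original poster's code, not part of lua-resty-openidc).
-- Hypothetical file: /etc/nginx/lua/azure_gate.lua
-- Wire it into a location with:
--   access_by_lua_block { require("azure_gate").access("grafana") }
local M = {}

-- Assumed configuration source; pass these in however your deployment prefers.
local tenant_id     = os.getenv("AZURE_TENANT_ID")
local client_id     = os.getenv("AZURE_CLIENT_ID")
local client_secret = os.getenv("AZURE_CLIENT_SECRET")

-- Pure check: does the id_token "roles" claim contain `required`?
-- Azure AD omits "roles" entirely when the user has no app role, and emits
-- an array of strings otherwise. A missing claim must mean "denied", never
-- a Lua error (which nginx would turn into a 500).
function M.has_role(claims, required)
  if type(claims) ~= "table" then return false end
  local roles = claims.roles
  if type(roles) == "string" then roles = { roles } end  -- tolerate a scalar
  if type(roles) ~= "table" then return false end
  for _, role in ipairs(roles) do
    if role == required then return true end
  end
  return false
end

-- Defence in depth: a tenant-specific discovery URL already pins the issuer,
-- but checking "tid" as well catches a config that drifts to the "common"
-- endpoint, which would accept accounts from any tenant.
function M.is_expected_tenant(claims, expected_tid)
  return type(claims) == "table" and claims.tid == expected_tid
end

function M.access(required_role)
  local opts = {
    discovery = "https://login.microsoftonline.com/" .. tenant_id
                .. "/v2.0/.well-known/openid-configuration",
    client_id        = client_id,
    client_secret    = client_secret,
    redirect_uri     = "/.oidc/login",
    logout_path      = "/.oidc/logout",
    session_contents = { id_token = true },
  }

  -- authenticate() redirects unauthenticated users to Azure itself and does
  -- not return in that case; when it does return, res.id_token holds claims.
  local res, err = require("resty.openidc").authenticate(opts)
  if err or not res or not res.id_token then
    ngx.log(ngx.ERR, "OIDC authenticate failed: ", tostring(err))
    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
  end

  local claims = res.id_token
  if not M.is_expected_tenant(claims, tenant_id)
     or not M.has_role(claims, required_role) then
    ngx.log(ngx.WARN, "denied ", tostring(claims.preferred_username),
            " (tid=", tostring(claims.tid), ") for role ", required_role)
    return ngx.exit(ngx.HTTP_FORBIDDEN)
  end

  -- Hand the identity to the upstream. The upstream must accept this header
  -- only from nginx (e.g. bind it to localhost), or a client could forge it.
  ngx.req.set_header("X-Auth-User",
                     claims.preferred_username or claims.email or "")
end

return M
```

Keep `has_role` and `is_expected_tenant` free of `ngx` calls so they can be exercised with plain Lua tables (for example `{ tid = "...", roles = { "grafana" } }`) outside nginx; only `access` touches the request. Note that `email` is an optional claim in v2.0 tokens and may be absent unless the `email` scope is requested, which is why `preferred_username` is tried first.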