Application Roles for Azure OAuth JWT PHP

I created an application in Azure AD from a manifest with several appRoles in it, and I can assign users to these roles. After the user completes single sign-on, they return to my application, and I then decode the JSON Web Token. The problem is that the token I get back from Azure has no assigned roles, although I assume that is where they are supposed to be.

Is there a configuration option I have missed, or is there an alternative way to find out the user's assigned role through the Azure API?


Update:

After specifying the application's App ID URI as the resource when requesting the authorization URL, I got a little further.

Now I get the following error back (in the return URL):

 "The signed in user '<user email>' is not assigned to a role for the application '<app client id>'." 

The user was definitely assigned a role for the application in the Azure AD control panel, and the application client ID in the error message exactly matches the application's client ID.


Application configuration:

[Screenshot: Azure AD application configuration screen]

The user has an assigned role:

[Screenshot: Azure AD application user role assignments]

Error message after logging in and returning to the application:

[Screenshot: Azure AD authentication error message]

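As an added example (not code from the original post or from any of the answers), the following Python shows the checks the PHP application should run on the token it gets back, and reproduces the three situations the question describes: a token issued for the App ID URI that carries a roles claim, a token issued for some other resource (what you get when the resource parameter is not the App ID URI), and a token for a user with no role assignment. It uses only the standard library and mints constructed HS256 tokens with a made-up key so that it runs offline; a real Azure AD token is signed with RS256 and must be verified against the tenant's published signing keys instead. The client ID, App ID URI, user name, clock value and signing key are all placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders for this example; none of these values come from the original post.
DEMO_KEY = b"constructed-demo-signing-key"          # stand-in for the tenant's RS256 signing key
CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder application (client) ID
APP_ID_URI = "https://contoso.example/phpapp"        # placeholder App ID URI (the "resource")
ACCEPTED_AUDIENCES = {CLIENT_ID, APP_ID_URI}         # a token for this app names one of these as aud
FIXED_NOW = 1_700_000_000                            # fixed clock so the expiry check is deterministic


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 JWT (header.payload.signature) so the example runs offline."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def app_roles_from_token(token: str, key: bytes, audiences: set, now: float = None):
    """Validate the token and return (roles, error); error is None on success.

    Order matters: algorithm and signature first, so nobody can edit the payload to
    grant themselves a role; then audience, so a token minted for another resource is
    rejected even though it is validly signed; then expiry; and only then the roles claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return [], "malformed"
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # covers bad base64 and bad JSON
        return [], "malformed"
    if header.get("alg") != "HS256":  # never trust the header's alg; pin the one you expect
        return [], "bad-alg"
    expected_sig = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        return [], "bad-signature"
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("aud") not in audiences:  # aud is a single string in Azure AD tokens
        return [], "wrong-audience"
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return [], "expired"
    roles = claims.get("roles") or []
    if not roles:
        return [], "no-roles"  # user has no app role assignment for this resource
    return list(roles), None


def forge_roles(token: str, roles: list) -> str:
    """What an attacker would try: edit the payload to add roles while keeping the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["roles"] = roles
    return ".".join([header_b64, b64url_encode(json.dumps(claims, separators=(",", ":")).encode()), sig_b64])


# Three constructed tokens matching the situations described in the question.
_base = {"upn": "user@contoso.example", "exp": FIXED_NOW + 3600}
TOKEN_WITH_ROLES = make_token({**_base, "aud": APP_ID_URI, "roles": ["Admin", "Reader"]}, DEMO_KEY)
TOKEN_OTHER_RESOURCE = make_token({**_base, "aud": "https://other-api.example"}, DEMO_KEY)  # resource not set to App ID URI
TOKEN_UNASSIGNED = make_token({**_base, "aud": APP_ID_URI}, DEMO_KEY)  # signed in, but no role assignment

if __name__ == "__main__":
    for name, tok in [("assigned", TOKEN_WITH_ROLES), ("other resource", TOKEN_OTHER_RESOURCE),
                      ("unassigned", TOKEN_UNASSIGNED), ("forged", forge_roles(TOKEN_UNASSIGNED, ["Admin"]))]:
        print(name, app_roles_from_token(tok, DEMO_KEY, ACCEPTED_AUDIENCES, now=FIXED_NOW))
```

The "wrong-audience" case is the one the question's update fixes: a token is only issued with the application's roles claim when it was requested for that application as the resource, so the first thing to check when the roles claim is missing is what the token's aud actually is.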

This is probably not the answer people want to hear if they come across this thread looking for a solution to the problem, but we have moved from using OAuth to SAML, and we now successfully get the application roles in the SAML response.

I can only assume that the application role implementation over OAuth in Azure AD is completely broken, because we have not changed anything except switching to SAML.


@Phlip, could you try setting your application's permission using PowerShell?

    # 1. Download the Azure AD PowerShell module and log in with your AD user
    $msolcred = Get-Credential
    Connect-MsolService -Credential $msolcred

    # 2. Get the service principal of the application by its client ID
    $ClientIdWebApp = '5b597c35-**-**-ad05-***'
    $webApp = Get-MsolServicePrincipal -AppPrincipalId $ClientIdWebApp

    # 3. Use Add-MsolRoleMember to add it to the "Company Administrator" role
    Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId

For more information, please refer to this page: https://msdn.microsoft.com/en-us/library/azure/dn919663.aspx and use these methods to add a member to the role:

    Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "user@contoso.com"

Any updates or results, please let me know.


The C# code below can query the users assigned to your application through the AppRoleAssignedTo property. I am not familiar with PHP, but I believe it has a similar method. The ActiveDirectoryClient class comes from the Active Directory Graph Client Library.

    using System;
    using System.Linq;
    using Microsoft.Azure.ActiveDirectory.GraphClient;

    // Find the service principal of the application by its client ID
    var servicePrincipals = activeDirectoryClient.ServicePrincipals
        .Where(p => p.AppId.Equals("app client id"))
        .ExecuteAsync().Result.CurrentPage.ToList();
    var sp = servicePrincipals.FirstOrDefault();
    if (sp == null)
    {
        throw new InvalidOperationException("No service principal found for this client ID");
    }

    // List the principals (users or groups) assigned to the application's app roles
    var userAssignments = (sp as IServicePrincipalFetcher).AppRoleAssignedTo
        .ExecuteAsync().Result.CurrentPage.ToList();
    foreach (IAppRoleAssignment assignedUser in userAssignments)
    {
        Console.WriteLine("UserId: {0} Name: {1} ObjectType: {2}",
            assignedUser.PrincipalId, assignedUser.PrincipalDisplayName, assignedUser.ObjectType);
    }
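The directory query above returns role assignments keyed by the role's id, not by the role name from the manifest, so an application still has to join the two before it can make an authorization decision. As an added example (not code from the original page or from the answer), the following Python does that join over constructed sample data: an appRoles block in the shape of an application manifest, and a list of assignments using the principalId, principalDisplayName and objectType fields the C# reads, plus id and principalType, which are assumed here to carry the role id and the kind of principal. It drops assignments to disabled or unknown roles, reports them for auditing, and keeps group assignments under the group's own id, since expanding group membership is a separate query this example does not make.

```python
# Constructed sample data; the GUIDs, names and principal ids are placeholders.
ADMIN_ROLE_ID = "0a1b2c3d-0000-4000-8000-000000000001"
READER_ROLE_ID = "0a1b2c3d-0000-4000-8000-000000000002"
LEGACY_ROLE_ID = "0a1b2c3d-0000-4000-8000-000000000003"

# Shape of the appRoles array in an Azure AD application manifest (constructed).
MANIFEST_APP_ROLES = [
    {"id": ADMIN_ROLE_ID, "value": "Admin", "displayName": "Administrator",
     "isEnabled": True, "allowedMemberTypes": ["User"]},
    {"id": READER_ROLE_ID, "value": "Reader", "displayName": "Reader",
     "isEnabled": True, "allowedMemberTypes": ["User"]},
    {"id": LEGACY_ROLE_ID, "value": "Legacy", "displayName": "Legacy role",
     "isEnabled": False, "allowedMemberTypes": ["User"]},  # disabled but assignments may remain
]

ALICE, BOB, CAROL, OPS_GROUP = "user-alice", "user-bob", "user-carol", "group-ops"

# Constructed appRoleAssignedTo results. 'id' is assumed to be the assigned role's id and
# 'principalType' the kind of principal; the other three fields are the ones the C# prints.
APP_ROLE_ASSIGNMENTS = [
    {"id": ADMIN_ROLE_ID, "principalId": ALICE, "principalDisplayName": "Alice",
     "principalType": "User", "objectType": "AppRoleAssignment"},
    {"id": READER_ROLE_ID, "principalId": ALICE, "principalDisplayName": "Alice",
     "principalType": "User", "objectType": "AppRoleAssignment"},
    {"id": READER_ROLE_ID, "principalId": BOB, "principalDisplayName": "Bob",
     "principalType": "User", "objectType": "AppRoleAssignment"},
    {"id": LEGACY_ROLE_ID, "principalId": CAROL, "principalDisplayName": "Carol",
     "principalType": "User", "objectType": "AppRoleAssignment"},
    {"id": ADMIN_ROLE_ID, "principalId": OPS_GROUP, "principalDisplayName": "Ops",
     "principalType": "Group", "objectType": "AppRoleAssignment"},
]


def enabled_role_values(app_roles):
    """Map role id -> role value for roles that are enabled in the manifest."""
    return {r["id"]: r["value"] for r in app_roles if r.get("isEnabled", True)}


def roles_by_principal(app_roles, assignments):
    """Map principalId -> set of enabled role values assigned to it.

    Group assignments stay under the group's id: resolving which users are in the
    group needs a separate membership query, so do not treat a miss here as "no role"
    until group membership has been expanded too.
    """
    values = enabled_role_values(app_roles)
    result = {}
    for a in assignments:
        value = values.get(a["id"])
        if value is None:
            continue  # disabled or unknown role id grants nothing
        result.setdefault(a["principalId"], set()).add(value)
    return result


def roles_for_principal(app_roles, assignments, principal_id):
    """Sorted role values for one principal; empty list if it has no enabled role."""
    return sorted(roles_by_principal(app_roles, assignments).get(principal_id, set()))


def stale_assignments(app_roles, assignments):
    """Assignments that point at a disabled or unknown role: worth cleaning up."""
    values = enabled_role_values(app_roles)
    return [(a["principalDisplayName"], a["id"]) for a in assignments if a["id"] not in values]


if __name__ == "__main__":
    for pid, roles in sorted(roles_by_principal(MANIFEST_APP_ROLES, APP_ROLE_ASSIGNMENTS).items()):
        print(pid, sorted(roles))
    print("stale:", stale_assignments(MANIFEST_APP_ROLES, APP_ROLE_ASSIGNMENTS))
```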

Source: https://habr.com/ru/post/1245332/
