[MGNLSSO-4] Usergroup Resolution - groups cannot be parsed with default json parser - create a hook Created: 30/Oct/18 Updated: 21/Feb/19 Resolved: 21/Feb/19
| Status: | Closed |
| Project: | Single Sign On |
| Component/s: | None |
| Affects Version/s: | 2.0 Incubator |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major |
| Reporter: | Jörg Wirsig | Assignee: | Lars Fischer |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Independent |
| Description |
We are trying to connect to an Azure AD with the new OAuth module and use the external groups resolution feature. It seems that Microsoft AD does not format its response validly. When requesting the userinfo to extract the groups, the names that should be a JSON Array are a String:
    {
      "aio": "...",
      "amr": "[\"pwd\"]",
      "email": "...",
      "idp": "...",
      "ipaddr": "...",
      "name": "...",
      "oid": "...",
      "pwd_exp": "67488",
      "pwd_url": "...",
      "roles": "[\"tester\"]",
      "sub": "..",
      "tid": "..",
      "unique_name": "..",
      "uti": "..",
      "ver": "..."
    }
The value within roles (we use it as groups) is not valid JSON, so the parser in UserAccountUtils.createUserProperties cannot handle it correctly. For example, I think it would be a great idea to be able to use a custom class at the point where UserAccountUtils converts the OICResponse.
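As an added illustration, not code from the Single Sign On module: a small Python parser for the group claim that accepts both a real JSON array and the string-wrapped array shown above, decodes only one level, and discards anything that is not a flat list of non-empty names instead of returning a partial result. The claim name "roles" and the sample claims are constructed from the ticket, not taken from a live Azure AD response.

```python
import json
from typing import Any, Dict, List

# Constructed sample, shaped like the userinfo response quoted in the ticket:
# "roles" and "amr" arrive as strings that hold JSON text, not as arrays.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "amr": "[\"pwd\"]",
    "name": "Example User",
    "pwd_exp": "67488",
    "roles": "[\"tester\"]",
}


def parse_group_claim(value: Any) -> List[str]:
    """Return the group names carried by a claim that is either a JSON array
    or a string containing a JSON array (the Azure AD form from the ticket).

    Only one level of string decoding is attempted, and the decoded value must
    be a flat list of non-empty strings; any other shape yields no groups so
    that a malformed claim never grants a partially parsed membership list.
    """
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except ValueError:
            # A plain, non-JSON string is not a group list.
            return []
    if not isinstance(value, list):
        return []
    groups: List[str] = []
    for item in value:
        if not isinstance(item, str) or not item.strip():
            return []
        name = item.strip()
        if name not in groups:
            groups.append(name)
    return groups


def groups_from_userinfo(claims: Dict[str, Any], claim_name: str = "roles") -> List[str]:
    """Extract group names from userinfo claims; a missing claim means no groups."""
    return parse_group_claim(claims.get(claim_name))
```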
| Comments |
| Comment by Lars Fischer [ 07/Nov/18 ] |
Thanks for the feedback!
So far this has been an experimental feature not tested with Azure - we will consider your proposal but I cannot give you a date yet when this will be implemented.
| Comment by Jörg Wirsig [ 01/Feb/19 ] |
Can you give any information about when this improvement could be available?
| Comment by Lars Fischer [ 21/Feb/19 ] |
I am working on a solution to get a user's groups with Azure AD. In Azure, the correct way to get a user's group memberships seems to be to query a specific web service for that information with the token you retrieved after the user verification. There seems to be no way to have the same information with just one call like in Keycloak (user and group names). Even if you would manage to get group information, then you would only retrieve the IDs and not the names, and that's of no use on the Magnolia side. I am working to get this working in the code soon and then provide documentation on how I retrieved group membership in Azure. This should be available soon if tests go well (please keep in mind we are not Azure experts and this module is not part of Magnolia EE). If you want to go a non-standard way, then your only option would be to change the source code yourself to adapt it to your needs.
| Comment by Lars Fischer [ 21/Feb/19 ] |
The module was updated with external group handling for Azure AD. See version 2.2.0-SNAPSHOT (master branch). See the two attached documents for documentation. Resolving roles as described in the ticket is not and will not be supported (and it's still not clear how to get that result from Azure configuration, but I am an absolute Azure beginner...). MCS-165417921-210219-1619-4702.pdf MCS-176785907-210219-1619-4700.pdf