OIDC and Azure AD Groups
-
Hi. I have set up an OIDC identity provider to an Azure AD instance.
Login is working fine for me, but I am looking into ways to add more info to the JWT token.
Specifically I would like to obtain some AD groups for the logged-in user and add them to the token. For example, calling the List memberOf API from a lambda?
Has anyone done this sort of thing before with FusionAuth?
Thanks,
Matt
-
This seems like the issue you are facing: https://github.com/FusionAuth/fusionauth-issues/issues/222 (different API call, but same idea).
Just yesterday we released a feature that allows you to make HTTP requests from a lambda. More info here: https://fusionauth.io/blog/2022/03/10/announcing-fusionauth-1-35
Note that this feature requires an Essentials or Enterprise licensed edition of FusionAuth.
Another alternative is to enrich the token outside of FusionAuth, by passing the token to your code, which can then call arbitrary APIs and perhaps use the JWT Vending API to recreate a token signed as expected.
Hope this helps.
-
Hi,
I'm trying to get this working - specifically to fetch the Azure AD groups list.
The lambda does not have the required information in order to make the requested API calls into Azure though - we need the "access_token". It is shown in the debug log for the external identity provider, but I need it to be passed into the lambda so that I can use it to make further API calls into Azure (specifically https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http).
Is there a way I can get an access token from within the Lambda?
OpenID Connect IdP Response Debug Log for [Cybanetix Azure AD] [00c92a11-475e-4207-ae33-XXXXXXXXXXXXX]
7/1/2023 07:33:38 AM Z Call the configured Token endpoint [https://login.microsoftonline.com/5f6cb372-3153-4b59-b2ab-XXXXXXXXXXXXX/oauth2/token]
7/1/2023 07:33:38 AM Z Endpoint returned status code [200]
7/1/2023 07:33:38 AM Z Access Token Response:
{
"token_type" : "Bearer",
"expires_in" : "3599",
"ext_expires_in" : "3599",
"expires_on" : "1688200418",
"access_token" : "YYYYYYYYYYYYYYYYYYYYYYYYYYY",
"refresh_token" : "HHHHHHHHHHHHHHHHHHHHHHHHH",
"id_token" : "KKKKKKKKKKKKKKKKKKKKKKKKKKKK"
}
7/1/2023 07:33:38 AM Z Call the configured Userinfo endpoint [https://login.microsoftonline.com/5f6cb372-3153-4b59-b2ab-XXXXXXXXXX/openid/userinfo]
7/1/2023 07:33:38 AM Z Endpoint returned status code [200]
7/1/2023 07:33:38 AM Z Build a new user object from the returned Userinfo response:
{
"amr" : "["pwd"]",
"family_name" : "Kite",
"given_name" : "Bradley",
"ipaddr" : "1.2.3.4",
"name" : "Bradley Kite",
"oid" : "f8e0dca2-7d1f-4a30-9f69-JJJJJJJJJJJJJ",
"onprem_sid" : "S-1-5-21-4038623597-1531512353-3070216767-1103",
"rh" : "NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN",
"sub" : "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"tid" : "5f6cb372-3153-4b59-b2ab-XXXXXXXXXXXXXXXX",
"unique_name" : "bradley.kite@cybanetix.com",
"upn" : "bradley.kite@cybanetix.com",
"uti" : "KKKKKKKKKKKKKKKKKKKKKKKKK",
"ver" : "1.0",
"wids" : "["62e90394-69f5-4237-9190-012177145e10","b79fbf4d-3ef9-4689-8143-76b194e85509"]",
"groups" : [ "["66d8de0b-511c-40f6-9bb4-336fa94490a2","7e3bec0e-7061-4b1d-8a7e-69ad326e393e","c1f5f027-3b4b-49a5-8dee-069ef62ae9f9","7cb99d2c-1474-480e-8717-760c540b6eb6","d6058a35-9ae3-4be6-9c84-95e58a2f9a29","d7d34237-a871-4aad-babf-e8e19ab03726","5ba09a3f-4568-41ac-a06b-2b28c7fd411e","4a326844-c011-4935-b44d-4ded98b7cfa3","0cb0665b-23c4-46d6-b397-56a94c99799b","67ecc67c-2b6c-41d2-89a6-e317794c410b","04282083-1a01-4f1e-a7d5-22bc6c2e6027","146973ae-64e3-41a5-9ab0-e8c89aa07a0a","d3d652c4-a54b-4213-982f-487d4f363a32","8545dff2-70e3-4b2f-ab29-dac881c39a9a","5deb9bf5-5abc-41ad-ab29-b7fa24e29176","aa665544-e3eb-4594-80f3-4f7964e6af05","3d18328f-1293-48cd-b218-b6a8d3a703e3","c564dd61-6d1b-43c7-8ec0-33f79707dcfa","15548cd8-65c1-4889-b978-a04d1f630e97","84d0320c-beb3-4012-a565-1696982d12b5","f74fc2bd-7995-4a14-be9e-6302716df420","0bc5a7a3-6d2b-444f-824b-5e73c5fbe471","a1d330da-388e-4b55-9f46-97376aab5422","95c361ce-b2b3-413f-bdb5-ab198cb5e689","3ee4b754-9660-45cf-96a0-eb341cf11ea2","3561d960-9354-4cee-bd34-06b72ffd1ee1","8b523c9e-1786-48e7-b7b6-14afe2b615d9","ff3c0a70-62c6-48f1-aaff-3df958e0bb6c"]" ]
}
7/1/2023 07:33:38 AM Z Linking strategy [LinkByEmail]
7/1/2023 07:33:38 AM Z Resolved email to [null]
7/1/2023 07:33:38 AM Z Resolved username to [null]
7/1/2023 07:33:38 AM Z Resolved unique Id to [jwSpJK9odbqmZkzqO5HzCLvUgKKksvUz1b5qsX7JxXA]
7/1/2023 07:33:38 AM Z Identity provider returned a unique Id [jwSpJK9odbqmZkzqO5HzCLvUgKKksvUz1b5qsX7JxXA].
7/1/2023 07:33:38 AM Z User with Id [cfb8a0fc-b0b0-448b-869b-efd8a0955887] is linked to this external user.
7/1/2023 07:33:38 AM Z Invoke configured lambda with Id [89e4f359-83b8-4ca5-9e7f-272d4bae9262]
7/1/2023 07:33:38 AM Z Updating user:
{
"active" : true,
"breachedPasswordLastCheckedInstant" : 1647404340012,
"breachedPasswordStatus" : "None",
"connectorId" : "e3306678-a53a-4964-9040-AAAAAAAAAAAA",
"data" : { },
"email" : "bradley.kite@cybanetix.com",
"firstName" : "Bradley",
"fullName" : "Bradley Kite",
"id" : "cfb8a0fc-b0b0-448b-869b-GGGGGGGGGG",
"insertInstant" : 1598377522115,
"lastLoginInstant" : 1688196656636,
"lastName" : "Kite",
"lastUpdateInstant" : 1688196656636,
"memberships" : [ {
"data" : { },
"groupId" : "12e1f396-885f-45d0-9eb1-b69b5820ea19",
"id" : "e9b4f8cd-61f1-41e8-a270-06ddcf293d47",
"insertInstant" : 1647365944503
} ],
"passwordChangeRequired" : false,
"passwordLastUpdateInstant" : 1647365944496,
"preferredLanguages" : [ ],
"registrations" : [ ],
"tenantId" : "863a8e18-7ae4-8ad7-4fa0-XXXXXXXXXXXX",
"twoFactor" : {
"methods" : [ ],
"recoveryCodes" : [ ]
},
"uniqueUsername" : "bradley.kite",
"username" : "bradley.kite",
"usernameStatus" : "ACTIVE",
"verified" : true
}
7/1/2023 07:33:38 AM Z User is already registered for application with Id [6784dd47-e284-4425-8394-8c3b1d031468].
7/1/2023 07:33:39 AM Z User has successfully been reconciled and logged into FusionAuth.
7/1/2023 07:33:39 AM Z Authentication type: OPENID_CONNECT
7/1/2023 07:33:39 AM Z Authentication state: Authenticated
-
@bradley-kite said in OIDC and Azure AD Groups:
Is there a way I can get an access token from within the Lambda?
hiya @bradley-kite!
I haven't tested this, but there should be a refresh token stored in the identity provider link (since you are using OIDC). If you can retrieve that, you should be able to get a new access token, and then present that to Azure AD.
https://fusionauth.io/docs/v1/tech/apis/identity-providers/links#retrieve-a-link
Look for identityProviderLink.token.
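The route the two replies describe (read the stored refresh token from the identity provider link, exchange it for an Azure AD access token, query Graph memberOf, then hand the result to the JWT Vending API), written out as an added example that is not code from the thread or from FusionAuth's documentation. The Link API response shape, the v1 token endpoint parameters, the injected `http` transport and every host, tenant id and credential are assumptions marked in the comments.

```javascript
// Added example (not from the thread or FusionAuth): the token-enrichment flow the replies describe,
// run by your own backend. `http(url, opts)` is an injected synchronous transport returning
// { status, json } so this runs offline; hosts, tenant id and credentials are placeholders.
const FA_BASE = "https://fusionauth.example.com";
const TOKEN_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/token";
const GRAPH_MEMBER_OF = "https://graph.microsoft.com/v1.0/me/memberOf";
// Step 1: the refresh token is stored as identityProviderLink.token (Link API, assumed shape). It can
// mint new Azure AD access tokens for the user, so this lookup stays server-side, never in a browser.
function fetchLinkRefreshToken(http, cfg) {
  const url = `${FA_BASE}/api/identity-provider/link?identityProviderId=${cfg.identityProviderId}` +
    `&identityProviderUserId=${encodeURIComponent(cfg.identityProviderUserId)}`;
  const res = http(url, { headers: { Authorization: cfg.apiKey, "X-FusionAuth-TenantId": cfg.tenantId } });
  if (res.status !== 200 || !(res.json.identityProviderLink || {}).token) throw new Error(`no usable link: ${res.status}`);
  return res.json.identityProviderLink.token;
}
// Step 2: OAuth 2.0 refresh_token grant at the v1 token endpoint seen in the debug log; `resource`
// asks Azure AD for an access token accepted by Microsoft Graph.
function refreshGraphAccessToken(http, cfg, refreshToken) {
  const form = new URLSearchParams({ grant_type: "refresh_token", client_id: cfg.clientId,
    client_secret: cfg.clientSecret, refresh_token: refreshToken, resource: "https://graph.microsoft.com" });
  const res = http(TOKEN_URL, { method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: form.toString() });
  if (res.status !== 200) throw new Error(`token refresh failed: ${res.status}`);
  return res.json.access_token;
}
// Step 3: GET /me/memberOf, following @odata.nextLink pages; memberOf also lists directory roles, so only group objects become claims.
function listGroupIds(http, accessToken) {
  const ids = [];
  for (let url = GRAPH_MEMBER_OF; url; ) {
    const res = http(url, { headers: { Authorization: `Bearer ${accessToken}` } });
    if (res.status !== 200) throw new Error(`memberOf failed: ${res.status}`);
    for (const o of res.json.value) if (o["@odata.type"] === "#microsoft.graph.group") ids.push(o.id);
    url = res.json["@odata.nextLink"];
  }
  return ids;
}
function buildGroupClaims(http, cfg) {
  const refreshToken = fetchLinkRefreshToken(http, cfg);
  return { groups: listGroupIds(http, refreshGraphAccessToken(http, cfg, refreshToken)) }; // claims for the JWT Vending API
}
// Constructed offline stub standing in for FusionAuth, Azure AD and Graph (Graph answers in two pages).
function stubHttp(url, _opts) {
  if (url.startsWith(FA_BASE)) return { status: 200, json: { identityProviderLink: { token: "rt-constructed" } } };
  if (url === TOKEN_URL) return { status: 200, json: { token_type: "Bearer", access_token: "at-constructed" } };
  if (url === GRAPH_MEMBER_OF) return { status: 200, json: { "@odata.nextLink": GRAPH_MEMBER_OF + "?$skiptoken=p2",
    value: [{ "@odata.type": "#microsoft.graph.group", id: "g-1" }, { "@odata.type": "#microsoft.graph.directoryRole", id: "r-1" }] } };
  return { status: 200, json: { value: [{ "@odata.type": "#microsoft.graph.group", id: "g-2" }] } };
}
const DEMO_CFG = { apiKey: "fa-key", tenantId: "tenant", identityProviderId: "idp", identityProviderUserId: "sub|1", clientId: "c", clientSecret: "s" };
console.log(JSON.stringify(buildGroupClaims(stubHttp, DEMO_CFG))); // {"groups":["g-1","g-2"]}
```

Swap `stubHttp` for a real transport (with the same `{ status, json }` return shape) and the same three functions run against FusionAuth, Azure AD and Graph; the directory-role entry in the stub shows why the type filter in step 3 matters.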