Missing groups #361

Open
stefanoostwegel opened this issue Feb 12, 2025 · 6 comments
@stefanoostwegel

We use Microsoft Entra ID on microsoft azure.
We send all possible groups in the token, but we keep missing a lot of groups. Some users have over 150 groups! We cannot figure out what to do for the group configuration to arrive completely.
This is the setting:

    AUTH_ADFS = {
        'AUDIENCE': client_id,
        'CLIENT_ID': client_id,
        'CLIENT_SECRET': client_secret,
        'CLAIM_MAPPING': {'first_name': 'given_name',
                          'last_name': 'family_name',
                          'email': 'upn'},
        'GROUPS_CLAIM': 'groups',
        'MIRROR_GROUPS': True,
        'USERNAME_CLAIM': 'upn',
        'TENANT_ID': tenant_id,
        'RELYING_PARTY_ID': client_id,
        'LOGIN_EXEMPT_URLS': [
            '^api',
        ],
    }

In Entra ID:

In the token configuration we have the group claim:
Security groups
Directory roles
All groups
Groups configured for applications

We believe everything is complete, but it turns out that a specific user who has 200 groups according to Entra ID only shows up with 100 groups in Django.
I cannot find something like a cutoff (groups run from a to z), but we are missing vital groups.

Can anyone explain to me how we have to fix this, so that everything shows up?

@tim-schilling
Member

tim-schilling commented Feb 12, 2025

Have you looked at overriding the get_group_memberships_from_ms_graph method here https://github.com/snok/django-auth-adfs/blob/main/django_auth_adfs/backend.py#L110?

@stefanoostwegel
Author

Thank you so much for the fast reply.
I fiddled around with this, but I couldn't figure out how to enforce this.
I tried to enforce this according to: process_user_groups
By having the GROUPS_CLAIM not part of the claims, I would go into the elif on line 239.
But there, I needed to have _claim_names in the claims (I couldn't figure out how to), so I got stuck.
Any suggestion how to change the configuration to make that work?

@tim-schilling
Member

Did you add the groups claim in Entra for the app registration?

Also you can always override process_user_groups and do something custom as needed.

@stefanoostwegel
Author

Well, I think I did add the groups claim in Entra for the app registration.
That still doesn't allow me to force the get_group_memberships_from_ms_graph.
How would the override work if I want to do that without altering the code?

@tim-schilling
Member

Sorry, I don't have the time to help implement a custom solution. I believe the hook is available for you to do what you're looking for.

@stefanoostwegel
Author

I fully understand you don't have time for it.
I'm trying not to customize the implementation, but to use the standard way to always use Microsoft Graph.
Based on some settings, I understand the code only uses the JWT. I need to know the default way to use Microsoft Graph, since I cannot find that in the documentation.
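The thread turns on two situations: the groups claim is present in the token, or the claim is absent and Entra ID instead emits `_claim_names` / `_claim_sources` (the "groups overage" marker) pointing at a Microsoft Graph endpoint that must be queried for the full list; the reporter additionally wants a mode that always queries Graph. The following is an added, self-contained example of that decision logic, not code from django-auth-adfs; the functions `resolve_groups`, `overage_endpoint` and `fake_graph`, the sample claim sets and the placeholder endpoint are all constructed for illustration, and wiring the logic into an override of the library's `process_user_groups` hook (mentioned above) is left to the reader because this example makes no assumption about that method's signature.

```python
"""
Added example (not part of django-auth-adfs): decide where a user's group
membership comes from, given the decoded claims of an Entra ID token.

Cases covered:
  * the configured groups claim is in the token -> use it;
  * the claim is missing and Entra signals overage via `_claim_names` /
    `_claim_sources` -> query the Graph endpoint named in the token;
  * `always_use_graph=True` -> ignore the token's groups and always query Graph.

The Graph call is injected as a callable so the module runs offline.
"""
from typing import Callable, Iterable, Optional

GROUPS_CLAIM = "groups"  # same value as the GROUPS_CLAIM setting in the thread

# A fetcher receives the endpoint from the token (None when the token had none)
# and returns group identifiers. A real one would call Graph with an OBO token.
GraphFetcher = Callable[[Optional[str]], Iterable[str]]


def overage_endpoint(claims: dict, groups_claim: str = GROUPS_CLAIM) -> Optional[str]:
    """Return the Graph endpoint Entra placed in the token for an overaged claim, or None."""
    source_key = claims.get("_claim_names", {}).get(groups_claim)
    if source_key is None:
        return None
    source = claims.get("_claim_sources", {}).get(source_key, {})
    return source.get("endpoint")


def resolve_groups(
    claims: dict,
    fetch_from_graph: GraphFetcher,
    groups_claim: str = GROUPS_CLAIM,
    always_use_graph: bool = False,
) -> list:
    """Return the user's group identifiers as a sorted, de-duplicated list.

    Raises ValueError when the token advertises an overage but names no
    endpoint: with MIRROR_GROUPS enabled, silently returning [] would strip
    every membership from the Django user, which is the failure to avoid.
    """
    endpoint = overage_endpoint(claims, groups_claim)

    if always_use_graph:
        return sorted(set(fetch_from_graph(endpoint)))

    if groups_claim in claims:
        return sorted(set(claims[groups_claim]))

    if groups_claim in claims.get("_claim_names", {}):
        if not endpoint:
            raise ValueError(
                "token marks %r as overaged but gives no _claim_sources endpoint" % groups_claim
            )
        return sorted(set(fetch_from_graph(endpoint)))

    return []


# --- constructed sample claim sets (decoded tokens, not real ones) ------------

TOKEN_WITH_GROUPS = {
    "upn": "alice@example.invalid",
    "groups": ["g-readers", "g-writers", "g-readers"],  # duplicate on purpose
}

# Shape Entra uses instead of `groups` once the overage limit is exceeded.
# The endpoint value is a constructed placeholder; use whatever the token carries.
TOKEN_WITH_OVERAGE = {
    "upn": "bob@example.invalid",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {
        "src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/USER-ID-PLACEHOLDER/getMemberObjects"}
    },
}

TOKEN_WITHOUT_ANY = {"upn": "carol@example.invalid"}


def fake_graph(endpoint: Optional[str]) -> list:
    """Stand-in for the Graph call; simulates the 200-group user from the report."""
    return ["g-%03d" % i for i in range(200)]


if __name__ == "__main__":
    print(resolve_groups(TOKEN_WITH_GROUPS, fake_graph))                       # ['g-readers', 'g-writers']
    print(len(resolve_groups(TOKEN_WITH_OVERAGE, fake_graph)))                 # 200
    print(len(resolve_groups(TOKEN_WITH_GROUPS, fake_graph, always_use_graph=True)))  # 200
```

The `always_use_graph` branch is the behaviour the reporter asks for; the ValueError on a half-formed overage token is the check worth keeping, since a configuration that quietly yields zero groups combined with `MIRROR_GROUPS: True` removes access rather than merely failing to grant it.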
