
optional claims in Azure Auth

Open mintminttea opened this issue 4 years ago • 4 comments

Question

Hi, I want to know whether Pode is able to receive the optional claims information that was set in Azure AD. If yes, how do I do it? I tried to add some optional claims, but I still only see the name, given name and email. https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

mintminttea avatar Jul 13 '21 07:07 mintminttea

Hey @mintminttea,

I assume you're using Pode's inbuilt Azure AD authentication?

In which case the access token that Azure AD returns is also passed to the scriptblock for Add-PodeAuth:

$scheme = New-PodeAuthAzureADScheme -ClientID '<clientId>' -ClientSecret '<clientSecret>' -Tenant '<tenant>'

$scheme | Add-PodeAuth -Name 'Login' -FailureUrl '/login' -SuccessUrl '/' -ScriptBlock {
    param($user, $accessToken, $refreshToken)

    # check if the user is valid

    return @{ User = $user }
}

The $accessToken will be a valid JWT, so passing it into the following function will return back a JSON object with the claims:

function ConvertFrom-Jwt
{
    param(
        [Parameter(Mandatory=$true)]
        [string]
        $Value
    )

    $Value = ($Value -isplit '\.')[1]

    # map chars
    $Value = ($Value -ireplace '-', '+')
    $Value = ($Value -ireplace '_', '/')

    # add padding
    switch ($Value.Length % 4) {
        1 { $Value = $Value.Substring(0, $Value.Length - 1) }
        2 { $Value += '==' }
        3 { $Value += '=' }
    }

    # convert base64 to string
    try {
        $Value = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Value))
    }
    catch {
        throw "Invalid Base64 encoded value found in JWT"
    }

    # return json
    try {
        return ($Value | ConvertFrom-Json)
    }
    catch {
        throw "Invalid JSON value found in JWT"
    }
}

I'm not in a position to verify it just at the moment, but it should return what you're after; if so, I'll have to expose Pode's private JWT converter function.

Badgerati avatar Jul 13 '21 18:07 Badgerati

Hi @Badgerati, I can see there is additional information inside the access token (but not all of it, or the optional ones I added in the Azure portal; possibly just due to my limited knowledge). Would it be good to put this information inside $WebEvent?

mintminttea avatar Jul 14 '21 06:07 mintminttea

I'm not overly familiar with the setup for Azure AD and claims myself, but some people seem to have the same issue with optional claims not being in the access token:

  • https://stackoverflow.com/questions/57891682/optional-claims-in-access-token-of-azure-missing-for-in-corp-vnet-etc
  • https://social.msdn.microsoft.com/Forums/azure/en-US/3e5114b6-24d6-4c60-b72b-b4c90baeecac/access-token-missing-optional-claims-that-are-schema-extensions-implicit-grant-flow
  • https://social.msdn.microsoft.com/Forums/azure/en-US/4263a894-aac8-49a8-bdd9-252483613c80/missing-role-claims-in-issues-jwt-token

^ perhaps one of these might help? The claims according to Azure's documentation should be in the access token. The top link does also suggest that if you're using AD Sync then the claims might not work properly.

Badgerati avatar Jul 14 '21 08:07 Badgerati

Not quite sure; I was trying to obtain the groups claim, which is supposed to have a value there. I will further check some user account optional claims to make sure they contain values first, and then see whether they are contained in the token.

mintminttea avatar Jul 14 '21 09:07 mintminttea
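The following is an added example, not code from Pode or from anyone in this thread. It puts together the pieces discussed above: the access token handed to the Add-PodeAuth scriptblock is decoded with the ConvertFrom-Jwt function from the reply above (assumed to be loaded in the session before Start-PodeServer runs), the expected optional claim (`groups`) is checked explicitly so a missing claim fails the login instead of silently becoming `$null`, and the decoded claims are returned as part of the user object so routes can read them from `$WebEvent.Auth.User`. The function name Get-TokenClaims, the `Profile`/`Claims` keys on the user object, the endpoint, and the placeholder credentials are this example's own choices.

```powershell
# Added example (not Pode's own code). Assumes the ConvertFrom-Jwt function from
# the reply above is already defined in this session; Get-TokenClaims and the
# 'Profile'/'Claims' keys on the user object are this example's own names.

Import-Module Pode

function Get-TokenClaims {
    param(
        [Parameter(Mandatory=$true)]
        [string]
        $AccessToken,

        # optional claims you configured in Azure AD and expect to see, e.g. 'groups'
        [string[]]
        $Required = @()
    )

    # ConvertFrom-Jwt only base64url-decodes the payload; it does not check the
    # signature. That is acceptable here because Pode fetched this token itself
    # from the Azure AD token endpoint over TLS. Do not use it to trust a token a
    # client sent you: validate signature, issuer, audience and expiry first.
    $claims  = ConvertFrom-Jwt -Value $AccessToken
    $present = @($claims.PSObject.Properties.Name)

    # Optional claims are configured per token type in Azure AD (ID token vs
    # access token); a claim enabled only for the ID token shows up here as
    # missing. Report the gap rather than letting a $null slip through later.
    $missing = @($Required | Where-Object { $present -notcontains $_ })

    # Known Azure AD behaviour: when a user is in too many groups, 'groups' is
    # omitted and '_claim_names'/'_claim_sources' are emitted instead (the
    # "groups overage" case); the groups must then be read from Microsoft Graph.
    $overage = ($present -contains '_claim_names') -and ($null -ne $claims._claim_names.groups)

    return @{
        Claims        = $claims
        Missing       = $missing
        GroupsOverage = $overage
    }
}

Start-PodeServer {
    Add-PodeEndpoint -Address localhost -Port 8080 -Protocol Http

    # the OAuth2-based Azure AD scheme keeps its state in the session
    Enable-PodeSessionMiddleware -Duration 120 -Extend

    $scheme = New-PodeAuthAzureADScheme -ClientID '<clientId>' -ClientSecret '<clientSecret>' -Tenant '<tenant>'

    $scheme | Add-PodeAuth -Name 'Login' -FailureUrl '/login' -SuccessUrl '/' -ScriptBlock {
        param($user, $accessToken, $refreshToken)

        $result = Get-TokenClaims -AccessToken $accessToken -Required @('groups')

        if ($result.GroupsOverage) {
            # returning a Message (and no User) makes Pode treat the login as failed
            return @{ Message = 'Too many groups to fit in the token; look them up via Microsoft Graph instead' }
        }

        if ($result.Missing.Count -gt 0) {
            # the failure mode from this thread: the optional claim never arrived
            return @{ Message = "Access token is missing claims: $($result.Missing -join ', ')" }
        }

        # Wrap Pode's user object together with the decoded claims; whatever is
        # returned under User is later available to routes as $WebEvent.Auth.User.
        return @{
            User = @{
                Profile = $user
                Claims  = $result.Claims
            }
        }
    }

    # a route that reads the claims back from the authenticated user
    Add-PodeRoute -Method Get -Path '/' -Authentication 'Login' -ScriptBlock {
        Write-PodeJsonResponse -Value @{
            Name   = $WebEvent.Auth.User.Profile.Name
            Groups = @($WebEvent.Auth.User.Claims.groups)
        }
    }
}
```

Define ConvertFrom-Jwt and Get-TokenClaims in the same script before Start-PodeServer so Pode can import them into its runspaces. The scriptblock deliberately denies the login when the expected claim is absent; if the groups claim still does not appear, check in the Azure portal's token configuration that the claim is enabled for the access token and not only for the ID token.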