Reputation: 779
I've created an application in Azure AD from a manifest with several appRoles
inside it, and I can assign users to these roles. After a user completes the single sign-on and returns to my application, I then request a JSON Web Token from their login. The problem is, there are no assigned roles listed in the token I get back from Azure, as it would suggest there are supposed to be here.
Is there a configuration option I'm missing or is there an alternate way to find out their assigned role through the Azure Graph API?
Update:
After specifying the resource as the App ID URI when requesting the authorisation URL, I've managed to get a little further.
I'm now getting back the following error (in the return URL):
"The signed in user '<user email>' is not assigned to a role for the application '<app client id>'."
The user has definitely been assigned a role in the Azure AD control panel for the app, and the app client id in the error message matches the app's client id exactly.
[screenshot: Application config]
[screenshot: User assigned a role]
[screenshot: Error message after logging in and returning to app]
Upvotes: 5
Views: 410
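Before changing the app registration it helps to look at what the returned token actually carries. The Python snippet below is an added example, not code from the question or from any of the answers: it decodes the payload of a compact JWT without verifying the signature (for inspection only; a real app must validate the signature against the tenant's published keys before trusting any claim), checks that the audience is this app's client id, and maps the token's "roles" claim onto the manifest's appRoles values. A missing "roles" claim, which is the situation described in the question, resolves to an empty list rather than an error, so the app denies access instead of crashing. The APP_ROLES block, the CLIENT_ID string and the tokens built by make_unsigned_token are constructed placeholders, not values from the question. The audience check assumes the token's "aud" is the client id, as it is for an ID token; for an access token requested with the App ID URI as the resource, "aud" is that URI instead and the comparison value would have to change accordingly.

```python
import base64
import json

# Constructed sample of the manifest's appRoles block (placeholder ids).
# "value" is the string that appears in the token's "roles" claim.
APP_ROLES = [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "Admin",
     "displayName": "Administrator", "isEnabled": True},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "Reader",
     "displayName": "Read-only user", "isEnabled": True},
]

CLIENT_ID = "app client id"  # placeholder, as in the question


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying the signature.
    Inspection only: never make an authorization decision on an unverified token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three segments)")
    return json.loads(_b64url_decode(parts[1]))


def resolve_app_roles(claims: dict, client_id: str, app_roles=APP_ROLES) -> list:
    """Map the token's 'roles' claim onto the manifest's enabled appRoles.

    Returns the display names of the roles the user holds. An empty list means
    no recognised role, which includes the case where the 'roles' claim is
    absent altogether. Raises if the token was issued for a different audience,
    because roles in someone else's token mean nothing for this app."""
    if claims.get("aud") != client_id:
        raise ValueError(f"token audience {claims.get('aud')!r} is not this app")
    by_value = {r["value"]: r for r in app_roles if r.get("isEnabled", True)}
    granted = claims.get("roles") or []  # missing claim -> no roles, not a crash
    return [by_value[v]["displayName"] for v in granted if v in by_value]


def make_unsigned_token(payload: dict) -> str:
    # Test helper only: builds a token with an empty signature segment so the
    # decoder can be exercised offline. Real Azure AD tokens are always signed.
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    # Token as the question reports it: correct audience, no "roles" claim at all.
    no_roles = make_unsigned_token({"aud": CLIENT_ID, "upn": "user@example.com"})
    print(resolve_app_roles(decode_claims(no_roles), CLIENT_ID))  # []
    # Token once the assignment is reflected; unknown values are ignored.
    with_roles = make_unsigned_token({"aud": CLIENT_ID, "roles": ["Admin", "Stale"]})
    print(resolve_app_roles(decode_claims(with_roles), CLIENT_ID))  # ['Administrator']
```

The role values are looked up only among roles the manifest marks isEnabled, and a value in the token that no longer exists in the manifest is silently dropped rather than granted, so a stale assignment cannot confer access.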
Reputation: 779
Probably not the answer people want to hear if they're coming across this thread looking for a solution to the issue, but we switched from using OAuth to SAML and we now successfully get app roles in the SAML response.
I can only assume the OAuth implementation of app roles on Azure AD is completely broken because we changed nothing except switching to SAML.
Upvotes: 1
Reputation: 793
The C# code below can query the users assigned to your application using the AppRoleAssignedTo
property. I am not familiar with PHP, but I believe it has a similar method. The ActiveDirectoryClient class comes from the Active Directory Graph Client Library.
using System;
using System.Linq;
using Microsoft.Azure.ActiveDirectory.GraphClient;
// activeDirectoryClient is an ActiveDirectoryClient already authenticated against the tenant; AppRoleAssignedTo lists the users and groups assigned to the app's roles
var servicePrincipals = activeDirectoryClient.ServicePrincipals.Where(sp => sp.AppId.Equals("app client id"))
    .ExecuteAsync().Result.CurrentPage.ToList();
var servicePrincipal = servicePrincipals.FirstOrDefault()
    ?? throw new InvalidOperationException("No service principal found for that client id");
var userAssignments = (servicePrincipal as IServicePrincipalFetcher).AppRoleAssignedTo
    .ExecuteAsync().Result.CurrentPage.ToList();
foreach (IAppRoleAssignment assignedUser in userAssignments)
{
    Console.WriteLine("UserId: {0} Name: {1} ObjectType: {2}", assignedUser.PrincipalId, assignedUser.PrincipalDisplayName, assignedUser.ObjectType);
}
Upvotes: 0
Reputation: 1207
@Phlip, could you please try to set your application's permissions using PowerShell?
# 1. Download the Azure AD (MSOnline) PowerShell module and sign in with your AD user
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred
# 2. Get the service principal of the application by its client id
$ClientIdWebApp = '5b597c35-**-**-ad05-***'
$webApp = Get-MsolServicePrincipal -AppPrincipalId $ClientIdWebApp
# 3. Use Add-MsolRoleMember to add it to the "Company Administrator" role
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
For more information, please refer to this page: https://msdn.microsoft.com/en-us/library/azure/dn919663.aspx and use this method to add a member to a role:
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "[email protected]"
Any updates or results, please let me know.
Upvotes: 1