Reputation: 79
Azure AD - Check for security group membership - (Node.js, passport, Azure Web App)
We are trying to set up an authentication/authorization-process with the following requirements:
- Authentication: Done by Azure AD.
- Authorization: Only members of a specific security groups should be allowed to access the app.
While the authentication part seems to work without problems, we are stuck at the authorization part. We are using Express and Passport.
Azure AD some tokens to req.headers, e.g.
- x-ms-token-aad-access-token
- x-ms-token-aad-refresh-token
- x-ms-token-aad-id-token
We are currently using the id-token together with the passport-azure-ad BearerStrategy to check the security groups of the user against the allowed security groups.
The problem is: As soon as the id-token expires, the application won't let us access the app. Assuming setting {session: true} in passport could solve this issue, we enabled the session, but no luck.
Doing some more research I found this post: How to refresh an ID Token from Azure AD in a Web App?, which states that only access-tokens can be refreshed, but ID tokens cannot and should not.
Examining the x-ms-token-aad-access-token and the x-ms-token-aad-refresh-token, we found that they don't have the JWT-structure, e.g
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1THdqcHdBSk9NOW4tQSJ9.eyJhdWQiOiJodHRwczovL3NlcnZpY2UuY29udG9zby5jb20vIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvN2ZlODE0NDctZGE1Ny00Mzg1LWJlY2ItNmRlNTdmMjE0NzdlLyIsImlhdCI6MTM4ODQ0MDg2MywibmJmIjoxMzg4NDQwODYzLCJleHAiOjEzODg0NDQ3NjMsInZlciI6IjEuMCIsInRpZCI6IjdmZTgxNDQ3LWRhNTctNDM4NS1iZWNiLTZkZTU3ZjIxNDc3ZSIsIm9pZCI6IjY4Mzg5YWUyLTYyZmEtNGIxOC05MWZlLTUzZGQxMDlkNzRmNSIsInVwbiI6ImZyYW5rbUBjb250b3NvLmNvbSIsInVuaXF1ZV9uYW1lIjoiZnJhbmttQGNvbnRvc28uY29tIiwic3ViIjoiZGVOcUlqOUlPRTlQV0pXYkhzZnRYdDJFYWJQVmwwQ2o4UUFtZWZSTFY5OCIsImZhbWlseV9uYW1lIjoiTWlsbGVyIiwiZ2l2ZW5fbmFtZSI6IkZyYW5rIiwiYXBwaWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctODkwYS0yNzRhNzJhNzMwOWUiLCJhcHBpZGFjciI6IjAiLCJzY3AiOiJ1c2VyX2ltcGVyc29uYXRpb24iLCJhY3IiOiIxIn0.JZw8jC0gptZxVC-7l5sFkdnJgP3_tRjeQEPgUn28XctVe3QqmheLZw7QVZDPCyGycDWBaqy7FLpSekET_BftDkewRhyHk9FW_KeEz0ch2c3i08NGNDbr6XYGVayNuSesYk5Aw_p3ICRlUV1bqEwk-Jkzs9EEkQg4hbefqJS6yS1HoV_2EsEhpd_wCQpxK89WPs3hLYZETRJtG5kvCCEOvSHXmDE6eTHGTnEgsIk--UlPe275Dvou4gEAwLofhLDQbMSjnlV5VLsjimNBVcSRFShoxmQwBJR_b2011Y5IuD6St5zPnzruBbZYkGNurQK63TJPWmRd3mbJsGM0mf3CUQ
They don't contain any dots and thus don't pass the JWT-verification.
Resulting in the following question:
- What is the correct way to check security groups of a user against specified allowed security groups?
Upvotes: 4
Views: 3876
Answers (2)
Reputation: 2105
You can do it through passport in one call, you do not need to do extra calls to other api layers, as seams to be suggested in multiple posts online. Using the v2 endpoint and defining a scope you can choose what you have access to and what you receive back in the token. Some options, including security group do require you to modify the manifest, see below.
In your Azure Active Directory go to the App registration you are using the authenticate users. In the manifest for that app registration change the groupMembershipClaims from null to "SecurityGroup" or "All" if want to include office groups etc.
{
"id": "some-id",
"accessTokenAcceptedVersion": null,
"allowPublicClient": false,
"appId": "some-id",
"appRoles": [],
"oauth2AllowUrlPathMatching": false,
"createdDateTime": "2018-11-15T17:49:23Z",
"groupMembershipClaims": "SecurityGroup",
"identifierUris": [ ...............
It then populates the Groups field with an array of the groups using their Object ID.
So you can get the array at req.user._json.groups
if (req.user._json.groups.indexOf('some-group-Object-ID') > -1) {
//In Group
} else {
//Not in Group
}
Upvotes: 9
Reputation: 27538
Apart from checking group claims in ID token , you could also call microsoft graph api to get the groups that the user is a direct member of :
POST https://graph.microsoft.com/beta/me/getMemberGroups
Content-type: application/json
Content-length: 33
{
"securityEnabledOnly": true
}
Or using Auzre AD Graph api :
POST https://graph.windows.net/myorganization/{resource_collection}/{resource_id}/getMemberGroups?api-version
Content-Type: application/json
{
"securityEnabledOnly": false
}
For how an App Service Web, Mobile, or API app can be configured to call the Azure Active Directory Graph API on behalf of the logged-in user. You could refer to below document which show detail steps:
https://cgillum.tech/2016/03/25/app-service-auth-aad-graph-api/
After authentication, access token can be fetched directly from a built-in request header (x-ms-token-aad-access-token) and you could make a http request to call graph api to get the group information .
Upvotes: 3
Related Questions
- NodeJS authentication problem with Active Directory B2C using passport.js
- Access to azure web-app using passport-azure-ad-oauth2
- Having trouble getting Azure AD user's groups
- Verify access_token provided by Azure Active Directory OAuth provider in Node.js
- Node Passport-azure-ad error: "unknown authentication strategy "oauth-bearer""
- Group authorization using Azure AD ADAL.JS - NodeJS, ReactJS
- Azure Active Directory Delegated Nodejs App
- passport-azure-ad, validation of tokens
- Check if user exists in specific On Prem AD Security Group in Azure
- node active directory authenticate and group membership