Azure Active Directory Group Claim #599

chris468 · 2021-06-07T23:03:05Z

chris468
Jun 7, 2021

With Azure Active Directory groups will be returned as a distributed claim when it is too long. When that happens, authorization based on the groups claim doesn't work. I believe mod_auth_openidc is checking for distributed claims returned from the UserInfo endpoint, but not in the id_token. And it doesn't look like AAD can be configured to return the groups claim from UserInfo.

Is there a reason mod_auth_openidc doesn't check the id_token for distributed claims? Or is there something else I'm missing?

Thanks

Answered by zandbelt

Jun 8, 2021

right, there's no good reason for not doing that, just an omission...

View full answer

zandbelt · 2021-06-08T06:33:02Z

zandbelt
Jun 8, 2021
Maintainer

right, there's no good reason for not doing that, just an omission...

1 reply

chris468 Jun 8, 2021
Author

Thanks for confirming. I started prototyping a fix here, but probably won't get back to it for a few weeks. It's not working yet - for AAD I think it needs to handle claim sources that don't specify access tokens.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Azure Active Directory Group Claim #599

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Azure Active Directory Group Claim #599

chris468 Jun 7, 2021

Replies: 1 comment · 1 reply

zandbelt Jun 8, 2021 Maintainer

chris468 Jun 8, 2021 Author

chris468
Jun 7, 2021

Replies: 1 comment 1 reply

zandbelt
Jun 8, 2021
Maintainer

chris468 Jun 8, 2021
Author