az ad app update for app roles erases saml2Token optional claims
Describe the bug
I have application manifest that has optional claims that look like this:
{
"optionalClaims": {
"idToken": [],
"accessToken": [],
"saml2Token": [
{
"name": "groups",
"source": null,
"essential": false,
"additionalProperties": ["sam_account_name"]
}
]
}
}
As far as I understood from other open issues, az-cli doesn't support updating saml2Token.
However, when I update application roles (without doing anything to optional claims), saml2Token
gets erased:
{
"optionalClaims": {
"idToken": [],
"accessToken": [],
"saml2Token": []
}
}
To Reproduce
1. Put something in optionalClaims.saml2Token
2. az ad app update --id <id> --app-roles @manifest.json
3. Verify that optionalClaims.saml2Token is empty now
Expected behavior
Well, changes in roles are applied, and other fields shouldn't be touched.
Issue Analytics
- Created 3 years ago
- Comments: 6 (3 by maintainers)
I got your concern. This is definitely something that should be fixed. However, the reason is complicated (shown below).
As AD Graph API is already deprecated, we are not actively maintaining the REST spec anymore. az rest should be the right path.
Too long; don't read
If you are interested, the code (introduced by #9616) is actually at
https://github.com/Azure/azure-cli/blob/74ea23bc805d57e3cf68cc9a4396141975acb580/src/azure-cli/azure/cli/command_modules/role/custom.py#L1037-L1043
which copies all existing properties into ApplicationUpdateParameters so that az ad app update complies with generic update, otherwise --remove will error out due to a non-existing attribute. saml2Token will be saved in additional_properties of the parent optional_claims attribute. However, as the SDK doesn't define additional_properties for OptionalClaims like RequiredResourceAccess does,
OptionalClaims:
RequiredResourceAccess:
saml2Token gets lost during serialization, therefore also lost when the application is patched back:
Possible Solutions
The REST spec of OptionalClaims should define either:
- saml2Token
- additional_properties
so that saml2Token can be preserved during az ad app update.
@jiasli I see. I personally expected it to do something like a patch operation on appRoles only, without touching other parts of the manifest.
For now I've been doing a workaround like this:
az rest --method PATCH --uri https://graph.microsoft.com/v1.0/applications/{object_id} --headers Content-Type=application/json --body {"appRoles": {...}}
and it works fine. It changes only appRoles in the manifest, without changing anything else.
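The mechanism jiasli describes (a full copy of the application pushed through a model that has no additional_properties slot) and the reporter's targeted-PATCH workaround can both be shown in one small in-memory reproduction. This is an added illustration, not azure-cli or Azure SDK code: the two model classes, deserialize() and serialize() are a simplified stand-in for the msrest round trip, patch() stands in for the Graph PATCH, and APP and NEW_ROLES are constructed sample data with a placeholder GUID.

```python
"""Toy reproduction: why a copy-everything generic update drops saml2Token when the
OptionalClaims model has no additional_properties bag, and why a PATCH that sends
only appRoles leaves optionalClaims untouched.

Added illustration, not azure-cli or Azure SDK code. The models, deserialize(),
serialize() and patch() are simplified stand-ins; APP and NEW_ROLES are constructed.
"""
import copy

# Constructed manifest, as a GET would return it: saml2Token is populated.
APP = {
    "appRoles": [],
    "optionalClaims": {
        "idToken": [],
        "accessToken": [],
        "saml2Token": [
            {
                "name": "groups",
                "source": None,
                "essential": False,
                "additionalProperties": ["sam_account_name"],
            }
        ],
    },
}

# Constructed app role the update is meant to add (the GUID is a placeholder).
NEW_ROLES = [
    {
        "allowedMemberTypes": ["User"],
        "displayName": "Reader",
        "id": "00000000-0000-0000-0000-000000000001",
        "isEnabled": True,
        "value": "Reader",
    }
]


class OptionalClaimsStrict:
    """Declares idToken and accessToken only and has no additional_properties bag,
    so any other key is discarded on deserialization (the failing case)."""
    _attribute_map = {"idToken": "id_token", "accessToken": "access_token"}
    keeps_unknown_keys = False


class OptionalClaimsWithExtras(OptionalClaimsStrict):
    """Same declared attributes, but unknown keys are kept in additional_properties,
    the way the thread says RequiredResourceAccess keeps them."""
    keeps_unknown_keys = True


def deserialize(cls, data):
    """JSON -> model. Declared keys become attributes; undeclared keys survive only
    when the class keeps them in additional_properties."""
    obj = cls()
    for key, attr in cls._attribute_map.items():
        setattr(obj, attr, copy.deepcopy(data.get(key)))
    extras = {k: v for k, v in data.items() if k not in cls._attribute_map}
    obj.additional_properties = copy.deepcopy(extras) if cls.keeps_unknown_keys else {}
    return obj


def serialize(obj):
    """Model -> JSON. Only declared attributes plus additional_properties are emitted."""
    out = {key: getattr(obj, attr) for key, attr in obj._attribute_map.items()}
    out.update(obj.additional_properties)
    return out


def build_generic_update_body(app, new_roles, claims_cls):
    """Emulates `az ad app update --app-roles`: every existing property is copied into
    the update parameters (so --set/--remove can address them), appRoles is replaced,
    and optionalClaims goes through the model round trip before being sent back."""
    body = copy.deepcopy(app)
    body["appRoles"] = new_roles
    body["optionalClaims"] = serialize(deserialize(claims_cls, app["optionalClaims"]))
    return body


def patch(app, body):
    """In-memory stand-in for PATCH: each top-level property present in the body
    replaces the stored one; properties absent from the body are left alone."""
    result = copy.deepcopy(app)
    result.update(copy.deepcopy(body))
    return result


def saml2_claims_after(body, app=APP):
    """Apply an update body and report what is left in optionalClaims.saml2Token."""
    return patch(app, body)["optionalClaims"].get("saml2Token", [])


if __name__ == "__main__":
    wiped = saml2_claims_after(build_generic_update_body(APP, NEW_ROLES, OptionalClaimsStrict))
    kept = saml2_claims_after(build_generic_update_body(APP, NEW_ROLES, OptionalClaimsWithExtras))
    targeted = saml2_claims_after({"appRoles": NEW_ROLES})
    print("strict model  :", wiped)     # [] -> claim erased, as in the issue
    print("extras model  :", kept)      # original groups claim survives
    print("targeted PATCH:", targeted)  # optionalClaims never sent, so untouched
```

The practical check after any `az ad app update` on a real tenant is the same as the last case here: read the application back and compare optionalClaims.saml2Token with what you had before. The `az rest` PATCH in the thread avoids the problem by construction, because the request body never contains optionalClaims at all.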