Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Obtain Application roles from idToken

See original GitHub issue

I’m submitting a…


[ ] Regression (a behavior that used to work and stopped working in a new release)
[ ] Bug report  
[ ] Performance issue
[ ] Feature request
[x] Documentation issue or request
[ ] Other... Please describe:

Browser:

Chrome version 75
Firefox version XX
IE version XX
Edge version 76
Safari version XX

Library version


Library version: 1.0.2

Current behavior

Once SSO is successful I know who the user is but not which roles he has assigned.

Expected behavior

Once the SSO is successful I would expect to be able to get user roles from the idToken in order to restrict parts of the applications or actions to admin users only.

Minimal reproduction of the problem with instructions

I created an example in codesandbox.io: https://codesandbox.io/s/vue-template-evqjg The code is also checked in at https://github.com/RecuencoJones/Vue-Azure-SSO-example

Previous steps to setup Azure AD

Create an Azure AD directory.
Create an App Registration on Azure AD.
On Advanced settings, check both Access tokens and ID tokens for Implicit grant.

Edit following manifest fields:

  "accessTokenAcceptedVersion": 2,
  "appRoles": [
    {
      "allowedMemberTypes": [
        "User",
        "Application"
      ],
      "description": "Admin user for the application",
      "displayName": "Administrator",
      "id": "ccf2cb33-c1d2-4101-a1e8-b88e1d3806b2",
      "isEnabled": true,
      "lang": null,
      "origin": "Application",
      "value": "AdminUser"
    },
    {
      "allowedMemberTypes": [
        "User",
        "Application"
      ],
      "description": "Common user for the application",
      "displayName": "User",
      "id": "2ca47286-7be9-47b8-9c76-1369b3021506",
      "isEnabled": true,
      "lang": null,
      "origin": "Application",
      "value": "RegularUser"
    }
  ],
  "groupMembershipClaims": "All",
  "oauth2AllowIdTokenImplicitFlow": true,
  "oauth2AllowImplicitFlow": true,
  "signInAudience": "AzureADandPersonalMicrosoftAccount",

Create an Enterprise Application bound to previous App Registration
Add your user to the Enterprise Application and assign Admin role.

Test:

Fork the sandbox https://codesandbox.io/s/vue-template-evqjg
Update App registration Redirect URIs to add https://<sandbox-id>.codesandbox.io as Web type.
Copy Application Client ID from App registration and replace the value of clientId in config/auth.js with it.
Open the live preview in a new tab (codesandbox does not allow redirect within their embedded preview).
Attempt to SSO.
Check developer console for Account object and browse idToken entry.
No claims related to roles can be found.

Issue Analytics

State:
Created 4 years ago
Comments:10 (5 by maintainers)

Top GitHub Comments

1reaction

RecuencoJonescommented, Jul 22, 2019

On another hand (maybe should create another issue for this one?) once the auth.loginRedirect() returns with success I’m able to access auth.getAccount().idToken – decoded already.

Would it be possible to also add the property rawIdToken to it without having to use auth.acquireTokenSilent() and/or auth.acquireTokenRedirect()?

0reactions

sameeragcommented, Oct 23, 2019

Closing this. Please open a new issue if there are further questions.