Add support for Group Membership with Azure AD and other IdPs
Description 📓
Hello,
Currently using the AzureAD authentication provider and it works as expected. I wanted to make a feature request / pull request, as I see ‘group membership’ is included in the profile being returned:
here is azure ad profile22 {
  clientId: 'f8d59e1a-e8b6-4467-ad1e-b7a24d661db1',
  clientSecret: 'p6J7Q~jkNAFhmvetjTsFdzPqaCV6r~5ym~YjU',
  tenantId: '7cefaccc-3411-42c4-a9db-ac12d2987f1a',
  includeGroups: true
} {
  aud: 'f8d59e1a-e8b6-4467-ad1e-b7a24d661db1',
  iss: 'https://login.microsoftonline.com/7cefaccc-3411-42c4-a9db-ac12d2987f1a/v2.0',
  iat: 1653149605,
  nbf: 1653149605,
  exp: 1653153505,
  email: '<userName>@example.com',
  groups: [
    '5eb1e26f-53de-466b-b8a8-3a8bf0e5392e',
    '865b080b-65a4-4d9f-bb99-ecf9d10d8aa4',
    '49035a1a-50eb-47c1-9156-f8224c191442',
    'cd1915a4-4c0c-45fb-abfa-45eacf11752d'
  ],
  name: 'FirstName LastName',
  oid: 'dce917c9-a4b9-46a6-8bde-96e1f14cb7c9',
  preferred_username: '<userName>@example.com',
  rh: '0.ARMAzKzvfBE0xEKp26wS0ph_Ghqe1fi26GdErR63ok1mHbETALQ.',
  sub: 'xF1uIcD8fQn0Xn4_aKB7ZpCk06rQ3ZviF8_QYoeA9o8',
  tid: '7cefaccc-3411-42c4-a9db-ac12d2987f1a',
  uti: 'QI3lDlT3k0qqBMH53s11AA',
  ver: '2.0'
}
Trying to return this into the session does not seem to be working:
// return value of the provider's `profile` callback
return {
  id: profile.sub,
  name: profile.name,
  email: profile.email,
  groups: profile.groups
};
It would be good if we can create a flag on the options that is being set for this provider (and others that are directory services) to be able to get group membership. When writing enterprise applications the group membership is key as most permissions are segregated by group access.
Unfortunately, setting ‘profile.groups’ does not allow me to gain access to the groups from the client side.
many thanks!
-Jonathan
How to reproduce ☕️
Add ‘profile.groups’ as an option to be returnable via the AzureAD provider.
Contributing 🙌🏽
Yes, I am willing to help implement this feature in a PR
Issue Analytics
- Created a year ago
- Comments: 7 (4 by maintainers)
You should be getting the whole object in the `jwt` callback (https://next-auth.js.org/configuration/callbacks#jwt-callback) and can easily persist `groups` there. `profile` is usually only needed if you use a database adapter. The `signIn` callback should not be used to mutate the user. It is a method. This causes confusion, and I would like to rename this method in the next major release to something like `authorized`, to align with `next-auth/middleware`: https://next-auth.js.org/configuration/nextjs#callbacks

I haven’t used Azure AD yet but it seems like you need to add the `groups` claim (cc @ndom91 via #2818). See: https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#payload-claims