Processing of claim mappings

Wondering how best to handle a situation where the claim data needs to be transformed into something useable. By default, Microsoft AD sends Object GUIDs (UUIDs) as base64 encoded strings in little-endian byte order.

In this example, this was the only place for us to convert / transform that GUID into something usable.

import base64
import uuid

from django_auth_adfs.backend import AdfsAccessTokenBackend


class CustomAdfsAccessTokenBackend(AdfsAccessTokenBackend):
    def validate_access_token(self, access_token):
        claims = super().validate_access_token(access_token=access_token)

        # Transform base64 objectGUID to a legit UUID
        # .get() avoids a KeyError when the token carries no objectGUID claim
        if claims.get('objectGUID'):
            claims['objectGUID'] = uuid.UUID(bytes_le=base64.b64decode(claims['objectGUID']))

        return claims

This needs to be transformed / converted before create_user as it’s needed by a custom create_user method.

One idea is to allow a person to set a callable on the mappings:

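import base64
import uuid

def transform_objectguid(value):
    # AD sends the GUID base64 encoded in little-endian byte order
    return uuid.UUID(bytes_le=base64.b64decode(value))

# Proposed syntax: a mapping entry may be a dict with a 'transform' callable
AUTH_ADFS = {
    'CLAIM_MAPPING': {
        'first_name': 'FirstName',
        'last_name': 'LastName',
        'email': 'Email',
        'phone_number': 'TelephoneNumber',
        'ad_object_guid': {
            'name': 'objectGUID',
            'transform': transform_objectguid,
        },
    },
}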

Another idea is a post_validate_access_token_hook:

import base64
import uuid

def post_validate_access_token(claims):
    # Transform base64 objectGUID to real UUID
    # (.get() avoids a KeyError when the claim is absent)
    if claims.get('objectGUID'):
        claims['objectGUID'] = uuid.UUID(bytes_le=base64.b64decode(claims['objectGUID']))

    return claims

# Proposed syntax: a hook that receives the validated claims dict
AUTH_ADFS = {
    'CLAIM_MAPPING': {
        'first_name': 'FirstName',
        'last_name': 'LastName',
        'email': 'Email',
        'phone_number': 'TelephoneNumber',
        'ad_object_guid': 'objectGUID',
    },
    'POST_VALIDATE_ACCESS_TOKEN_FUNCTION': post_validate_access_token,  # or 'dot.path.to.function' takes claims dict
}
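
The callable-on-mapping idea above, sketched as an added example that is not part of the original issue or of django-auth-adfs. `apply_claim_mapping` and the sample claims are hypothetical, and the transform rejects malformed input instead of passing it to `uuid.UUID`.

```python
import base64
import binascii
import uuid


def transform_objectguid(value):
    """Decode AD's base64, little-endian objectGUID claim into a uuid.UUID."""
    try:
        raw = base64.b64decode(value, validate=True)  # reject non-base64 characters
    except (binascii.Error, TypeError, ValueError) as exc:
        raise ValueError("objectGUID claim is not valid base64") from exc
    if len(raw) != 16:
        raise ValueError("objectGUID must decode to 16 bytes, got %d" % len(raw))
    return uuid.UUID(bytes_le=raw)


def apply_claim_mapping(claims, mapping):
    """Hypothetical mapper: each entry is a claim name or {'name', 'transform'}."""
    fields = {}
    for field, spec in mapping.items():
        if isinstance(spec, dict):
            name, transform = spec['name'], spec.get('transform')
        else:
            name, transform = spec, None
        if name not in claims:
            continue  # a missing claim leaves the field unset instead of raising KeyError
        value = claims[name]
        fields[field] = transform(value) if transform else value
    return fields


# Constructed sample data, not taken from a real token.
SAMPLE_GUID = uuid.UUID('00112233-4455-6677-8899-aabbccddeeff')
SAMPLE_CLAIMS = {
    'FirstName': 'Ada',
    'objectGUID': base64.b64encode(SAMPLE_GUID.bytes_le).decode('ascii'),
}
CLAIM_MAPPING = {
    'first_name': 'FirstName',
    'email': 'Email',  # absent from SAMPLE_CLAIMS on purpose
    'ad_object_guid': {'name': 'objectGUID', 'transform': transform_objectguid},
}

if __name__ == '__main__':
    print(apply_claim_mapping(SAMPLE_CLAIMS, CLAIM_MAPPING))
```

Decoding the same 16 bytes with `uuid.UUID(bytes=...)` instead of `bytes_le` yields a different UUID, so a lookup keyed on it would not match the directory object.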

Issue Analytics

  • State: open
  • Created 3 years ago
  • Comments: 6 (4 by maintainers)

Top GitHub Comments

2 reactions
peterfarrell commented, May 24, 2021

@AUitto I haven’t had time to implement a PR yet. Current workaround is to create custom backends. Then be sure to use your custom backends in your Settings.py instead of the ones provided by Django Auth ADFS directly.

import base64
import uuid
from django_auth_adfs.backend import AdfsAuthCodeBackend, AdfsAccessTokenBackend

class CustomAdfsAuthCodeBackend(AdfsAuthCodeBackend):
    def validate_access_token(self, access_token):
        claims = super().validate_access_token(access_token=access_token)

        # Transform base64 objectGUID to real UUID
        if claims.get('objectGUID'):
            claims['objectGUID'] = uuid.UUID(bytes_le=base64.b64decode(claims['objectGUID']))

        # Return the claims so the backend can continue processing them
        return claims


class CustomAdfsAccessTokenBackend(AdfsAccessTokenBackend):
    def validate_access_token(self, access_token):
        claims = super().validate_access_token(access_token=access_token)

        # Transform base64 objectGUID to real UUID
        if claims.get('objectGUID'):
            claims['objectGUID'] = uuid.UUID(bytes_le=base64.b64decode(claims['objectGUID']))

        return claims

1 reaction
AUitto commented, May 24, 2021

Aight, thanks for a swift response. I’ll have a look at the workaround.
