-
-
Notifications
You must be signed in to change notification settings - Fork 103
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added ability to obtain groups from MS Graph when there are too many #247
Conversation
Codecov Report
@@ Coverage Diff @@
## master #247 +/- ##
========================================
- Coverage 86.0% 85.4% -0.6%
========================================
Files 11 11
Lines 515 556 +41
========================================
+ Hits 443 475 +32
- Misses 72 81 +9
|
What other permissions / setup / configuration does this change require? Those should be documented. I'm thinking not everyone would want to have this request be made during authentication, so it may be best to put it behind a flag. |
Good question, so for starters this extra API call will only run in the following circumstances:
Currently, when this happens in the plugin, it will just assume it can't find the groups claim and errors on that. All this change does is make sure that in such failure cases, one extra check is done to check if the claim can be obtained via an OBO request in these specific circumstances. So it won't alter any existing behaviour, but should only target this very specific failure case. In terms of what changes the user needs, for this OBO request to succeed they need to make sure that their Azure AD app is configured to have the GroupMember.Read.All permission enabled. Not sure if there is documentation about adding permissions to an AD app? If so, where / how can I update this? Edit: I also do have a check in the code that will raise a permission error if they do not have this permission enabled in Azure, so when someone is setting this up for the first time, they will be identify the problem from the logs.
|
Thank you so much for this! I won't be able to review before Monday, unfortunately. If you want to bump versions in |
Thank you for the explanations! I think the documentation page that may need to be updated is https://github.com/snok/django-auth-adfs/blob/master/docs/azure_ad_config_guide.rst. Since you have an error that catches this permission error, I'd say that eliminates a fair amount of the documentation work. If you could please change the message to:
Ideally we want the error message to contain all the information the user needs. By explicitly mentioning the permission required, hopefully we'll reduce the number of issues on the repo of people claiming there's a bug. |
No problem, done. |
Thanks for the guidance, updated the message and also updated the docs. |
Sorry, didn’t have time to look into this today, and I’m out tomorrow. I’ll get back to you ASAP though. |
Thank you so much. This looks great! |
I would ideally have test coverage not drop a whole 5%. Could you add a unit test to |
Agreed, didn't realise we had this test coverage thing running in the pipeline so didn't notice the drop. Will add more tests when I get a chance and report back. |
Sorry for the delay, I'm maxed out these past two weeks. Have added some more tests now, coverage seems much better. |
Thanks a lot! So sorry for the delay. |
Released here. PyPI should be out as soon as pipelines are done. |
This pull request adds the ability to be able to query the user groups via MS Graph if they do not fit in the initial JWT access token (in the case where the user has too many groups). This only applies for Azure AD logins.
This should resolve #232