microsoftgraph/aspnet-snippets-sample

Get the User Group as part of the Authentication Process

twcarnahan opened this issue · 13 comments

How can we find out what group the user is a member of during the authentication process, basically in Startup_Auth.cs?
I have a problem with how to make the Graph call as admin during the authentication process.
Again, thank you for your direction, Tim:

Hi Tim. This would be a good discussion to have on Stack Overflow. Agreed that it would be useful to know certain things once you get the token, like if the user is an admin or if it's a personal or work/school account. Maybe there are things that you can do by parsing the token that we don’t know about. Can you please open a question about this, and tag it with [azure-active-directory] and [microsoftgraph]?

I don't believe there is an answer for it, but I posted it on Stack Overflow. Basically, we need to have OUs (Organizational Units) in Azure AD; if not, then we can try to use Groups, but we need to perform logic in the authentication process as we did with LDAP and get the user's distinguished name. This is my question to you: is there anything like a "distinguished name" in Azure?
Vr, Tim:

Thanks for doing that. Adding a link to the question for others who might benefit:
https://stackoverflow.com/questions/42797166/authentication-process-get-azure-group-the-user-is-member-of-and-do-logic

Can you please help with this one; I didn't get anywhere with Stack Overflow. Much appreciated, Tim;
This works with a basic new MVC 5 project, but not with your snippets.
If you add this to Startup.Auth.cs you get an exception, a silent one :)
```csharp
// Goes inside Notifications = new OpenIdConnectAuthenticationNotifications { ... }
// in Startup.Auth.cs. Needs: using System.Security.Claims; using System.Threading.Tasks;
// using System.Web;
SecurityTokenValidated = (context) =>
{
    // If your authentication logic is based on users then add your logic here.
    // Note: FindFirst returns null when the claim is not in the token, so .Value
    // throws a NullReferenceException for any claim type that is absent.
    string issuer = context.AuthenticationTicket.Identity.FindFirst("iss").Value;
    HttpContext.Current.Session.Add("issuer", issuer);
    string UPNameIdentifier = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
    HttpContext.Current.Session.Add("UPNameIdentifier", UPNameIdentifier);
    string UPName = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.Name).Value;
    HttpContext.Current.Session.Add("UPName", UPName);
    string tenantID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
    HttpContext.Current.Session.Add("tenant", tenantID);

    return Task.FromResult(0);
},
```

===== Use the below in a View to show the result -- but it fails using this snippet

```cshtml
<h1><label> @System.Web.HttpContext.Current.Session["UPNameIdentifier"]</label></h1>
<h1><label> @System.Web.HttpContext.Current.Session["issuer"]</label></h1>
<h1><label> @System.Web.HttpContext.Current.Session["tenant"]</label></h1>
<h1><label> @System.Web.HttpContext.Current.Session["UPName"]</label></h1>
```

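As an added example (not code from the aspnet-snippets-sample, from the thread, or from DianeD's gist), here is a SecurityTokenValidated handler for the OWIN OpenID Connect middleware that reads the claims without throwing when one is absent, and answers the group question to the extent the token can: it collects the `groups` claim when the app registration is configured to emit it, and flags the overage case where Azure AD replaces the list with `_claim_names`/`_claim_sources` and the groups have to be fetched from Microsoft Graph after sign-in. Assumptions: the `Microsoft.Owin.Security.OpenIdConnect` package is referenced, the app manifest has `"groupMembershipClaims": "SecurityGroup"`, and `AdminGroupObjectId` and the `app:*` claim names are placeholders chosen for this example.

```csharp
// Added example, not code from the aspnet-snippets-sample or from DianeD's gist.
// Assumptions: OWIN OpenID Connect middleware (Microsoft.Owin.Security.OpenIdConnect); the app
// registration emits a "groups" claim (manifest "groupMembershipClaims": "SecurityGroup");
// AdminGroupObjectId and the "app:*" claim names below are placeholders for this example.
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OpenIdConnect;

public static class SignInClaims
{
    const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    const string AdminGroupObjectId = "00000000-0000-0000-0000-000000000000"; // placeholder

    // First non-empty value among several candidate claim types, or null. Never throws,
    // unlike FindFirst(type).Value on a claim the token does not carry.
    static string ValueOrNull(ClaimsIdentity identity, params string[] types)
    {
        foreach (var type in types)
        {
            var claim = identity.FindFirst(type);
            if (claim != null && !string.IsNullOrEmpty(claim.Value)) return claim.Value;
        }
        return null;
    }

    // Tenant id: the tenantid/"tid" claim when present, otherwise parsed from the issuer
    // URL https://login.microsoftonline.com/{tenant}/v2.0.
    static string TenantFrom(ClaimsIdentity identity)
    {
        var tid = ValueOrNull(identity, TenantIdClaim, "tid");
        if (tid != null) return tid;
        var iss = ValueOrNull(identity, "iss");
        Uri issuer;
        if (iss != null && Uri.TryCreate(iss, UriKind.Absolute, out issuer) && issuer.Segments.Length > 1)
            return issuer.Segments[1].TrimEnd('/');
        return null;
    }

    static void AddIfPresent(ClaimsIdentity identity, string type, string value)
    {
        if (value != null) identity.AddClaim(new Claim(type, value));
    }

    // Wire-up in Startup.Auth.cs, after the OpenIdConnectAuthenticationOptions.Notifications
    // object has been created: SignInClaims.Attach(options.Notifications);
    public static void Attach(OpenIdConnectAuthenticationNotifications notifications)
    {
        notifications.SecurityTokenValidated = context =>
        {
            // The middleware has already validated signature, issuer, audience and lifetime
            // before this runs, so the claims can be trusted for an authorization decision.
            var identity = context.AuthenticationTicket.Identity;

            // v2.0 ID tokens carry "name" and "preferred_username"; ClaimTypes.Name may be absent.
            var displayName = ValueOrNull(identity, ClaimTypes.Name, "name");
            var login = ValueOrNull(identity, "preferred_username", ClaimTypes.Upn, ClaimTypes.Email);
            var tenant = TenantFrom(identity);
            var objectId = ValueOrNull(identity, ObjectIdClaim, "oid");

            // One "groups" claim per group object id. If the user is in more groups than the
            // token can hold, Azure AD emits "_claim_names"/"_claim_sources" instead and the
            // list must be fetched from Microsoft Graph (GET /me/memberOf) after sign-in.
            var groups = identity.FindAll("groups").Select(c => c.Value).ToList();
            var overage = identity.FindFirst("_claim_names") != null;
            var isAdmin = groups.Contains(AdminGroupObjectId, StringComparer.OrdinalIgnoreCase);

            // Put the derived values on the identity: they are serialized into the auth cookie,
            // so views and [Authorize] filters can read them without relying on session state.
            AddIfPresent(identity, "app:displayName", displayName);
            AddIfPresent(identity, "app:login", login);
            AddIfPresent(identity, "app:tenant", tenant);
            AddIfPresent(identity, "app:oid", objectId);
            identity.AddClaim(new Claim("app:groupsOverage", overage.ToString()));
            // Make the decision here, not in the view; the role claim drives [Authorize(Roles = "Admin")].
            if (isAdmin) identity.AddClaim(new Claim(ClaimTypes.Role, "Admin"));

            return Task.FromResult(0);
        };
    }
}
```

In a view or controller the values are then read from the signed-in principal, for example `((ClaimsIdentity)User.Identity).FindFirst("app:tenant")?.Value`, and an `app:groupsOverage` value of `True` tells the app that the token was silent about groups and a Graph call is needed before any group-based decision.
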
Hi @twcarnahan . I'll see if I can get this working in the Snippets sample.

Hi Tim. I'm not sure this is what you were asking for, but I changed ClaimTypes.Name to "name" in your code and it runs in the sample. I made that change to match the claims I'm getting. Otherwise, the code throws an Object reference not set... exception. Is this what you're seeing?

Hello DianeD, I'm just trying to use the SecurityTokenValidated process, just like this example https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect/blob/master/TodoListWebApp/App_Start/Startup.Auth.cs ; the code above is what I'm trying to get to work in your snippet example, which uses MSAL. As for getting the exception: yes, I get an exception on the above code, as it's like nothing is there to get, unlike what the documentation states. I very much appreciate you looking into this, because something is missing or different with MSAL or the syntax, or somehow you have to "preload" your token request with what you want back. Nevertheless, you should by default get the above UPN, which is different from the NameIdentifier.
Vr, Tim:

Hi Tim. I don't know how you control which claims you get back, other than as discussed in the Stack Overflow question. In my tests, I can run your code in the Snippets sample and get claims info (after changing the ClaimTypes.Name key, because I don't get that claim).

Here's what I get by default.

[screenshot of the default claims]

Note: Although the preferred_username claim in this example looks like a UPN, I'm not sure that will always be the case.

Ok, do you use the "SecurityTokenValidated = (context) =>" section of the authentication process in StartUp_Auth.cs that I used from the other cited sample? I know that they are coming back, but actually getting them back during the authentication process is where I'm stuck. I don't know if it's syntax or not, but the snippets sample using MSAL is the only difference from the other cited sample. Did you actually add the code above and get the results?
Very much appreciate your time, Tim:

Can you post your code snippet?
Tim:

The Startup_Auth.cs class with SecurityTokenValidated notification handler is here: https://gist.github.com/DianeD/8b95fc3c3b6479bd9227a5183d1aa181

I added your HTML snippet to index.cshtml, and the claims values are displayed after the user signs in. I tested with two work/school accounts and one personal account.

Hi @twcarnahan . Closing this issue. Please reopen if you are still having problems. Thanks!