roles-function's People

Contributors

anthonychu, hannahzhuswe

roles-function's Issues

GetRoles-app not working for users with 100+ AD groups

Hi!

We are using this solution for our template repo, and we have noticed some trouble with the role assignment. From within the same AD group, most users receive the custom role we defined, but a few don't. I believe the problem is caused by there being a max limit of 100 objects being returned when calling the graph-API. After that, you have to use paging.

By playing around in the graph-explorer, I tried modifying the JS-code by instead calling const url = new URL(`https://graph.microsoft.com/v1.0/me/memberOf/${groupId}`);, hoping that the API would only return the relevant object. This worked in the graph-explorer, but did unfortunately not solve the issue for my users.
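
The paging this issue describes, as an added example that is not part of the issue or the repository's code: a role lookup that follows `@odata.nextLink` until Graph stops returning one, sends the token only to Graph, and returns no custom roles if any page fails. The function names, group ids and canned responses are constructed; `roleGroupMappings` and the `accessToken` input follow the names used on this page.

```javascript
// Added example, not the repository's code. Group ids and role names are constructed.
const roleGroupMappings = {
  admin: "00000000-0000-0000-0000-0000000000aa",
  reader: "00000000-0000-0000-0000-0000000000bb",
};
const GRAPH_HOST = "graph.microsoft.com";
const FIRST_PAGE = `https://${GRAPH_HOST}/v1.0/me/memberOf?$select=id`;
const MAX_PAGES = 50; // assumed safety cap against a nextLink that loops

// Walk every page of /me/memberOf and collect the ids of all returned objects.
async function listGroupIds(accessToken, fetchImpl = globalThis.fetch) {
  const ids = new Set();
  let url = FIRST_PAGE;
  for (let page = 0; url; page++) {
    if (page >= MAX_PAGES) throw new Error("too many pages");
    const { protocol, hostname } = new URL(url);
    // Never forward the bearer token to anything but Graph over HTTPS.
    if (protocol !== "https:" || hostname !== GRAPH_HOST) throw new Error("unexpected nextLink");
    const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${accessToken}` } });
    if (!res.ok) throw new Error(`Graph returned ${res.status}`);
    const body = await res.json();
    for (const entry of body.value ?? []) ids.add(entry.id);
    url = body["@odata.nextLink"]; // absent on the last page
  }
  return ids;
}

// Fail closed: a missing token or an error on any page yields no custom roles.
async function getRoles(accessToken, fetchImpl = globalThis.fetch) {
  if (!accessToken) return [];
  try {
    const ids = await listGroupIds(accessToken, fetchImpl);
    return Object.entries(roleGroupMappings)
      .filter(([, groupId]) => ids.has(groupId))
      .map(([role]) => role);
  } catch {
    return [];
  }
}

// Constructed stand-in for fetch: serves canned pages keyed by URL, 404 otherwise.
const fakeGraph = (pages) => async (url) =>
  ({ ok: url in pages, status: url in pages ? 200 : 404, json: async () => pages[url] });
// Constructed sample: the mapped "admin" group only shows up on the second page.
const PAGE_2 = `${FIRST_PAGE}&$skiptoken=constructed`;
const SAMPLE_PAGES = {
  [FIRST_PAGE]: { value: [{ id: "constructed-group-001" }], "@odata.nextLink": PAGE_2 },
  [PAGE_2]: { value: [{ id: roleGroupMappings.admin }] },
};
```

A lookup that stopped after the first page would return no roles for this sample, because the mapped group is only on the second page.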

How to get Bearer token in C# function

In the js example the accessToken is pulled from req.body.accessToken

In C# the req.Body is a Stream which is empty every time I try to read from it.

authorized but not authenticated

I have used the auth as part of my staticwebapp.config.json and added GetRoles to my api folder. I have done all the setup on Azure as well. I have a Falcon project which I can log in to (authorized) with the strategy explained here: https://docs.microsoft.com/en-us/azure/static-web-apps/assign-roles-microsoft-graph.

But I cannot get authenticated! /.auth/me only returns the default roles; none of the roles I defined in GetRoles/index.js under roleGroupMappings are picked!

GetRoles hosted in azure app container

Hi,
I am hosting the back end in an Azure app container. I'm trying to host the get roles API there too.
Is that possible?
I tried with both the v1 and v2 config versions for Azure Active Directory (see below), but I always get an empty request body.
I'm receiving an empty req.body. Do you know if it is possible?
Is it related to this?
Azure/static-web-apps#988

    "auth": {
        "rolesSource": "/api/getroles",
        "identityProviders": {
            "azureActiveDirectory": {
                "registration": {
                    "openIdIssuer": "https://login.microsoftonline.com/<tenantid>/v2.0",
                    "clientIdSettingName": "AZURE_CLIENT_ID",
                    "clientSecretSettingName": "AZURE_CLIENT_SECRET"
                },
                "login": {
                    "loginParameters": [
                        "scope=openid profile email https://graph.microsoft.com/User.Read"
                    ]
                }
            }
        }
    }

and

    "auth": {
        "rolesSource": "/api/getroles",
        "identityProviders": {
            "azureActiveDirectory": {
                "userDetailsClaim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                "registration": {
                    "openIdIssuer": "https://login.microsoftonline.com/<tenantid>",
                    "clientIdSettingName": "AZURE_CLIENT_ID",
                    "clientSecretSettingName": "AZURE_CLIENT_SECRET"
                },
                "login": {
                    "loginParameters": [
                        "resource=https://graph.microsoft.com"
                    ]
                }
            }
        }
    },

Sample application using OpenID 2.0

The example in the tutorial and this repo use the OpenID 1.0 protocol, with high-level access to resources. As MS now recommends using the newer version, can this tutorial be updated to reflect this?

I ask because I've not been able to get this to work successfully.

    "auth": {
        "rolesSource": "/api/getRoles",
        "identityProviders": {
            "azureActiveDirectory": {
                "userDetailsClaim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                "registration": {
                    "openIdIssuer": "https://login.microsoftonline.com/[TENANT_ID]/v2.0",
                    "clientIdSettingName": "AAD_CLIENT_ID",
                    "clientSecretSettingName": "AAD_CLIENT_SECRET"
                },
                "login": {
                    "loginParameters": [
                        "scope=https%3A%2F%2Fgraph.microsoft.com%2Fopenid%20https%3A%2F%2Fgraph.microsoft.com%2Fprofile"
                    ]
                }
            }
        }
    }

A request like this, moving to the v2 openIdIssuer and swapping the loginParameters from resource to scope, gives me a 403, and I am unable to log in to the application as it doesn't have an email.

Is there a way to get this to work?
