We are trying to use the built-in Authentication from an Azure Web App. The first part of it seems so simple and painless, but after the user is authenticated, we’re having no success in reading their group membership so that our app can present the right experience.

What we have working

  • Azure Web App – authentication
      • Authenticating to AAD – used the “express” setup to configure
  • We get the X-MS-X-MS-TOKEN-AAD-ACCESS-TOKEN (and its friends) from the header and can decode the claim we want (email address) and use it in the app

What we have not been able to figure out:

  • How to use these headers to request their record from Azure AD to determine their group membership and other claims not passed in the token (for security reasons)
  • How (or if?) to refresh their token so they aren’t kicked out of the app before they are finished when their token expires. There’s an X-MS-TOKEN-AAD-REFRESH-TOKEN available in the headers. What we don’t know is if the Azure Web App Authentication handles refreshes for us, or if we have to do something with it ourselves.

Authentication up to this point has been way simpler than the “roll your own” we have been working on, so I’m hopeful that the built in Azure Web App Authentication is an easy solution.

(The web app contains an application written in ColdFusion deployed on Lucee in a Container. But I suspect that any solution to this is likely very cross platform.)

Any suggestions?

Cam

1 Answer

You can configure the Azure AD Application Registration for group attributes. Modify the "groupMembershipClaims" field in application manifest:

"groupMembershipClaims": "SecurityGroup"

Then the token will contain the IDs of the groups that the user belongs to, like below:

{
  "groups": ["group id"]
}

You can also use Microsoft Graph user: getMemberGroups to check the groups the user is a member of AFTER the user is authenticated.

You can refresh the token with MSAL method AcquireTokenSilentAsync. See this answer for more details.

Allen Wu
  • Still working on things. We are now using the X-MS-X-MS-TOKEN-AAD-ACCESS-TOKEN. We decode it, and contained in it is a list of the group IDs. We are using this to determine group membership. This is good. Still working through the refresh. It seems Azure WebApp Authentication might handle refresh automatically. Initial token has a 65 minute expiry, and when I let that sit overnight, a refresh of the page shows a new token has been issued. The problem I am working on is that after 90 minutes, I have the expired token and not a refresh, but Web App Authentication still lets me through. – Cam Mar 24 '21 at 19:12
  • @Cam Looks like the original issue is resolved now right? If my answer is helpful for you, you can accept it as answer. Thank you. For your new question, it's recommended to add a new post with more details for more attention. – Allen Wu Mar 25 '21 at 02:37
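Reading the "groups" claim from the Easy Auth access-token header and deciding when the app should refresh the session before "exp" runs out, as described in the answer and Cam's follow-up comment. This is an added example in Python, not code from the question, the answer, or Microsoft: it assumes App Service has already validated the token (so the signature is not re-checked here), uses constructed placeholder group IDs and a constructed unsigned token, and treats the App Service /.auth/refresh endpoint as the refresh mechanism; the function and constant names (authorize, REFRESH_LEEWAY) are hypothetical.

```python
import base64
import json
import time

# App Service (Easy Auth) sets this header on each request after sign-in.
ACCESS_TOKEN_HEADER = "X-MS-TOKEN-AAD-ACCESS-TOKEN"
REFRESH_LEEWAY = 300  # ask for a refresh this many seconds before 'exp'

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is not checked:
    App Service validated the token before setting the header, so only read
    claims from that header, never from a token the client supplies itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def authorize(headers: dict, required_group: str, now: float = None) -> dict:
    """Decide whether the user may proceed, and whether the app should call
    App Service's /.auth/refresh before the token expires."""
    now = time.time() if now is None else now
    token = headers.get(ACCESS_TOKEN_HEADER)
    if not token:
        return {"allowed": False, "refresh": False, "reason": "no access token header"}
    claims = jwt_claims(token)
    remaining = claims.get("exp", 0) - now
    if remaining <= 0:
        # An expired token's claims must not drive authorization decisions.
        return {"allowed": False, "refresh": True, "reason": "token expired"}
    # 'groups' holds group object IDs once groupMembershipClaims is set.
    allowed = required_group in set(claims.get("groups", []))
    reason = "member of required group" if allowed else "not in required group"
    return {"allowed": allowed, "refresh": remaining <= REFRESH_LEEWAY, "reason": reason}

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."

# Constructed sample: a 65-minute token carrying two placeholder group IDs.
ISSUED_AT = 1_700_000_000
SAMPLE_GROUP = "00000000-0000-0000-0000-000000000001"
SAMPLE_HEADERS = {ACCESS_TOKEN_HEADER: make_sample_token({
    "email": "user@example.com", "iat": ISSUED_AT, "exp": ISSUED_AT + 65 * 60,
    "groups": [SAMPLE_GROUP, "00000000-0000-0000-0000-000000000002"]})}
```

The "token expired" branch is the 90-minute case from the comment: rather than letting the request through on an expired token, the app denies it and triggers a refresh.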