I use Microsoft Graph API to list users in my Azure AD B2C tenant. When I try to get it ordered by surname (lastname) I get this error:
Unsupported sort property 'surname' for 'User'.
What's supported is 'displayName', which may contain person name in the form of [firstName lastName] or [lastName firstName]. I wonder if there's any way to get the list ordered by last name.
The code, just in case:
IGraphServiceUsersCollectionRequest usersRequest = GraphClient.Users.Request()
.Select(u => new {u.Id, u.DisplayName, u.Mail, u.GivenName, u.UserPrincipalName, u.AccountEnabled, u.Surname}).OrderBy("displayName");
Unfortunately, you cannot use orderby parameter with surname in either standard Azure AD or Azure AD B2C tenants as of now.
You may post a feedback regarding this feature at Azure Feedback Portal, which is monitored by the product team for product enhancements.
Related
I have created an app which is using Azure AD authentication. After user is authenticated, I want to get the user's unique Id and get the group information which I want to save in a session so then that group information can be fetched in any controller action.
One good place to do that would be right SignIn() method method but this code does not execute because of the cache and user can get to the default page.
So what would be the best possible solution to create the session prior to user start any activity on the application after user is authenticated?
In this page i should be able to check if user is authenticated, username and also get users unique id as follow:
var userName = System.Security.Claims.ClaimsPrincipal.Current.FindFirst("name").Value;
var IsAuthenticated = HttpContext.User.Identity.IsAuthenticated;
var uniqueId = system.Security.Claims.ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
Please Include below in application manifest in azure portal
"groupMembershipClaims": "All",
Change this to "SecurityGroup" to get security groups and Azure AD roles
Or change to "ApplicationGroup". This includes only groups that are assigned to the application.
See groupmembershipclaims-attribute.
Access the group info from controller before routing it to any other controller/ redirect uri in the startup before app authorization.
[Route("api/[controller]")]
[ApiController]
public class CurrentUserController : ControllerBase
{
[HttpGet("groups")]
[ProducesResponseType(typeof(IEnumerable<ClaimsViewModel>), (int)HttpStatusCode.OK)]
public IActionResult Groups()
{
return Ok(User.Claims.Where(claim => claim.Type == "groups").Select(c => new ClaimsViewModel() { Type = c.Type, Value = c.Value }));
}
}
In case where users have more than 5 AD groups, you may have to query the groups manually using MS Graph or save those separately with other alternatives.
References:
net - Get a list of groups that Azure AD user belongs to in claims- Stack Overflow
asp.net - Claim data missing for authenticated users - Stack
Overflow /Azure Web App Authentication using Azure AD – how to get
user’s groups - Stack Overflow
After many tests I can't figure out how to add claim to userinfo / id token / access token based on the SCIM 2.0 format for the attributes column inside accounts table.
Curity 6.6.0
Mysql configured as the default datasource also for user management
Mysql attributes query configured in the datasource : SELECT * FROM accounts WHERE username = :subject
User added through the User SCIM endpoint have their data inside the 'attributes' column of the accounts table (seems to be by design when the onyl one DS exists in Curity)
family_name, given_name appears correctly in the id token as the connected user
I'm using BFF Token handler SPA code (nodejs) with the overall flow validated
Step by step :
Create a claim named 'user_type'
select the default-account-manager associates with a claim provider
in the 'select value' combo search and add userType (all attributes of the SCIM 2.0 schema are referenced in the combo)
Add the claim to a custom scope & profile scope
Configure the claim to be in the userInfo & Id Token & access token
Commit
--> No user_type field in any token or userInfo
I have tried with (return attributes.userType) and without any mapping, but no way...
The only working test is the one with a mock : return {userType: 'test'} or return 'test'.
It seems that the attributes query SELECT * FROM accounts WHERE username = :subject does'nt allow to use children fields of the attributes column.
Despite the fact that it seems to work correctly in https://curity.io/resources/learn/claims-from-authenticated-subject/ subject attributes in authentication with code
function transform(attributes) {
//Transform the attributes and return the appropriate value for the claim
if(attributes.emails !== undefined
&& attributes.emails.length > 0
&& attributes.emails[0].value !== null) {
//return {"email" : attributes.email};
return attributes.emails[0].value;
}
return null;
}
Any help will be greatly appreciate to point out what I'm doing wrong
Sounds like you got most of it right, but some details to tweak.
First, to use the attribute query, you can't use an Account Manager claims provider, that one uses the account query for the lookup and is not configurable. Instead, use the Data Source Claims Provider.
Second, the claim config can't query in multiple steps, so you'll need to transform your result.
In the picture below, I'm using a data source provider with your query, and putting the value from my attributes.timezone in the "email" claim.
Note the logger.warn, it's useful to find out what you get back from the datasource.
I tried to retrieve my eventbrite events using an API private token and my organization ID found in :
https://www.eventbrite.fr/organizations/info/profile/456xxxxxxx so I took this organisation ID and I plugged it in :
$eventbrite->get('organizations/'.$id_organisation.'/events/', ['status' => 'live']); .
This didn't yield any result.
Finally, I managed to retrieve the list of my eventbrite events using the same private token but with an organisation ID that I got from the URL https://www.eventbrite.fr/u/123xxxxxxx/favorites/events. What makes me wonder is that why did the API call manage to get me the events using an ID that is not id of the organization ? It is some sort of user id no ?
This might answer your question. From Eventbrite docs:
If you don't belong to any Organizations, your user_id is your default Organization ID.
https://www.eventbrite.com/platform/docs/organizations
The application I'm currently working on is a huge ASP.NET MVC web application which uses traditional Windows Authentication model. We are trying to migrate to Single Sign On model using Identity Server 3 and Open ID Connect.
Coming to my question, is there any way/work around to provide access on a user group basis when using Identity Server? The problem here is that the my user groups could either be role based or Active directory groups. I'm looking for something like InMemoryGroup (similar to InMemoryUser).
Something that mimicks the following for a Group of users that can be role based or not:
new InMemoryUser
{
Username = "harry",
Password = "thisispassword#123",
Subject = "1",
Claims = new Claim[]
{
new Claim(Constants.ClaimTypes.Name, "Harry Potter"),
new Claim(Constants.ClaimTypes.GivenName, "Harry"),
new Claim(Constants.ClaimTypes.FamilyName, "Potter"),
new Claim(Constants.ClaimTypes.Email, "harry.potter#hogwarts.com"),
new Claim(Constants.ClaimTypes.EmailVerified, "true", ClaimValueTypes.Boolean),
new Claim(Constants.ClaimTypes.Role, "Administrator"),
}
}
I'm relatively new to Identity Server and Open ID Connect and not able to find anything online and would really appreciate any leads.
To represent the fact that a user is a member of a group you just add a claim. You could add:
new Claim("Group", "Hogwarts Student")
to your in memory user. The claim indicates that Harry is a member of the "Hogwarts Student" group. There is a couple of things going on here you want to be aware of. The constructor being called is:
new Claim(string claimType, string claimValue)
There Identity Server provides some standard ones in the Constants class but you can make up your own. Also, you can have multiple group claims, so you could have
new Claim("Group", "Hogwarts Student"),
new Claim("Group", "Gryffindor House)
If you wanted to see if Harry was in the "Gryffindor House" group, you'd just search through is list of claims where the claim type is equal to "Group" and the claim value is equal to "Gryffindor House".
Finally, the difference between groups and roles is generally more a matter of application semantics that a physical difference in how they are stored. In general, the set of users that can perform the "Administrator" role for an application is just a group of users. It is the way that an application treats users of a group that makes the group a role.
We are authenticating our MVC application using Azure Active Directory but the only information we get back in our ClaimsPrincipal is the Name and Group Memberships.
We need access to the users given name and last name as well. Any pointers on how we can resolve this?
OpenID Connect introduces an id_token (This is a JWT).
Looking at the documentation, the id_token contains some claims that could match :
given_name: Provides the first or "given" name of the user, as set on the Azure AD user object.
family_name: Provides the last name, surname, or family name of the user as defined in the Azure AD user object.
unique_name: Provides a human readable value that identifies the subject of the token. This value is not guaranteed to be unique within a tenant and is designed to be used only for display purposes.
So in your controller you can access these claims like that:
using System.Security.Claims;
...
var identity = (ClaimsIdentity)User.Identity;
var lastName = identity.Claims.First(
c => c.Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname").Value;
var firstName = identity.Claims.First(
c => c.Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname").Value;
var displayName = identity.Claims.First(c => c.Type == "name").Value;
These claims correspond to the First Name, Last Name and Display Name in your Azure AD :