django-auth-adfs: Groups is empty

Hello;

I have used django-auth-adfs to log in users on Azure/Entra. The users are correctly authenticated, but unfortunately the list of groups received from Azure is empty. I need the group memberships for my application to work correctly - so unfortunately I am not fully successful yet. With some of my own print() debug in django-auth-adfs this is the dialogue between my server and Azure:

[18/Jan/2024 12:51:54] "GET /oauth2/login?next=/ HTTP/1.1" 302 0
Groups: []              <--- My debug
User: user@domain.com   <--- My debug
[18/Jan/2024 12:51:54] "GET /oauth2/callback?code=0.AYIAS3tqt2........ccbe62f15376 HTTP/1.1" 302 0
[18/Jan/2024 12:51:54] "GET / HTTP/1.1" 200 12260

As indicated in the console log, the groups list is empty.

I have given the application the permission: GroupMember.Read.All - but apart from that I am not very experienced in Azure/Entra configuration - so the problem might be on that side. Any tips would be highly appreciated.

This is my settings section:

AUTH_ADFS = {
    'AUDIENCE': ENTRA_CLIENT_ID,
    'CLIENT_ID': ENTRA_CLIENT_ID,
    'CLIENT_SECRET': ENTRA_SECRET,
    'CLAIM_MAPPING': {'first_name': 'given_name',
                      'last_name': 'family_name',
                      'email': 'upn'},
    'GROUPS_CLAIM': 'groups',
    'MIRROR_GROUPS': True,
    'USERNAME_CLAIM': 'upn',
    'TENANT_ID': ENTRA_TENANT_ID,
    'RELYING_PARTY_ID': ENTRA_CLIENT_ID,
    "GROUP_TO_FLAG_MAPPING": {"is_staff": ["SomeGroup"],
                              "is_superuser": ["SomeGroup"]},
}


About this issue

  • State: closed
  • Created 5 months ago
  • Comments: 16 (9 by maintainers)

Most upvoted comments

Hello;

I have now tested this with my colleagues - and it works for them as well - when running on localhost. But - unfortunately it does not work in production. In production I get an error pop-up in the browser with the message:

AADSTS50011: The redirect URI 'http://sonairmeasurements.azurewebsites.net/oauth2/callback' specified in the request does not match the redirect URIs configured for the application

The URI quoted in the error message is with plain http:// - whereas the callback I have configured in Azure is with https:// - so in a sense the error message from Azure is correct - if the payload from my server indeed contains the plain http://?

Update 1: Looking into this issue: https://github.com/snok/django-auth-adfs/issues/69

Update 2: Setting SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") solved the last problem.

Closing this issue as solved!
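The SECURE_PROXY_SSL_HEADER fix above works because Django builds the callback redirect_uri from request.scheme, and behind a TLS-terminating proxy the WSGI socket itself is plain HTTP. The following is an added example, not code from the issue or from django-auth-adfs or Django: a simplified mirror of Django's HttpRequest.scheme logic applied to constructed request metadata, showing the redirect_uri Django would produce with and without the setting. The host name, header values and the `request_scheme` / `callback_redirect_uri` helpers are assumptions made for the illustration; the last case shows why the setting should only be used when the proxy always overwrites the forwarded-proto header, since a client can otherwise supply it directly.

```python
# Added example: a simplified reimplementation of how Django picks the
# request scheme, used to show why the redirect_uri came out as http://
# in production. Not django-auth-adfs or Django code.

# Same value the issue reports as the fix.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def request_scheme(meta, secure_proxy_ssl_header=None):
    """Mirror of Django's HttpRequest.scheme (simplified, an assumption).

    With the setting configured, the named header decides the scheme
    (only the first comma-separated value is compared); otherwise Django
    falls back to what the WSGI server saw on the socket.
    """
    if secure_proxy_ssl_header:
        header, secure_value = secure_proxy_ssl_header
        header_value = meta.get(header)
        if header_value is not None:
            header_value, *_ = header_value.split(",", 1)
            return "https" if header_value.strip() == secure_value else "http"
    return meta.get("wsgi.url_scheme", "http")


def callback_redirect_uri(meta, secure_proxy_ssl_header=None, path="/oauth2/callback"):
    """Assemble the absolute callback URL the way Django's build_absolute_uri would."""
    return f"{request_scheme(meta, secure_proxy_ssl_header)}://{meta['HTTP_HOST']}{path}"


# Constructed WSGI environ fragments (hostnames and values are made up).
# Production: browser talks TLS to the proxy, proxy talks plain HTTP to Django.
PROD_META = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "app.example",
    "HTTP_X_FORWARDED_PROTO": "https",
}

# Local development: no proxy at all, plain HTTP end to end.
LOCAL_META = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "localhost:8000",
}

# Risk case: no proxy in front, but the client itself sends the header.
# If SECURE_PROXY_SSL_HEADER is set here, Django will trust the claim.
SPOOFED_META = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "app.example",
    "HTTP_X_FORWARDED_PROTO": "https",
}


if __name__ == "__main__":
    print("prod, setting unset:", callback_redirect_uri(PROD_META))
    print("prod, setting set:  ", callback_redirect_uri(PROD_META, SECURE_PROXY_SSL_HEADER))
    print("local, setting unset:", callback_redirect_uri(LOCAL_META))
    print("direct client with forged header, setting set:",
          callback_redirect_uri(SPOOFED_META, SECURE_PROXY_SSL_HEADER))
```

Without the setting, the production request yields http://app.example/oauth2/callback, which is exactly the mismatch Azure reports as AADSTS50011; with it, the redirect_uri becomes https://. The last case is the reason Django documents the setting as proxy-only: the mechanism cannot distinguish a proxy-added header from a client-added one, so the proxy must be the only path to the application and must always set or strip X-Forwarded-Proto.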

No rush - we definitely want to wait for you to confirm if possible. I’ll leave it open for another 2 weeks if we don’t hear anything back 😊

If you go into your appreg overview, then click the enterprise registration, you can create a custom role there, only for this appreg. Then you can assign users to it.

Lo and behold - with good guidance and an extensive amount of random clicking in the Azure AD portal I have managed to get this into the venerable “Works for me” state - now I’ll “just” have to check that it works for my colleagues on Monday 🤞

I’ll give you a step by step tomorrow.

That’d be wonderful 😄