From ad6cae9646180db341b1fb528d7f261ad8cb6030 Mon Sep 17 00:00:00 2001 From: Yi Liu Date: Mon, 19 Apr 2021 09:24:12 +0800 Subject: [PATCH] add group attributes info (#20733) --- .../README.md | 15 +++++++++++++-- .../README.md | 14 +++++++++++++- 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-webapp/README.md b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-webapp/README.md index 5cbdec39e996..d92e81127ca3 100644 --- a/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-webapp/README.md +++ b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-webapp/README.md 
@@ -25,8 +25,19 @@ In order to try the authorization action with this sample with minimum effort, [ ## Advanced features ### Support access control by id token in web application -If you want to use `id_token` for authorization, we can use `appRoles` feature of AAD to generate id_token's `roles` claim and then create `GrantedAuthority` from `roles` to implement access control. -Note the `roles` claim generated from `appRoles` is decorated with prefix `APPROLE_`. +If you want to use `id_token` for authorization, the `appRoles` feature of AAD is supported which is presented in id_token's `roles` claim. By following below configurations, `GrantedAuthority` can be generated from `roles` claim. + +Note: + - The `roles` claim generated from `appRoles` is decorated with prefix `APPROLE_`. + - When using `appRoles` as `roles` claim, please avoid configuring group attribute as `roles` at the same time. The latter will override the claim to contain group information instead of `appRoles`. Below configuration in manifest should be avoided: + ``` + "optionalClaims": { + "idtoken": [{ + "name": "groups", + "additionalProperties": ["emit_as_roles"] + }] + } + ``` Follow the guide to [add app roles in your application](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps). diff --git a/sdk/spring/azure-spring-boot-starter-active-directory/README.md b/sdk/spring/azure-spring-boot-starter-active-directory/README.md index d68c479cecfe..ca08c98d0e79 100644 --- a/sdk/spring/azure-spring-boot-starter-active-directory/README.md +++ b/sdk/spring/azure-spring-boot-starter-active-directory/README.md 
@@ -387,7 +387,19 @@ Here are some examples about how to use these properties: #### Support access control by id token in web application This starter supports creating `GrantedAuthority` from id_token's `roles` claim to allow using `id_token` for authorization in web application. Developers can use the -`appRoles` feature of Azure Active Directory to create `roles` claim and implement access control. Note the `roles` claim generated from `appRoles` is decorated with prefix `APPROLE_`. +`appRoles` feature of Azure Active Directory to create `roles` claim and implement access control. + +Note: + - The `roles` claim generated from `appRoles` is decorated with prefix `APPROLE_`. + - When using `appRoles` as `roles` claim, please avoid configuring group attribute as `roles` at the same time. The latter will override the claim to contain group information instead of `appRoles`. Below configuration in manifest should be avoided: + ``` + "optionalClaims": { + "idtoken": [{ + "name": "groups", + "additionalProperties": ["emit_as_roles"] + }] + } + ``` Follow the guide to [add app roles in your application and assign to users or groups](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps).
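Review bot: In the first hunk (azure-spring-boot-sample-active-directory-webapp/README.md), the added fenced block under the second "Note" bullet is untagged and its body is not a complete JSON document (it starts at the `"optionalClaims":` member with no enclosing braces), so it will not syntax-highlight and cannot be pasted into a manifest as-is; suggest tagging the fence as `json` and wrapping the fragment in `{ ... }`. The rewritten opening sentence also reads awkwardly ("the `appRoles` feature of AAD is supported which is presented in id_token's `roles` claim"); consider "the `appRoles` feature of AAD is supported: app roles are presented in the id_token's `roles` claim, and with the configuration below `GrantedAuthority` instances are generated from that claim." Likewise "Below configuration in manifest should be avoided" would read better as "The following manifest configuration should be avoided".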
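Review bot: In the second hunk (azure-spring-boot-starter-active-directory/README.md), the same untagged, brace-less JSON fragment is duplicated, and the fenced block is indented one space under a bullet that is itself indented by one space, which many Markdown renderers will not treat as part of the list item; either outdent the "Note" bullets to column zero and indent the fence to match the bullet text, or move the fence out of the list. Since this is the starter's reference README, it would also help readers to state the consequence the note only implies: when `groups` is emitted with `emit_as_roles`, the `roles` claim carries group information instead of app roles, so no `APPROLE_`-prefixed authorities are created and access rules written against them will no longer match.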