Using AAD Group #74

Answered by RyanPicco
lune94 asked this question in Q&A

In the context of a web app, I am using this library to authenticate my users via Azure Active Directory. I'd like to filter access to pages according to the AAD groups a user belongs to.
Example:
/index accessible only for members from AAD group 'project_users'
/admin accessible only for members from AAD groups 'project_contributor' and 'project_admin'

Does this library allow me to do that?

Regards

Replies: 3 comments

@navyasric pointed out that we did not document this scenario in our docs, though a Java sample did that. This Python web app sample does not currently provide such behavior out of the box.

Perhaps you can look into the claims of the id token acquired by MSAL, probably with some additional claims, and then use its "groups" claim to decide whether your web app would serve/reject the request.

@lune94 We do not currently have a Python web app sample for that, but this ".Net web app using groups" sample and this video "Using Security Groups and Application Roles in your apps" will give you a good understanding of the details.

@lune94 Though I'm not using groups in this exact way, you can define app roles in the manifest.

So after defining the roles, you can assign roles to your users (or in your case groups) which are allowed access; their role will then be returned in id_token_claims as "roles". From there you should be able to gate access based on their role value being in a list of acceptable roles. You could write this into a decorator w/ args for easy application to each endpoint.

Answer selected by rayluo
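
The role gate described in the accepted answer, sketched as a decorator with arguments. This is an added example, not code from the thread or from the library: `require_claim`, `get_claims`, `Forbidden` and the session stand-in are hypothetical names, the role values are constructed from the group names in the question, and it follows the answer's "in a list of acceptable roles" (any-of) reading while denying access when the claim is missing.

```python
from functools import wraps


class Forbidden(Exception):
    """The signed-in user holds none of the acceptable values."""


def as_set(value):
    # The claim may be absent, a single string, or a list of strings.
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)


def require_claim(get_claims, claim, *accepted):
    """Allow the call only if `claim` holds at least one of `accepted`.

    get_claims (hypothetical hook) returns the id_token_claims dict saved
    at sign-in, or None when nobody is signed in. Missing data denies.
    """
    accepted_set = frozenset(accepted)
    if not accepted_set:
        raise ValueError("name at least one acceptable value")

    def decorator(view):
        @wraps(view)
        def wrapper(*args, **kwargs):
            claims = get_claims() or {}
            if not as_set(claims.get(claim)) & accepted_set:
                raise Forbidden(f"{claim!r} grants none of {sorted(accepted_set)}")
            return view(*args, **kwargs)
        return wrapper
    return decorator


# Constructed stand-in for the web framework's session storage.
current_session = {"id_token_claims": None}


def session_claims():
    return current_session["id_token_claims"]


@require_claim(session_claims, "roles", "project_users")
def index():
    return "index page"


@require_claim(session_claims, "roles", "project_contributor", "project_admin")
def admin():
    return "admin page"
```

In a web framework the `Forbidden` exception would be mapped to an HTTP 403 response. Passing "groups" as the claim name applies the same check to the "groups" claim mentioned in the first reply.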
This discussion was converted from issue #23 on January 22, 2022 00:54.
