Auto Mapping of Roles/Groups into Oqtane - Azure B2C + Entra ID

[mattkwid]

Greetings,

So after some experimentation my collegue and myself have been able to successfully get the OIDC external authorization to work after configuring Azure B2C + Entra ID. We have created new properties on a User that immediately mapped to their Profile within Oqtane and all works extremely well and good.

Azure B2C + Entra ID SSO

The last part of the configuration we are struggling with however is the mapping of Azure AD Groups to Oqtane Roles. I want the Azure IT administrator to be able to assign an Azure User Role so that when this person logs in using their SSO, the Roles in Azure are automatically configured within Oqtane.

We are at the point where we have created the Group, placed myself as a User within the Group and when I perform an 'User Accounts->Settings->External Login Settings->Review Claims' for tracing what his happeing, I can see the the Group in the Event Log debug text however it is only identified by its Object ID GUID and not by it's name.

"...,groups":"3e04bf1f-b2d7-4b5b-9c6c-5287d91027f3","groups":"ccab529c-0c4a-402c-9cf5-0a826e6597fb",...

Any and all information on this would be appreciated.

~Matt

[sbwalker]

@mattkwid this might help you:

https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles#groups-and-app-roles

Oqtane expects that there is a single claim provided by the IDP where the various role names for the user are identified. These names need to match the role names within Oqtane for the role mapping to function as expected.

[mattkwid]

And for anyone else finding this post, we also found the Microsoft Entra Admin Center that makes this whole process a lot clearer.
https://entra.microsoft.com/

Thank you for the response Shaun. We are very much appreciating the use of your framework so far on our project.

I will leave this thread open until we can get all the way there to using the Roles and I will share anything else that may be helpful for others.

[mattkwid]

Topic Update:

My collegue ended up writing the code to get Entra Id Roles/Groups to map to the Internal UserRoles table in Oqtane. In the end we did not see the code in Oqtane that provided the mapping and custom code was written to handle this.

[ChadSolberg]

Interested in sharing this code? This will be a much needed function for enterprise level institutions trying to use Oqtane

[sbwalker]

@ChadSolberg Oqtane already contains logic for mapping roles from external login providers. However @mattkwid may have encountered an issue with the current implementation.

Basically in User Settings you can specify the Role Claim - which is essentially the name of the claim type returned by the IDP which contains the list of roles (ie. "roles": ["Admin", "SuperUser"]).

The OIDC configuration in Oqtane uses this value to set the options.TokenValidationParameters.RoleClaimType

Then when the IDP returns the JWT token it uses this value to parse the roles from the claim:

                    // external roles
                    if (!string.IsNullOrEmpty(httpContext.GetSiteSettings().GetValue("ExternalLogin:RoleClaimType", "")))
                    {
                        if (claimsPrincipal.Claims.Any(item => item.Type == ClaimTypes.Role))
                        {
                            foreach (var claim in claimsPrincipal.Claims.Where(item => item.Type == ClaimTypes.Role))
                            {
                                if (!identity.Claims.Any(item => item.Type == ClaimTypes.Role && item.Value == claim.Value))
                                {
                                    identity.AddClaim(new Claim(ClaimTypes.Role, claim.Value));
                                }
                            }
                        }
                        else
                        {
                            _logger.Log(LogLevel.Error, "ExternalLogin", Enums.LogFunction.Security, "The Role Claim {ClaimType} Does Not Exist. Please Use The Review Claims Feature To View The Claims Returned By Your Provider.", httpContext.GetSiteSettings().GetValue("ExternalLogin:RoleClaimType", ""));
                        }
                    }

however it appears there may be an issue in the above logic - as it is using the default ClaimTypes.Role rather than the type name specified in the ExternalLogin:RoleClaimType User Setting option when extracting the role claims. I will fix this logic.

It should also be noted that the above logic assumes the role names returned from the IDP match the role names specified in Oqtane (ie. there is no "mapping" of the external role name to an internal role name). Oqtane could certainly be enhanced to include a configuration for Role Claim Mapping where you could specify "admin:Administrators,private:Registered Users", etc... (similar to the Profile Claim Types mappings)

[sbwalker]

@mattkwid I am not sure why I thought this was fully implemented and working - I tested it this week and there were definitely some gaps. #4609 improves the support for roles from external login:

1. If you want to integrate roles with your external login provider you need to specify the Roles Claim type name
2. Roles must be defined in the Oqtane site in order for them to be supported through external login
3. Host roles are not supported as external login integration is for a specific site - not an entire installation
4. Identity providers sometimes provide different role names than what your site is using, In these specific cases you can use the Role Claim Mapping (which uses a format similar to Profile Claims).
5. You can optionally choose to Synchronize Roles? The default is false because this option is destructive and will remove any site roles which are not passed by the identity provider (ie. it treats the identity provider as the source of truth) - so you would want to ensure the users in your identity provider are configured properly before enabling this option

@ChadSolberg I tested this with Microsoft Entra and it works well