K
Kinde5w ago
Neurath

Entra AD - How can I get AD group information?

How can get the AD groups an Entra login is in?
9 Replies
TotalScrub
TotalScrub5w ago
I believe this comes across when you turn on the setting for it the connectors configuration.
No description
Neurath
NeurathOP4w ago
I have those settings ticked, but where does it go how can you then find it for your user? Is the group information meant to be in the token? Because I can't see it Do you need to add groups on the Entra side that allow this to be visable?
TotalScrub
TotalScrub4w ago
Sorry I can't help much further as I don't use the groups functionality, but yes I would imagine that if AAD isn't sending the groups across that Kinde would need that data. I'm not sure what claims they are mapping from AAD for it.
Neurath
NeurathOP4w ago
Me either and the documentation doesn't really tell me the only bit I think does is this Access group info in tokens Link to this section ID token - ext_provider > claims > profile > groups Access token - ext_groups But I have no idea what that eludes too
TotalScrub
TotalScrub4w ago
I believe there is JSON data in https://graph.microsoft.com/v1.0/$metadata#users/$entity (which gets added when you tick include extended user profile). Could the groups be inside that JSON? (The claim contains a separate JSON payload IIRC)
Neurath
NeurathOP4w ago
I don't see my groups in there
Neurath
NeurathOP4w ago
No description
Neurath
NeurathOP4w ago
I have gone though the documentation from Kinde and MS many times ticked and unticked boxes to see if I can get the infromation I'm assuming it in the token which I look up jwt.io but I can't see it there The graph app manifest for my tenent is this "optionalClaims": { "accessToken": [ { "additionalProperties": [], "essential": false, "name": "groups", "source": null } ], "idToken": [ { "additionalProperties": [], "essential": false, "name": "groups", "source": null } ], "saml2Token": [ { "additionalProperties": [], "essential": false, "name": "groups", "source": null } ] }, So it all looks correct and I have ticked all the boxes in Kinde to able to use this too Ok so I have found the problem (I'm using the option: Use your own sign-up and sign-in screens) for some reason with the Entra Login it doesn't return the added token information Ok I have worked out where the issues is So I recently starting using the Entra ID login as our clients have request this. I noticed I wasn't getting the ext_group (group) information in the access token. I'm using my own login option which I have done already with google, microsoft etc and have no issues having said that I haven't tried sending back ext information on the token with those options. So I get the correct information back in the access token {ext_group: [guids]} when I use the kinde powered login page. On my custom login page I'm using the react {login} hook. The react library using this library to setup the provider but the provider automatically sets the login url to https://{domain}/oauth2/auth using this url the access token doesn't return the extra information. The kind login page uses https://{domain}/authentication/authentication_social as the login url which does return the correct information in the token. I'm wondering if we would be able to change or add a way to use this url with the react login hook? Or fix the /oauth2/auth kinde backend to return the correct token as it does on the /authentication/authentication_social url.
Ages
Ages2w ago
Hi @Neurath , Thanks for the detailed explanation. I'll take a look at this and investigate further to see how we can resolve the issue with the token information on your custom login page. I'll get back to you shortly with an update. Best regards, Ages
Want results from more Discord servers?
Add your server