OAuth Claims / Access Scopes

I am attempting to configure OAuth claims to match groups in Azure AD configuration.
I’m using socialiteproviders/microsoft provider.
We can log in successfully using OAuth, with the default_role global-read.

Next, we should match claims to scopes in order to allow some users belonging to a specific group to be administrators.

I’m having a hard time understanding the limited documentation for this.

If anyone has a useful example to share with me, it would be greatly appreciated.

This is my current socialite configuration:

{
    "redirect": false,
    "register": true,
    "default_role": "global-read",
    "claims": {
        "9b7d0624-xxxx-xxxx-xxxx-63f9d3260xxx": {
            "roles": [
                "admin"
            ]
        }
    },
    "configs": {
        "microsoft": {
            "client_id": "redacted",
            "client_secret": "redacted",
            "tenant": "redacted",
            "listener": "\\SocialiteProviders\\Microsoft\\MicrosoftExtendSocialite",
            "redirect": "https://librenms.redacted.com/auth/microsoft/callback"
        }
    },
    "scopes": [
        "groups"
    ]
}

Under claims I’ve set the ID of the group in Azure AD that should get the admin role.
Under scopes I’ve set "groups" as in the documentation example. However, I’m not sure what I should put here.

Thanks.
Regards.
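To make the intended mapping concrete, here is an added example (not LibreNMS or socialiteproviders code, and not the poster's) of how a "claims" block keyed by Azure AD group object ID turns a verified ID token into a role list, with the default_role fallback. The group ID and the sample tokens are constructed; the config shape mirrors the post, and the example assumes the token's groups claim carries group object IDs (Azure AD's default, which is why matching on group names would not work without changing the app's claim configuration). It also handles the groups-overage case, where Azure AD omits the groups claim and emits _claim_names/_claim_sources instead.

```python
"""Illustrative mapping of Azure AD group claims to LibreNMS-style roles.

Added example, not LibreNMS or socialiteproviders code. Assumes:
  - config["claims"] is keyed by Azure AD group object ID
  - the ID token's "groups" claim lists group object IDs (Azure AD default)
The group ID below is made up; the tokens are constructed, unsigned samples.
"""
import base64
import json

# Constructed config with the same shape as the forum post (group ID is fake).
SOCIALITE_CONFIG = {
    "default_role": "global-read",
    "claims": {
        "9b7d0624-0000-0000-0000-63f9d3260000": {"roles": ["admin"]},
    },
}


def decode_jwt_payload(token: str) -> dict:
    """Decode (WITHOUT verifying) a JWT payload, for inspection only.

    Use this only on a token the OAuth library has already verified
    (signature, issuer, audience, expiry). Decoding proves nothing about
    authenticity, so never derive privileges from an unverified token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def roles_for(claims: dict, config: dict) -> list[str]:
    """Return the roles a user gets from their (verified) token claims.

    - Each entry in the "groups" claim is matched by object ID against
      config["claims"]; matched roles are collected without duplicates.
    - A user in no mapped group gets only default_role.
    - If Azure AD hit the groups overage limit, the token has no "groups"
      claim but carries "_claim_names"/"_claim_sources" pointing at Microsoft
      Graph. Membership is unknown from the token alone, so fall back to
      default_role instead of guessing (fail closed, never fail to admin).
    """
    if "groups" not in claims and "_claim_names" in claims:
        return [config["default_role"]]
    roles: list[str] = []
    for group_id in claims.get("groups", []):
        mapping = config["claims"].get(group_id, {})
        for role in mapping.get("roles", []):
            if role not in roles:
                roles.append(role)
    return roles or [config["default_role"]]


def make_unsigned_jwt(payload: dict) -> str:
    """Build a constructed alg=none JWT purely as sample input for this demo."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}."


# Constructed sample tokens (fake subjects and group IDs).
ADMIN_TOKEN = make_unsigned_jwt(
    {"oid": "user-1", "groups": ["9b7d0624-0000-0000-0000-63f9d3260000", "some-other-group"]}
)
READER_TOKEN = make_unsigned_jwt({"oid": "user-2", "groups": ["some-other-group"]})
OVERAGE_TOKEN = make_unsigned_jwt(
    {
        "oid": "user-3",
        "_claim_names": {"groups": "src1"},
        "_claim_sources": {"src1": {"endpoint": "constructed-graph-endpoint"}},
    }
)

if __name__ == "__main__":
    for name, tok in [("admin", ADMIN_TOKEN), ("reader", READER_TOKEN), ("overage", OVERAGE_TOKEN)]:
        print(name, roles_for(decode_jwt_payload(tok), SOCIALITE_CONFIG))
```

Running it prints admin for the first token and global-read for the other two. The practical check this enables: after a successful login, inspect the verified token's payload and confirm that a "groups" claim is present and that its values are object IDs matching the keys under "claims"; if you instead see _claim_names, the user is over the group limit and the mapping cannot work from the token alone.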

Hi,

Unfortunately, I have no answer to this as I just reached the same step in my setup and I am also struggling to make the role configuration between LibreNMS and Azure AD.

Please let me know if you find out the answer. My idea of this was to use group name instead of ID in each claim and then replicate the group name in the scopes section.

Hello,
I have not yet resolved the issue at this time.

Please tell me whenever you have a solution that works.
Thanks.