Adding a rule to return Azure AD Groups for a user logging in

So I have a standard web application and I have followed the Ruby on Rails guide to connect it up to Auth0 for my company's tenant.

There are existing Enterprise connections in the Tenant, one of which is for Microsoft Azure AD. I have flipped the ‘switch’ to green for my application in Auth0 - so it uses this connection I guess.

I can get my user information back in my Rails app, but I want to have all the AD groups I am part of included in the response from Auth0 too.

In the Microsoft Azure AD connection, I tried checking the Extended Attributes:

- Extended Profile
- Get user groups

However this does not seem to add anything to the Auth0 response I am getting back and I can’t see any error messages in the logs.

Weirdly, in the Auth0 console, if I navigate to User Management → Users, I can see the RAW JSON for my own login and it has all my AD groups as part of the JSON.

How can I get the AD groups added to the Auth0 response so it's accessible in `request.env['omniauth.auth']` as part of the extra → raw_info?

I tried adding extra scopes but it doesn’t seem to affect anything, plus I’m not sure what scopes to use.

If I need a custom rule for this, how do you use the existing Azure AD connection in the rule and could someone explain simply how to do this and pull back the groups and add them to the Auth0 response for a login?

Can they be added to the JSON response rather than the token itself?
Is it possible to have a rule run for a single application and not every application?

edit:
After much reading and experimentation this seems to work in a rule:

```javascript
function (user, context, callback) {
  if (context.clientName === 'My client name from dashboard') {
    const namespace = 'http://something.com/';  // does this have to be a URI?
    context.idToken[namespace + 'groups'] = user.groups; // this will add groups to the token
    callback(null, user, context);
  }
}
```

Can anyone explain what this namespace is and why this works?
Is the check on the client name a good idea to prevent this rule firing for other clients in the tenant?
Thanks


Hi @bingobangobongo,

Welcome to the Community!

Glad you were able to solve your initial issue. 😄

Namespacing is required to prevent collisions with reserved claims. It is somewhat arbitrary what URI you choose. Here is a doc with more info:

Yes, you can use the client name to prevent the rule from firing for other apps. It is important that you add callback(null, user, context); for cases where the conditional is not triggered. Here is an example
