Groups are not added to the claim #1452

Open
egor-yudkin opened this issue Mar 20, 2024 · 2 comments

Comments

@egor-yudkin

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Any log messages given by the failure

Expected/desired behavior

OS and Version?

azd version?

run azd version and copy paste here.

Mention any other details that might be useful

I've followed the Login and ACL setup document to set up authentication and document-level security.

Server app has the optional groups claim added to token configuration.
image

But the ID Token Claims table in the Settings doesn't display any groups. There is no "groups" row at all. I'm assuming the application itself also doesn't see any groups for the logged-in user. So when I enable "Use groups security filter" it simply doesn't answer any questions, because all items in my index have groups populated with group ids.

Can you please suggest how to fix this or maybe how to troubleshoot?

@egor-yudkin

Okay, I think I figured it out on my own. The groups claim should be added to the Client app, not the Server app as the documentation says.
@mattgotteiner Does it make sense? Would you be able to fix the document?
And also, why is enabling group claims optional? Is there any disadvantage of having it added by default?
Wouldn't it be better done during deployment of the Client App Registration if authentication is enabled? Otherwise it's just an extra manual step one has to make. And if one is following the documentation's Automatic Setup section, it's not obvious that adding the group claim still needs to be done manually.

@cforce

cforce commented Oct 26, 2024

@mattgotteiner @pamelafox According to the docs it shall be done on Server API, but according to @egor-yudkin it only works when done on Client APP. See https://github.com/Azure-Samples/azure-search-openai-demo/blame/0946893fe904cab1e89de2a38c4421e38d508608/docs/login_and_acl.md#L90

@egor-yudkin I think, too, that it shall be added by default. The manageacl.py script shall set group claims when AZURE_ENFORCE_ACCESS_CONTROL=true; otherwise ACL can never be enforced on users, can it?

I have the following claims on my server SPI

image

And still, in my bearer token after login, I don't have a "groups" attribute, which underlines @egor-yudkin's point that it does not work as documented, does it?
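
One way to troubleshoot the question raised in this thread, as an added example that is not part of the issue or the project's own code: decode the token the app actually receives and report its `aud` (the app registration it was issued for) and whether it carries `groups`. The sample tokens and ids are constructed; `_claim_names` and `hasgroups` are the markers Microsoft Entra ID emits when group membership is too large to embed in the token.

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def groups_status(claims: dict) -> str:
    """Classify how group membership appears in the decoded claims."""
    groups = claims.get("groups")
    if isinstance(groups, list) and groups:
        return "present"
    # Overage: too many groups to embed, so the token points elsewhere instead.
    if "groups" in claims.get("_claim_names", {}) or claims.get("hasgroups"):
        return "overage"
    return "missing"


def inspect_token(token: str) -> dict:
    """Report which app the token was issued for and its groups status."""
    claims = decode_claims(token)
    return {"aud": claims.get("aud"), "groups": groups_status(claims)}


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    # Constructed claims; the ids below are placeholders, not real values.
    samples = [
        {"aud": "client-app-id", "groups": ["00000000-0000-0000-0000-000000000001"]},
        {"aud": "client-app-id"},
        {"aud": "client-app-id", "_claim_names": {"groups": "src1"}},
    ]
    for claims in samples:
        print(inspect_token(make_sample_token(claims)))
```

A result of "missing" means the groups claim is not configured for the app registration named in `aud`; "overage" means the claim is configured but the group list has to be fetched separately.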
