Using AzureAD authentication I cannot get the group members for the user that authenticates #7521

Closed
opened 2025-12-29 20:24:39 +01:00 by adam · 8 comments
Owner

Originally created by @enribla on GitHub (Jan 16, 2023).

Originally assigned to: @arthanson on GitHub.

NetBox version

v3.3.8

Python version

3.9

Steps to Reproduce

  1. I authenticate using AzureAD with my user
  2. I get authenticated
  3. I check the user groups in admin with a superuser account
  4. I don't see any group even if the user has several groups in AzureAD
  5. I check the user id_token in User social auths (inside the menu PYTHON SOCIAL AUTH) and I verify that I get the group id

Expected Behavior

The expected behaviour would be to see the member groups related to the user that is authenticated using AzureAD

Observed Behavior

No groups appeared related to the user.

My configuration related to authentication is:

REMOTE_AUTH_BACKEND = 'social_core.backends.azuread.AzureADOAuth2'

SOCIAL_AUTH_AZUREAD_OAUTH2_KEY = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'
SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
SOCIAL_AUTH_REDIRECT_IS_HTTPS = True

adam added the labels "status: accepted" and "type: feature" 2025-12-29 20:24:39 +01:00
adam closed this issue 2025-12-29 20:24:39 +01:00

@github-actions[bot] commented on GitHub (Apr 17, 2023):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Do not attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see our contributing guide.


@jeremystretch commented on GitHub (Apr 25, 2023):

> The expected behaviour would be to see the member groups related to the user that is authenticated using AzureAD

Neither the NetBox documentation nor the documentation for the upstream python-social-auth package suggests that this functionality exists. This should have been submitted as a feature request.

I'm marking this as needs owner for anyone who would like to dig into this, however some preliminary analysis suggests that the upstream Azure AD authentication backend would need to be extended to support group assignment.


@candlerb commented on GitHub (Apr 28, 2023):

I tried to do it for Keycloak, and it broke things badly. Here's a potted history in case it helps.

In https://github.com/python-social-auth/social-core/pull/668, in an attempt to be helpful I also picked up the "groups" claim and returned it in the user structure from all OIDC responses:

    def get_user_details(self, response):
        username_key = self.setting('USERNAME_KEY', default=self.USERNAME_KEY)
        return {
            'username': response.get(username_key),
            'email': response.get('email'),
            'fullname': response.get('name'),
            'first_name': response.get('given_name'),
            'last_name': response.get('family_name'),
            'groups': response.get('groups'),    # <<<<<<<<< returns a list of strings
        }

But it turns out that if you do this, Django barfs, and this change had to be rolled back: see https://github.com/python-social-auth/social-core/issues/690 / https://github.com/python-social-auth/social-core/pull/692

The actual error from Django is:

Direct assignment to the forward side of a many-to-many set is prohibited. Use groups.set() instead.

If you can work out where that's coming from, you may be able to fix this issue. There's a full backtrace at https://github.com/netbox-community/netbox/discussions/8579#discussioncomment-2200174


@jeremystretch commented on GitHub (Apr 28, 2023):

Thanks @candlerb, that's very helpful. I suspected that this sort of change would be necessary so it's nice to have that confirmed.

> If you can work out where that's coming from, you may be able to fix this issue.

I assume that the dictionary of attributes returned by the backend is being applied to the user instance blindly. groups would cause an issue because it's a reverse manager (rather than a normal attribute). So I'm not sure how it's working (if it's working) for other backends as you pointed out here.


@CTV-2023 commented on GitHub (Apr 28, 2023):

Hi, just in case that helps, the workaround I found was not using AzureAD but SAML against AzureAD and storing groups in SOCIAL_AUTH_SAML_EXTRA_DATA to use them with a custom pipeline. Might be considered "dirty" (and the code far from perfect)
https://www.reddit.com/r/Netbox/comments/104ouqz/netbox_saml_with_azure_ad_authorization/

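Added example (not code from NetBox, python-social-auth, or any participant in this thread) showing the approach the two previous comments point at: leave `groups` out of the `get_user_details()` dict, and instead map the group claim onto Django groups in a separate pipeline step that calls `groups.set()`, which is the call the quoted Django error names. The same mapping logic serves the OIDC route (a `groups` claim in the response) and the SAML route (group values lifted into extra data). `AZUREAD_GROUP_MAP` and `azuread_groups_pipeline` are hypothetical names; the `Fake*` classes are constructed stand-ins for Django's user and group manager so the module runs without Django, and the group IDs are made-up sample values.

```python
import logging

log = logging.getLogger(__name__)

# Hypothetical setting: IdP group ID -> local group name. Sample values, not real tenant IDs.
AZUREAD_GROUP_MAP = {
    "11111111-aaaa-4bbb-8ccc-000000000001": "netbox-admins",
    "11111111-aaaa-4bbb-8ccc-000000000002": "netbox-readonly",
}


def resolve_group_names(claim_groups, group_map):
    """Translate raw claim values into local group names (allow-list: unmapped
    IDs grant nothing). Sorted, de-duplicated; None when the claim was absent."""
    if claim_groups is None:
        return None
    if isinstance(claim_groups, str):  # some IdPs emit a single value as a bare string
        claim_groups = [claim_groups]
    return sorted({group_map[g] for g in claim_groups if g in group_map})


def sync_groups(user, claim_groups, group_map, group_lookup):
    """Replace the user's memberships with those derived from the claim.
    group_lookup(name) -> group object; with Django:
    lambda n: Group.objects.get_or_create(name=n)[0].
    Returns the assigned names, or None if memberships were left alone."""
    names = resolve_group_names(claim_groups, group_map)
    if names is None:
        # No claim at all: do not guess. Leave memberships unchanged and log it.
        log.warning("no groups claim for %s; memberships left unchanged", user.username)
        return None
    # groups is a many-to-many manager: use set(). Assigning a list to user.groups
    # raises the TypeError quoted above. set() also drops groups no longer in the
    # claim, so a revocation at the IdP takes effect on the next login.
    user.groups.set([group_lookup(n) for n in names])
    return names


def _django_group_lookup(name):
    from django.contrib.auth.models import Group  # lazy import: module runs without Django
    return Group.objects.get_or_create(name=name)[0]


def azuread_groups_pipeline(backend, user, response, *args,
                            group_lookup=_django_group_lookup, **kwargs):
    """Pipeline step to append to SOCIAL_AUTH_PIPELINE after the user is created."""
    return sync_groups(user, response.get("groups"), AZUREAD_GROUP_MAP, group_lookup)


# --- Constructed stand-ins for the Django objects, so this runs offline -------

class FakeGroup:
    def __init__(self, name):
        self.name = name


class FakeGroupManager:
    """Only the two RelatedManager methods used above: set() and all()."""
    def __init__(self):
        self._groups = []

    def set(self, objs):
        self._groups = list(objs)

    def all(self):
        return list(self._groups)


class FakeUser:
    def __init__(self, username):
        self.username = username
        self._groups = FakeGroupManager()

    @property
    def groups(self):
        return self._groups

    @groups.setter
    def groups(self, value):
        # Same rejection Django's many-to-many descriptor performs.
        raise TypeError("Direct assignment to the forward side of a many-to-many "
                        "set is prohibited. Use groups.set() instead.")


def make_group_registry():
    """In-memory replacement for Group.objects.get_or_create."""
    registry = {}
    return lambda name: registry.setdefault(name, FakeGroup(name))


def direct_assignment_fails(user, details):
    """Apply a get_user_details() dict attribute by attribute, as suspected
    upstream; True if a 'groups' key triggers the many-to-many TypeError."""
    try:
        for key, value in details.items():
            setattr(user, key, value)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    alice, lookup = FakeUser("alice"), make_group_registry()
    claim = ["11111111-aaaa-4bbb-8ccc-000000000001", "not-mapped"]
    print(azuread_groups_pipeline(None, alice, {"groups": claim}, group_lookup=lookup))
    print(direct_assignment_fails(alice, {"email": "alice@example.com", "groups": ["x"]}))
```

Two design points: unmapped IDs are ignored rather than auto-created, so a group the identity provider adds never becomes a local group until an operator maps it, and a missing claim leaves memberships untouched and logs instead of silently clearing them, because "no claim" and "no groups" are different conditions.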

@jeremystretch commented on GitHub (May 3, 2023):

There's now a feature request to implement this ability natively within python-social-auth: https://github.com/python-social-auth/social-core/issues/794


@BBezaire commented on GitHub (Sep 5, 2023):

Hi All,

I noticed PR #13373 was reverted.
Can we reopen this issue, or has discussion moved elsewhere?


@enribla commented on GitHub (Sep 8, 2023):

Good morning,
If I understand correctly, this functionality has been reverted?
Is it not possible to map AzureAD groups to NetBox groups? Or simply replicate the AzureAD groups in the NetBox application?
Thanks
