Support OIDC authentication with Entra ID (Azure AD) user with more than 200 groups


    • Type: New Feature
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: None
    • Server Security

      This came up in a recent customer request.

      Per this article from Microsoft:

      When you request all groups in your token as shown in the example, you can't rely on the token having the groups claim in your token. There are size limits on tokens and on groups claims so that they don't become too large. When the user is a member of too many groups, your app needs to get the user's group membership from Microsoft Graph. The limits for groups in a groups claim are:

      • 200 groups for JSON web tokens (JWT).

      ...

      In all of these cases, instead of having a groups claim, you see an indication (known as a group overage) that tells you that the user is a member of too many groups to fit in your token.

      Implicit flow overage indication is done with a hasgroups claim instead of the groups claim.


      When complete, this ticket will provide handling for {{hasgroups}} claims in Entra ID tokens to retrieve a complete groups set from the Graph API.
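As an added example (not code from this ticket or from the MongoDB server), the following Python sketches the claim handling the ticket asks for: decode the claims of an already-verified token, detect the overage indication, and fetch the full membership through an injected Graph lookup instead of trusting a missing `groups` claim. It goes slightly beyond the ticket text by also recognising the `_claim_names` form of overage that Entra ID emits for non-implicit flows. The sample tokens, the `oid` value, the group ids and `fake_graph_lookup` are constructed for this example; a real deployment would replace the lookup with a paged Microsoft Graph query for the user's group membership.

```python
import base64
import json
from typing import Callable, Iterable, List

# Limit quoted from the Microsoft article in the ticket description.
GROUPS_CLAIM_LIMIT_JWT = 200


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT (header.payload.signature).

    Assumption: the OIDC layer has already verified the signature, issuer,
    audience and expiry. This helper only decodes claims; it verifies nothing.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def has_group_overage(claims: dict) -> bool:
    """True when the token signals that groups did not fit and must come from Graph."""
    # Implicit flow: a `hasgroups` claim is emitted instead of `groups` (per the ticket).
    if claims.get("hasgroups") is True:
        return True
    # Authorization-code and other flows: Entra ID emits `_claim_names` mapping
    # `groups` to a `_claim_sources` entry instead of a `groups` claim. This is
    # documented Entra ID behaviour, not something the ticket itself states.
    claim_names = claims.get("_claim_names") or {}
    return "groups" in claim_names and "groups" not in claims


def resolve_groups(claims: dict, graph_lookup: Callable[[str], Iterable[str]]) -> List[str]:
    """Return the subject's full group list, falling back to Graph on overage.

    `graph_lookup(oid)` is a hypothetical injected callable standing in for a
    Microsoft Graph query for the user's group membership, so this runs offline.
    """
    if has_group_overage(claims):
        oid = claims.get("oid")
        if not oid:
            raise ValueError("group overage indicated but no 'oid' claim to query Graph with")
        return sorted(set(graph_lookup(oid)))
    groups = claims.get("groups") or []
    return sorted(set(groups))


# ---- constructed sample data (not real tenant, user or group ids) ----

def _make_sample_token(payload: dict) -> str:
    # The signature segment is a placeholder: these tokens exist only to exercise decoding.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


SAMPLE_OID = "00000000-0000-0000-0000-000000000042"

# User in 250 groups: the token carries `hasgroups` and no `groups` claim.
OVERAGE_TOKEN = _make_sample_token({"sub": "user-a", "oid": SAMPLE_OID, "hasgroups": True})

# User in two groups: the token carries the groups inline.
SMALL_TOKEN = _make_sample_token({"sub": "user-b", "oid": "other-oid", "groups": ["g2", "g1"]})

FAKE_GRAPH = {SAMPLE_OID: [f"group-{i:04d}" for i in range(250)]}


def fake_graph_lookup(oid: str) -> Iterable[str]:
    # Stand-in for the Graph call; a real implementation would page through results.
    return FAKE_GRAPH.get(oid, [])


if __name__ == "__main__":
    overage = jwt_claims(OVERAGE_TOKEN)
    print("overage:", has_group_overage(overage),
          "groups:", len(resolve_groups(overage, fake_graph_lookup)))
    small = jwt_claims(SMALL_TOKEN)
    print("overage:", has_group_overage(small),
          "groups:", resolve_groups(small, fake_graph_lookup))
```

The point to take from the design is that a token without a `groups` claim is not evidence of an empty membership: the overage marker has to be checked first, and authorisation decisions should be deferred until the Graph lookup has returned the complete set.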

            Assignee: Unassigned
            Reporter: Adam Rayner
            Votes: 0
            Watchers: 3