I've built a node.js app with express and the passport-azure-ad library in order to authenticate users via AAD. I want to get groups back in the auth callback for users that are logging in so I can ensure they belong to the correct security group before granting them access to parts of my app.
I edited my manifest for my Active Directory App (Clarity) to include
"groupMembershipClaims": "All"
This is working very well for all users that I have had log in except for one. Typically I get a response in the profile object of this form:
accessToken: "scrubbedAccessToken"
aio: "scrubbedAio"
amr: "["pwd"]"
family_name: "My Last Name"
given_name: "My First Name"
groups: Array[1]
0: "[...hugeListofGuids...]"
length: 1
in_corp: "true"
ipaddr: "my ip"
name: "My Name"
oid: "scrubbedOid"
onprem_sid: "scrubbedSid"
sub: "scrubbedSub"
tid: "scrubbedTid"
unique_name: "[email protected]"
upn: "[email protected]"
ver: "1.0"
But for some reason for one of my users my app gets this instead:
_claim_names: "{"groups":"src1"}"
_claim_sources: "{"src1":{"endpoint":"https://graph.windows.net/scrubbedTid/users/scrubbedOid/getMemberObjects"}}"
accessToken: "scrubbedAccessToken"
aio: "scrubbedAio"
amr: "["pwd"]"
family_name: "scrubbedLastName"
given_name: "scrubbedFirstName"
in_corp: "true"
ipaddr: "scrubbedIp"
name: "scrubbedFulleName"
oid: "scrubbedOid"
onprem_sid: "scrubbedSid"
sub: "scrubbedSub"
tid: "scrubbedTid"
unique_name: "scrubbedEmail"
upn: "scrubbedEmail"
ver: "1.0"
Can anyone give me some insight as to why I'd get different formats for different users? These users are both in the same tenant and their emails are in the same domain.
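Added example (not the poster's code) of how an Express/passport-azure-ad callback can handle both profile shapes shown above: the direct `groups` array, and the `_claim_names`/`_claim_sources` overage pair Azure AD emits instead when a user belongs to more groups than fit in the token. `fetchMembers` is a hypothetical injected function that calls the endpoint named in `_claim_sources`; all sample values are constructed.

```javascript
// Normalise claims that passport-azure-ad may surface as JSON strings
// (the question shows _claim_names as the string '{"groups":"src1"}').
function parseClaim(value) {
  if (typeof value === 'string') {
    try { return JSON.parse(value); } catch (e) { return value; }
  }
  return value;
}

// Inspect the profile: either the groups are in the token, or the token
// carries an overage pointer that must be followed to get the membership.
// Returns { groups: string[] | null, overageEndpoint: string | null }.
function inspectGroupClaims(profile) {
  const groups = parseClaim(profile.groups);
  if (Array.isArray(groups)) return { groups, overageEndpoint: null };
  const names = parseClaim(profile._claim_names) || {};
  const sources = parseClaim(profile._claim_sources) || {};
  const src = names.groups && sources[names.groups];
  return { groups: null, overageEndpoint: src ? src.endpoint : null };
}

// fetchMembers(endpoint, accessToken) is an assumed, hypothetical callback
// that calls the overage endpoint with an HTTP client and resolves to an
// array of group object ids. Injecting it keeps this logic testable offline.
async function resolveGroups(profile, fetchMembers) {
  const { groups, overageEndpoint } = inspectGroupClaims(profile);
  if (groups) return groups;
  if (!overageEndpoint) return []; // no claim at all: treat as no groups
  const fetched = await fetchMembers(overageEndpoint, profile.accessToken);
  return Array.isArray(fetched) ? fetched : [];
}

// Authorisation check used by the route guard: fails closed, so a user with
// neither a groups claim nor a resolvable overage source is denied.
async function isMemberOf(profile, requiredGroupId, fetchMembers) {
  const groups = await resolveGroups(profile, fetchMembers);
  return groups.includes(requiredGroupId);
}
```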