Determine Social Provider Login Support (Facebook, Google) with StaticWebApps & App Service

[seantleonard]

Evaluate whether social providers include roles in their access tokens, i.e. via a role claim.

• If role claim(s) are included:
  • Can an end user can arbitrarily add themselves to roles or is that capability limited to FB app/enterprise admins?
    • If users can arbitrarily add themselves to roles, ensure we do NOT honor those roles to determine access in DAB engine and see whether SWA/AppService passes those roles through in the EasyAuth payload.
    • If just enterprise admins can manage roles/role assignments, no issues.
      • Check whether SWA/AppService passes those roles through in the EasyAuth payload. If not, developers must manage roles through SWA Azure Function Integration.
• No Role claims included:
  • Developers must manage roles through SWA Azure Functions (preview) Integration.

[jarupatj]

What do you mean by inject role? Do you have example? If we are using JWT as auth method, would Twitter, FB, Google set the role then?

[seantleonard]

When social provider mints an access token, it may include roles in the token if the provider supports roles, we should not honor those. This would also require enumerating all providers we'd want to eventually support to see what their token contents are. Social providers would not be an "all or nothing" support structure, it would need to be provider by provider because while they do provide tokens that show the user authenticates, the token contents (claims) may vary.

Since we've only tested with azure ad, we know azure ad will securely provide roles as role assignments are made in an administrative context.

[ayush3797]

@Aniruddh25 , FYI, moving it to Oct2022 milestone.

[ayush3797]

Needs discussion. Moving to Nov22.