
  • Newbies
Posted (edited)

Why can I not add Azure AD authenticated accounts with the Add-Account script step.

I have users authenticating in AAD who need to invite other AAD users to my filemaker application. If scripting is not possible then they will all have to be entered manually. Why is this not possible? I saw this, https://community.filemaker.com/en/s/question/0D50H00006h9Eaz/add-account-missing-oauth-users but there wasn't any explanation of why it wasn't possible. This seems like it could be done exactly the same as local accounts, but instead, the feature is simply missing.

Edited by 3a35d4
Posted

For best results, use Group-based OAuth authentication. That way you never have to add users through scripting in FM, the invites and membership are handled on the Azure AD side only.

As to why it is not possible: you cannot add on-prem AD or OD or local groups or individual users either, the whole point of using External Authentication is that you have NO account management in FM at all.

  • Newbies
Posted

That was the original plan however different users in each group need different privilege sets based on their role in the organization, to restrict the tables/layouts that they can view. I don't see any way this would be possible if they're grouped.


Posted

Then create new groups, AD supports group-in-group memberships. It is not uncommon to create groups specific to an application or service. 

  • Newbies
Posted

How would I go about viewing the group claims from the Azure AD JWT token? Is there any easy way that I can access these from within FileMaker? Or would I have to request them from the MS Graph API after I've already logged in?

Posted

You don't need to view the group claims to make the authentication work. FMS receives the JWT token, decodes it and checks the groups in the groups claim against the name of the accounts (group based) that exist in the file. At the first match it assigns the priv set for that account.

All of this happens in the background automatically.

If you need the list of groups for a user for some other reason then yes: you'll need to use the Graph API to ask for them. 
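The matching rule described in the answer above, as an added illustration that is not FileMaker Server's code: the token's signature is checked first, then the groups claim is compared against the file's group-based accounts and the first match decides the privilege set. The account names, privilege sets, signing secret and the evaluation order are all constructed assumptions; Azure AD really signs with RS256 against a published key, HS256 is used only so this runs offline.

```python
import base64, hashlib, hmac, json

# Constructed: the file's group-based accounts (account name -> privilege set),
# in the order the server is assumed to evaluate them for the first match.
FM_GROUP_ACCOUNTS = [
    ("app-admins", "[Full Access]"),
    ("app-editors", "Data Entry Only"),
    ("app-viewers", "Read-Only Access"),
]

def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(payload: dict, secret: bytes) -> str:
    """Build a constructed HS256 JWT so the example runs offline. Azure AD
    really signs with RS256 against a published key; the claim layout is the same."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_and_decode(token: str, secret: bytes) -> dict:
    """Check the signature before trusting any claim, then return the payload."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))

def privilege_set_for(payload: dict):
    """Mirror the described rule: the first group account found in the groups
    claim decides the privilege set; None means no account matched."""
    groups = payload.get("groups")
    if groups is None:
        # Azure AD omits 'groups' when a user is in too many groups and instead
        # lists it under _claim_names, meaning the groups must be fetched from Graph.
        if "groups" in payload.get("_claim_names", {}):
            return "GROUPS_OVERAGE_QUERY_GRAPH"
        return None
    for account_name, priv_set in FM_GROUP_ACCOUNTS:
        if account_name in groups:
            return priv_set
    return None
```

The overage branch is the case where the last sentence of the answer applies: the token carries no group list, so the Graph API has to be asked for it.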
