Support a querystring to filter groups.

tim-schilling · tim-schilling · commit 9169f46d3e9e · 2024-10-17T19:53:33.000-05:00
diff --git a/django_auth_adfs/backend.py b/django_auth_adfs/backend.py
@@ -88,6 +88,25 @@ def get_obo_access_token(self, access_token):
         logger.debug("Received OBO access token: %s", obo_access_token)
         return obo_access_token
 
+    def get_group_memberships_from_ms_graph_params(self):
+        """
+        Return the parameters to be used in the querystring
+        when fetching the user's group memberships.
+
+        Possible keys to be used:
+            - $count
+            - $expand
+            - $filter
+            - $orderby
+            - $search
+            - $select
+            - $top
+
+        Docs:
+            https://learn.microsoft.com/en-us/graph/api/group-list-transitivememberof?view=graph-rest-1.0&tabs=python#http-request
+        """
+        return {}
+
     def get_group_memberships_from_ms_graph(self, obo_access_token):
         """
         Looks up a users group membership from the MS Graph API
@@ -105,6 +124,7 @@ def get_group_memberships_from_ms_graph(self, obo_access_token):
         response = self._ms_request(
             action=provider_config.session.get,
             url=graph_url,
+            data=self.get_group_memberships_from_ms_graph_params(),
             headers=headers,
         )
         claim_groups = []
diff --git a/docs/settings_ref.rst b/docs/settings_ref.rst
@@ -244,6 +244,12 @@ GROUPS_CLAIM
 Name of the claim in the JWT access token from ADFS that contains the groups the user is member of.
 If an entry in this claim matches a group configured in Django, the user will join it automatically.
 
+If using Azure AD and there are too many groups to fit in the JWT access token, the application will
+make a request to the Microsoft GraphQL API to find the groups. If you have many groups but only
+need a specific few, you can customize the request by overriding
+``AdfsBaseBackend.get_group_memberships_from_ms_graph_params`` and specifying the
+`OData query parameters <https://learn.microsoft.com/en-us/graph/api/group-list-transitivememberof?view=graph-rest-1.0&tabs=python#http-request>`_.
+
 Set this setting to ``None`` to disable automatic group handling. The group memberships of the user
 will not be touched.
 
