Django allauth Microsoft SSO - django

I'm having trouble configuring my SSO options for my Django project that I'm working on. I'm hoping to make it so that only those users in my organization are able to sign into the application, but I keep getting the following error:
AADSTS50194: Application 'Azure: Application (client) ID'(DjangoAppSSO) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.
I have gone in and populated the admin console with my Client ID being the same as above from the Azure account. I also created a Client Secret with my Value and Secret ID and put those in the admin console as well. I populated the Value as the "Key" in admin and the Secret ID as the "Secret Key". All the required imports are done for settings.py, and I believe the issue is possibly in what I am giving the SOCIALACCOUNT_PROVIDERS.
settings.py:
SOCIALACCOUNT_PROVIDERS = {
    'microsoft': {
        'APP': {
            'tenant': 'organization',
            'client_id': 'Azure: Application (client) ID',
        }
    }
}
Just for clarification's sake, anywhere it says "Azure: Application (client) ID" is the actual value from there; I just don't want to post it anywhere.

AADSTS50194: Application is not configured as a multitenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.
The above error usually occurs if users try to sign in to your single-tenant application with the multi-tenant (/common) endpoint.
Please note that organizations is used for multi-tenant applications, where it allows users to sign in with both work and school accounts.
To resolve the error, you need to modify your settings.py file by replacing organizations with your Tenant ID like below:
SOCIALACCOUNT_PROVIDERS = {
    'microsoft': {
        'APP': {
            'tenant': 'Your_TenantID',  # You can also give the tenant domain here (contoso.onmicrosoft.com)
            'client_id': 'Azure: Application (client) ID',
        }
    }
}
You can find Tenant ID of your tenant like below:
Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your Application -> Overview
Alternatively, you can change your existing single tenant application to multi-tenant by changing its Supported account types without modifying settings.py like below:
Reference:
Client application configuration (MSAL) | Microsoft Docs
Microsoft OAuth2 provider for django-allauth by Vincent Schänzer

Related

Authentication with Microsoft Azure AD in a multi-tenant app

Following the documentation, I registered an application with Accounts in any organizational directory. The Tenant where the application resides is in "Default Directory" and has only one user, tiagomartinsperes#gmail.com. Also, the app has user assignment (as pointed out here) set to No.
Afterwards, I created another Tenant (different directory) and invited the external user me#tiagoperes.eu. That's the user I'm having trouble logging into the previously created app with.
Then, I enabled the OAuth2 support using social_core.backends.azuread.AzureADOAuth2 (from here).
As I try to authenticate now, it works well with tiagomartinsperes#gmail.com, but with me#tiagoperes.eu it gives the following error:
Selected user account does not exist in tenant 'Default Directory' and cannot access the application 'a9a22676-8a1c-4297-95d3-8cd89553220e' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.
The problem is the URL the user is redirected to. According to the docs, multi-tenant applications should redirect to https://login.microsoftonline.com/organizations.
As we see in the Python Social Auth AzureADOAuth2 class, the BASE_URL is
BASE_URL = "https://{authority_host}/{tenant_id}"
Since authority_host = "https://login.microsoftonline.com/" and tenant_id="common", we'd get the wrong url.
After changing that and signing in with the same user, I now get a request to add the permissions.
Reported that issue here too.
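The allauth answer above and this post turn on the same detail: both libraries build the authority URL as '{authority_host}/{tenant}', and a single-tenant registration is rejected (AADSTS50194) when that tenant part is one of the multi-tenant aliases. The following is an added example, not code from either thread, from allauth or from python-social-auth. It classifies a configured tenant value, reports the combination that produces the error, and shows the check a multi-tenant app has to do itself once the authority no longer pins the tenant: verifying the token's 'tid' and 'iss' claims. The authority host, the common/organizations/consumers aliases and the two issuer formats are Microsoft's documented values; the function names and the sample tenant id are assumptions for illustration.

```python
# Added example, not code from the threads, allauth or python-social-auth.
# Classifies the 'tenant' value that ends up in '{authority_host}/{tenant}',
# flags the single-tenant-app + multi-tenant-endpoint combination behind
# AADSTS50194, and checks the 'tid'/'iss' claims of an issued token.
import re

AUTHORITY_HOST = "https://login.microsoftonline.com"
# Microsoft's multi-tenant authority aliases.
MULTI_TENANT_ALIASES = {"common", "organizations", "consumers"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
# A tenant domain such as contoso.onmicrosoft.com: label characters, at least one dot.
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def authority_url(tenant: str) -> str:
    """Authority the provider talks to; same shape as social-auth's BASE_URL."""
    return f"{AUTHORITY_HOST}/{tenant.strip('/')}"


def tenant_kind(tenant: str) -> str:
    """Return 'multi-tenant endpoint', 'tenant id', 'tenant domain' or 'invalid'."""
    if tenant in MULTI_TENANT_ALIASES:
        return "multi-tenant endpoint"
    if GUID_RE.match(tenant):
        return "tenant id"
    if DOMAIN_RE.match(tenant):
        return "tenant domain"
    return "invalid"


def check_tenant_setting(tenant: str, single_tenant_app: bool):
    """Return (ok, authority_or_reason) for a configured tenant value.

    A registration whose Supported account types is single-tenant only works
    with its own tenant-specific authority; the multi-tenant aliases are
    rejected, which is the AADSTS50194 error quoted in the thread.
    """
    kind = tenant_kind(tenant)
    if kind == "invalid":
        return False, f"{tenant!r} is not a tenant id, tenant domain or known alias"
    if single_tenant_app and kind == "multi-tenant endpoint":
        return False, (f"single-tenant app cannot use /{tenant}; "
                       "use the tenant id or tenant domain instead")
    return True, authority_url(tenant)


def issued_by_allowed_tenant(claims: dict, allowed_tenant_ids: set) -> bool:
    """Multi-tenant apps receive tokens from any tenant, so the app itself must
    check 'tid' against an allow-list and that 'iss' names that same tenant
    (v2.0 issuer or the v1 sts.windows.net issuer)."""
    tid = claims.get("tid")
    if tid not in allowed_tenant_ids:
        return False
    expected_issuers = {
        f"https://login.microsoftonline.com/{tid}/v2.0",
        f"https://sts.windows.net/{tid}/",
    }
    return claims.get("iss") in expected_issuers


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    print(check_tenant_setting("common", single_tenant_app=True))
    print(check_tenant_setting("contoso.onmicrosoft.com", single_tenant_app=True))
    print(check_tenant_setting("organization", single_tenant_app=True))
```

Run against the question's own value 'organization' the checker reports it as invalid, since the alias Microsoft defines is 'organizations'; run against 'common' with a single-tenant registration it reports the AADSTS50194 case, and the same value with a multi-tenant registration passes.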

How to make Django try multiple realms in Keycloak using OpenID Connect?

Synopsis
We have a web app that allows internal users and external users to log in. We would like to split the two groups of users in Keycloak into different realms, for instance an internal realm and an external realm. Our ideal authentication method is OpenID Connect.
Problem
Most Django OIDC libraries allow specifying one OIDC client configuration in Django settings. However, given how OIDC works, one client configuration only works with one realm, because a client is configured inside a realm.
I have come across this library, django-keycloak, which seems to be able to store client configurations in a database; I would need to implement my own middleware to dynamically route the request to the corresponding realm, see the multi-tenancy section.
Unfortunately this library has not been updated for 2 years and seems not to be maintained anymore.
Question
Is there an up-to-date library that has functionality similar to django-keycloak? (I will raise an issue in the repo to enquire about the project status.)
Apart from the multi-client configuration approach, is there a better alternative?
I do not know about Django, but from the Keycloak side what you can do is configure the external realm as an identity provider for the internal realm. You can read about identity brokering here.
For that go to the Admin Console and:
select your Internal Realm, and click on Identity Providers
On the right side of the page, select Keycloak OpenID Connect from the Add provider ... dropdown menu. It will pop up the Add Identity Provider form; from there set:
the alias
the Authorization URL, Token URL, Logout URL, User Info URL and Issuer to the corresponding endpoints, which can be found on the external realm's .well-known endpoint (i.e., <KEYCLOAK_IP>/auth/realms/<External Realm Name>/.well-known/openid-configuration)
For the Client Authentication you can select Client secret sent as post
For the Client ID and Client Secret first create a new client in your external realm and use its Client ID and Client Secret here. This client:
can have Access Type confidential
Standard Flow Enabled : ON
Valid Redirect URIs set it to your Keycloak IP followed by "*", for instance <KEYCLOAK_IP>*
Web Origins : +
Save
Bear in mind that some of those configurations might have to be adapted to your own needs.
Now, if everything was set correctly, the Keycloak internal realm login page will show a new button that the users stored in the external realm can click to authenticate against the external realm.
Now you configure your app to land at the Internal Realm login page: the users from your internal realm authenticate immediately there, and the users from the external realm click the new button to explicitly authenticate against the external realm.
This setup is more or less like the use case where a user wants to log in to your app using his/her social media account.
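The procedure above is a copy job from the external realm's discovery document into the identity-provider form, and the values it copies are exactly what the internal realm will later trust. The following is an added example, not code from the answer or from Keycloak, that does that mapping and refuses a document whose issuer is not the expected realm or whose endpoints point outside it; it also computes the exact broker callback URI so the Valid Redirect URIs entry on the external client can be that URI instead of the <KEYCLOAK_IP>* wildcard the answer uses. The realm URL shape (<base>/auth/realms/<realm>) is the one in the answer, the protocol/openid-connect endpoint paths and the broker/<alias>/endpoint callback path are Keycloak's standard ones, and the discovery document and host names below are constructed.

```python
# Added example, not code from the answer or from Keycloak: builds the
# 'Keycloak OpenID Connect' identity-provider form values from the external
# realm's discovery document, with issuer and endpoint-origin checks.
import json
from urllib.parse import urlsplit

# Discovery document keys -> form field names used in the answer.
FIELD_MAP = {
    "authorization_endpoint": "Authorization URL",
    "token_endpoint": "Token URL",
    "end_session_endpoint": "Logout URL",
    "userinfo_endpoint": "User Info URL",
    "issuer": "Issuer",
}


def realm_issuer(base_url: str, realm: str) -> str:
    """Issuer of a realm under the /auth/realms/<realm> layout the answer uses."""
    return f"{base_url.rstrip('/')}/auth/realms/{realm}"


def discovery_url(base_url: str, realm: str) -> str:
    return realm_issuer(base_url, realm) + "/.well-known/openid-configuration"


def broker_redirect_uri(base_url: str, internal_realm: str, alias: str) -> str:
    """Callback the internal realm uses for the identity provider 'alias';
    registering this exact URI on the external client is tighter than a wildcard."""
    return f"{realm_issuer(base_url, internal_realm)}/broker/{alias}/endpoint"


def idp_fields_from_discovery(doc_json: str, expected_issuer: str) -> dict:
    """Map the discovery document to form fields, rejecting a wrong issuer or
    any endpoint that is not served from under that issuer."""
    doc = json.loads(doc_json)
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer {doc.get('issuer')!r} is not {expected_issuer!r}")
    iss = urlsplit(expected_issuer)
    fields = {}
    for key, label in FIELD_MAP.items():
        value = doc.get(key)
        if not isinstance(value, str):
            raise ValueError(f"discovery document has no {key}")
        u = urlsplit(value)
        same_origin = (u.scheme, u.netloc) == (iss.scheme, iss.netloc)
        under_issuer = u.path == iss.path or u.path.startswith(iss.path + "/")
        if not (same_origin and under_issuer):
            raise ValueError(f"{key} {value!r} is outside the issuer {expected_issuer!r}")
        fields[label] = value
    return fields


# Constructed sample: what GET <issuer>/.well-known/openid-configuration returns
# for a realm named 'external' on a host named keycloak.example.
EXTERNAL_ISSUER = "https://keycloak.example/auth/realms/external"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": EXTERNAL_ISSUER,
    "authorization_endpoint": EXTERNAL_ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": EXTERNAL_ISSUER + "/protocol/openid-connect/token",
    "userinfo_endpoint": EXTERNAL_ISSUER + "/protocol/openid-connect/userinfo",
    "end_session_endpoint": EXTERNAL_ISSUER + "/protocol/openid-connect/logout",
})

if __name__ == "__main__":
    for label, value in idp_fields_from_discovery(SAMPLE_DISCOVERY, EXTERNAL_ISSUER).items():
        print(f"{label}: {value}")
    print("Valid Redirect URI on the external client:",
          broker_redirect_uri("https://keycloak.example", "internal", "external-realm"))
```

Fetching the document is left to the caller (urllib or requests against discovery_url); what matters for the brokering setup is that the issuer you type into the form is the one you expected and that every endpoint is served from under it, because those URLs decide where the internal realm sends users and where it posts the client secret.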

Google Login error with django-social-auth

I created a Django project for sign-in with Google using django-social-auth.
I followed the doc and created an app in the Google developer console with "OAuth 2.0" and added the APIs
Gmail API, Google+ API, Google+ Domains API and Google+ Hangouts API
In Credentials I've set up AUTHORIZED REDIRECT URIS to my production server URL "mysite.com".
I configured the Django settings with the "CLIENT ID" and "CLIENT SECRET". This setup works perfectly on my local server: the user is created and the email is associated with the user.
But when I moved to the production server, I get the error
"400. That’s an error. OpenID auth request contains an unregistered domain: mysite.com".
Did anyone else face a similar issue?
I also had a similar issue and I fixed it as follows:
If your google login URL is /login/google/, change it to /login/google-oauth2/
Add the following redirect URIs in your google app settings
http://<your domain>/<social-auth-prefix-if-any>/complete/google-oauth2/
http://<your domain>/<social-auth-prefix-if-any>/associate/complete/google-oauth2/
Hope this helps.

After user removes application access to his LinkedIn profile, next OAuth2 reauthorization fails

I'm using a Django application with python-social-auth responsible for integration with the LinkedIn OAuth2 API.
LinkedIn returns a 500 server error:
{
    "error": "server_error",
    "error_description": "the authorization server encountered an unexpected condition : Unable to retrieve access token"
}
Steps to reproduce:
Create a new LinkedIn app with OAuth 2.0 Redirect URLs set to http://localhost/complete/linkedin-oauth2/?
Set up the Django app with the python-social-auth module:
SOCIAL_AUTH_LINKEDIN_OAUTH2_KEY = <API key>
SOCIAL_AUTH_LINKEDIN_OAUTH2_SECRET = <Secret Key>
Run Django server on port 80 and go to: http://localhost/login/linkedin-oauth2/
Go to LinkedIn Settings, choose Groups, Companies & Applications > View your applications, select your application name and submit Remove
Logout user from your Django app and start authentication again: http://localhost/login/linkedin-oauth2/
There's a discussion about this issue on the LinkedIn forums.
Apparently this can happen if you move from OAuth1 to OAuth2.
The proposed remedy until they resolve the problem is to create a new authentication key for our applications.

Google Directory API users list gives 404 Not found

I'm using the JavaScript client library to try to get a list of users in a domain, but I'm getting a 404 Not Found in the response.
gapi.client.load('admin', 'directory_v1', function() {
    var request = gapi.client.directory.users.list({ domain: "mydomain.com" });
    request.execute(function(resp) {
        console.log(resp);
    });
});
I have a load function before this that gets the userinfo, and that works fine; it's just the Directory API I can't get working. I added the admin.directory.user scope, and I have the proper client ID and API key. I enabled the Admin SDK in the Services tab of my project. The account that the project was created in has all administrator privileges except super admin. Is there some extra step you have to take to use Admin SDK APIs? What am I missing?
Any help would be appreciated.
You need to grant OAuth access for the Client ID in the admin console:
Security -> Advanced settings -> Manage OAuth client access
And then add your client ID and the scope needed.