I'm trying to create an App which has a log in page where user should be authenticated using azure AD. Basically the App has a log in form where user puts his id and password from ad and django should check with ad and allow him in or not. Later on ofc would like to add permission depending on AD group.
So far I searched a lot on the internet and found nothing. Could you guys help with some example or link to documentation what I could use.
First of all, I'd like to suggest that you don't do that.
What you are asking for is ROPC flow: https://joonasw.net/view/ropc-grant-flow-in-azure-ad.
Usage of this flow is not recommended unless this is for migrating a legacy application (which is the original purpose of ROPC).
It also won't work if the user has MFA, an expired password etc.
There is usually no reason why you'd want to handle user passwords when using a federated identity provider.
Related
I am creating a flask app to be used internally in my company. I would like to restrict what a user can do it based on its login ID. I read a lot about using LDAP3 but I don't think I can do what want which send the login ID to the server. There I would have a table which will register which part of the system has the permition to edit. If it try to change somenthing not permited the app will retrieve a warning message.
I won't to do that to avoid having to create a separate login functionality just for this app. I read that I should use AD authentication but I am not very familiarized with that and I would also like to avoid having to ask our IT department to create user groups there for each part of my system.
I know that I can do that using ASP .NET (at least I did once).
Any guidance will be apreciated.
I think you are looking for Role-based Authorization.
In order to use this functionality you will need to implement roles on your model file per the Data-models documentation.
This will allow you to assign users a role when they are created, and you can use a decorator on your routes to 'require' the user to have the role you want them to have before they access the endpoint.
I am able to logout and login but there is 1 particular scenario which I am not able to achieve.
Scenario:-
User logs in using federated social login (Google), using hosted UI directly.
Now the user clicks on logout it directs it to AWS Cognito logout URL
https://xxxxxxx.auth.us-east-2.amazoncognito.com/logout?
response_type=token&client_id=xxxxxxxxx&logout_uri=https://abc/logout.html
it logs out the user success and successfully redirects the user to logout page as mentioned in URL.
Now when the user tries to log in again by a different account, he is forced to use his previous google login only.
I want to have such functionality that user can log out and log in again if he wants then he can log in with the same account or with different depend on choice.
The important point to note is I can't use AWS-Amplify or any javascript framework, only plain javascript.
The reason you are always forced to log in with the same user seems to be that the /logout? endpoint only logs out the user on Cognito, but Cognito does not communicate to Google that it should log you out of your device. Thus, every time you sign back in and the Google Authentication screen is launched Google still remembers the device and sees that you're still logged in. As a result, the redirect URI is triggered without you ever being prompted to choose a new account.
I'm running into the same issues on a React Native project, but have yet to find any evidence that Cognito offers an endpoint to force it to also sign you out of the Identity provider (i.e. Google).
PS: Here's another stackoverflow discussion with more info: AWS Cognito - How to force select account when signing in with Google
One of the responses in that thread mentions calling Google's logout endpoint directly as part of the signout flow. It's definitely not pretty, but since you're using plain Javascript it might be a sufficient solution.
If you find a cleaner solution please make sure to share it, as I'd be interested to hear what you find :)
Well, I got it working but I don't think so its an issue but a kind of behaviour that every developer should know who is trying to integrate google login in the there application. Here are the few scenarios I am have checked and their respective behaviour.
My AWS Cognito Login URL
https://xxxxxxx.auth.us-east-2.amazoncognito.com/oauth2/authorize?
identity_provider=Google&redirect_uri=https://xxxxxx/login.html&response_type=TOKEN
&client_id=xxxxxxxxxxxxxxxxx&scope=phone%20email%20openid%20profile
My AWS Cognito Log out URL
https://xxxxxxxxx.auth.us-east-2.amazoncognito.com/logout?
client_id=xxxxxxxxxxxxxxxxxxxx
&logout_uri=https://xxxxxxxxxxxxx/logout.html
By using the above URL when I log out, I don't get logged out from chrome browser.
This behaviour is an issue for many people
So when your chrome browser has only 1 account logged in, at that time AWS Cognito google login won't redirect to a page where you can select the different user, because you have only single user through which it gets logged indirectly.
Found out how we can show multiple logins:- So if you want another user to log in then he needs to first sign in chrome browser, and when he clicks on google login from the website at that time he will be able to select user, as in chrome we have now 2 users logged in google, from where he can select which user want to use for access.
I won't be accepting this as an answer because it's not how everyone want this behaviour, will wait for few days if someone can suggest better way.
I think so, for now, we have to go with this.
Currently I am using database accounts as my authentication schema and as a result anyone with a valid database account may login. I would like this to be more restrictive. All my users have a prefix in their user account names which specifies the group they belong to. An example would be dev_john, qa_cindy, etc. I would only like a specific group with a certain prefix in their username to be able to login. Database accounts seems to just allow all. I see there is a custom auth, but I am unsure how to get databse users from here.
I think the problem with this would be how to check the Oracle users' passwords from within your custom authentication function. Hopefully there is no way you can find out their passwords to check them, so how can you establish they typed the correct password? Maybe there is a way, I don't know.
However, perhaps more appropriate for this rule would be an authorization scheme. The user can log in, but if their username fails your authorization scheme test, they can't access the application. The test would be a PL/SQL expression like:
:APP_USER like 'QA%' or :APP_USER like 'TEST%'
When user DEV_JOHN logs in, the log in succeeds but all they get is a page saying e.g.
Only QA and TEST users are allowed to access this system.
I'm using django-auth with the django-auth-openid extension to use OpenID (specifically, Google) to log users into my site. I have a user base of about 90 who will be using the site. All of them have Google accounts, and will be using them to access the site. Since the user base is set (there is no registration allowed, only admins can add users), I already have an exhaustive list of all of my users, including their email addresses and other information. How can I allow these users to login with their Gmail addresses without making them register first? Essentially, I'd like to make django-auth-openid match OpenID Gmail addresses to rows in the existing django-auth Users table. Is this possible?
Thanks!
I ended up using the python-social-auth library (which has Django support built in). The documentation for use with Django isn't great, but between the docs and the provided example it was relatively easy to integrate it with my existing django-auth setup. After that, I just deleted the 'create_user' pipeline from the SOCIAL_AUTH_PIPELINE tuple in my settings, and, that way, only users with existing OpenID connections were allowed in (no new registrations occurred from OpenID logins). This meant, though, that I had to create those connections (between OpenID identifiers and Users) manually, but that was pretty easy to do just using the Django Python shell.
Is there any way to authorize user (acting as a Page or Page administrator) in the same like FB Conect does but using Page data?
E.g. I would like a company, say local barber, authorize in my system as a certain Page (can be indirect, i.e. through a private account but I would like to know if this user is a page administrator). The purpose of this is to link an account on my website with a certain business that has representation on Facebook.
Well, you could ask the user for manage_pages permission and look if the page you’re interested in is amongst them, but since that’ll give your app also their page access tokens, I doubt they’ll grant you that.
Less intrusive and much simpler would be to have them install your app on their page as a page tab, and then look into the signed_request parameter once their using your app - it has a boolean flag for wether the user is admin or not. After that they can remove your app again.