Closed lassogames closed 5 years ago
Update: I've tried adding different scopes, e.g. SCOPE_MICROSOFT = ["User.Read","openid", "email", "profile"]
and the error persists, but with the response scopes seemingly random every time I test it.
For example, this most recent time the warning was as follows:
Warning: Scope has changed from "openid User.Read profile email" to "Policy.ReadWrite.ConditionalAccess Notes.ReadWrite User.Invite.All AccessReview.ReadWrite.All Member.Read.Hidden User.Read EduAssignments.Read Group.Read.All Mail.Read User.Read.All Calendars.Read.Shared Files.ReadWrite.All BookingsAppointment.ReadWrite.All DeviceManagementServiceConfig.Read.All Files.Read.All SecurityEvents.ReadWrite.All Tasks.Read.Shared UserTimelineActivity.Write.CreatedByApp Agreement.ReadWrite.All Tasks.ReadWrite Sites.Read.All PrivilegedAccess.ReadWrite.AzureResources Mail.ReadWrite Notifications.ReadWrite.CreatedByApp openid Mail.Send identityriskyuser.read.all AppCatalog.ReadWrite.All EduRoster.ReadBasic SecurityEvents.Read.All MailboxSettings.Read Policy.Read.All EduRoster.Read Mail.ReadWrite.Shared Files.ReadWrite.Selected IdentityRiskEvent.Read.All IdentityProvider.Read.All Tasks.Read ProgramControl.ReadWrite.All Contacts.Read.Shared People.Read MailboxSettings.ReadWrite DeviceManagementConfiguration.ReadWrite.All Directory.ReadWrite.All IdentityProvider.ReadWrite.All User.Export.All Notes.Create Financials.ReadWrite.All Reports.Read.All Agreement.Read.All EduAdministration.ReadWrite Subscription.Read.All EduAdministration.Read Sites.Manage.All EduAssignments.ReadWriteBasic User.ReadWrite DeviceManagementServiceConfig.ReadWrite.All Notes.Read.All Calendars.Read AuditLog.Read.All Contacts.ReadWrite Group.ReadWrite.All User.ReadWrite.All Calendars.ReadWrite.Shared Mail.Send.Shared UserActivity.ReadWrite.CreatedByApp DeviceManagementConfiguration.Read.All DeviceManagementApps.ReadWrite.All Files.Read.Selected Sites.ReadWrite.All DeviceManagementManagedDevices.PrivilegedOperations.All DeviceManagementRBAC.Read.All Files.Read Bookings.Manage.All Notes.Read Calendars.ReadWrite DeviceManagementApps.Read.All Contacts.Read DeviceManagementRBAC.ReadWrite.All AgreementAcceptance.Read Notes.ReadWrite.CreatedByApp Directory.Read.All Bookings.Read.All EAS.AccessAsUser.All Notes.ReadWrite.All Mail.Read.Shared PrivilegedAccess.ReadWrite.AzureAD Sites.FullControl.All Tasks.ReadWrite.Shared DeviceManagementManagedDevices.Read.All Device.Command Directory.AccessAsUser.All EduAssignments.ReadBasic Files.ReadWrite Device.Read email EduAssignments.ReadWrite profile ProgramControl.Read.All AgreementAcceptance.Read.All User.ReadBasic.All Bookings.ReadWrite.All AccessReview.Read.All Contacts.ReadWrite.Shared EduRoster.ReadWrite Files.ReadWrite.AppFolder DeviceManagementManagedDevices.ReadWrite.All People.Read.All".
I am not familiar with Azure AD, but I think there may be something in your configuration that is causing it to do this. It does not do this with a MICROSOFT_AUTH_TENANT_ID of common (general Microsoft accounts).
I actually got it working by adding the system environment variable (in the right place).
But it made me realize my web API was sending back way too broad of a scope, so I will have to prune it down to just the necessary stuff and add those scopes to the request, and I think that will do it. I will keep this thread posted when I go that route.
Jack Daniels
@lasso_games
I am going to go ahead and close this issue, but please feel free to keep posting any updates or even make a PR to the docs with what you learned from changing the Web API permissions.
@lassogames I have the same problem. Could you please tell me how you managed to fix it?
For others who come across this problem as I did: I was able to fix it by setting the environment variable OAUTHLIB_RELAX_TOKEN_SCOPE=True
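Setting OAUTHLIB_RELAX_TOKEN_SCOPE only stops oauthlib from raising on the mismatch; it does not show which scopes the token carries that were never requested. The block below is an added example (not code from the issue, from oauthlib, or from django_microsoft_auth) that reproduces the set comparison oauthlib makes before emitting the "Scope has changed" warning and lists the unrequested scopes, flagging the write-capable ones for review. The granted scope string is a constructed, shortened version of the one quoted in the warning above.

```python
"""Compare requested vs. granted OAuth scopes the way oauthlib does, then
report what was granted without being requested (added example)."""

# Constructed sample input: the scopes the client asked for, and a shortened
# version of the granted scope string quoted in the issue's warning.
REQUESTED = "openid User.Read profile email"
GRANTED = (
    "Policy.ReadWrite.ConditionalAccess Notes.ReadWrite User.Read "
    "Directory.ReadWrite.All Mail.Send openid profile email "
    "Files.ReadWrite.All User.Read.All Directory.AccessAsUser.All"
)

# Keyword heuristic (assumption for this example) for scopes that allow
# writing, sending or acting as the user rather than only reading.
WRITE_MARKERS = ("ReadWrite", "Write", "Send", "Manage", "FullControl", "AccessAsUser")


def scope_to_set(scope):
    """Scopes are space-delimited; order and duplicates are irrelevant."""
    return set(scope.split())


def scope_changed(requested, granted):
    """Same condition oauthlib uses before warning: the granted set
    differs from the requested set (not merely reordered)."""
    return scope_to_set(requested) != scope_to_set(granted)


def unrequested_scopes(requested, granted):
    """Scopes present in the token that the client never asked for."""
    return sorted(scope_to_set(granted) - scope_to_set(requested))


def write_scopes(requested, granted):
    """Subset of unrequested scopes that grant more than read access."""
    return [s for s in unrequested_scopes(requested, granted)
            if any(marker in s for marker in WRITE_MARKERS)]


if __name__ == "__main__":
    if scope_changed(REQUESTED, GRANTED):
        print("unrequested:", unrequested_scopes(REQUESTED, GRANTED))
        print("write-capable:", write_scopes(REQUESTED, GRANTED))
```

Run against a real token response, a non-empty write-capable list is the signal to trim the permissions exposed by the API registration rather than to relax the check.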
Description
Configured backend to authenticate to my single-tenant API on AAD, and upon reaching microsoft/auth-callback, receive long Scope warning in a popup:
Scope has changed from "profile openid email" to "DeviceManagementManagedDevices.PrivilegedOperations.All Calendars.ReadWrite.Shared User.Read.All Sites.FullControl.All MailboxSettings.ReadWrite EAS.AccessAsUser.All Policy.Read.All AccessReview.ReadWrite.All EduRoster.ReadWrite ProgramControl.ReadWrite.All Subscription.Read.All Files.ReadWrite.All Directory.ReadWrite.All DeviceManagementApps.ReadWrite.All Directory.Read.All Contacts.Read DeviceManagementManagedDevices.ReadWrite.All Mail.ReadWrite.Shared PrivilegedAccess.ReadWrite.AzureResources MailboxSettings.Read Calendars.ReadWrite Mail.ReadWrite Bookings.Manage.All identityriskyuser.read.all Policy.ReadWrite.ConditionalAccess Notes.Read DeviceManagementConfiguration.Read.All User.ReadWrite Agreement.Read.All Files.Read.All EduRoster.Read Files.ReadWrite.AppFolder Reports.Read.All Device.Read Tasks.Read Contacts.Read.Shared Notes.ReadWrite.All EduAssignments.Read Notes.Read.All IdentityProvider.Read.All AppCatalog.ReadWrite.All Calendars.Read.Shared EduAdministration.ReadWrite User.Read AccessReview.Read.All AuditLog.Read.All Bookings.Read.All BookingsAppointment.ReadWrite.All DeviceManagementConfiguration.ReadWrite.All EduAdministration.Read ProgramControl.Read.All Financials.ReadWrite.All User.Invite.All openid Device.Command Contacts.ReadWrite.Shared Directory.AccessAsUser.All People.Read People.Read.All Mail.Send EduRoster.ReadBasic DeviceManagementServiceConfig.ReadWrite.All Files.ReadWrite.Selected Notes.ReadWrite EduAssignments.ReadWriteBasic PrivilegedAccess.ReadWrite.AzureAD User.Export.All Tasks.ReadWrite.Shared DeviceManagementRBAC.ReadWrite.All Notes.Create Tasks.Read.Shared DeviceManagementRBAC.Read.All Sites.Read.All Agreement.ReadWrite.All SecurityEvents.Read.All profile Mail.Send.Shared Mail.Read.Shared User.ReadWrite.All Notes.ReadWrite.CreatedByApp AgreementAcceptance.Read.All Calendars.Read DeviceManagementApps.Read.All Files.Read Sites.ReadWrite.All DeviceManagementServiceConfig.Read.All 
Group.Read.All Bookings.ReadWrite.All Sites.Manage.All Member.Read.Hidden User.ReadBasic.All email EduAssignments.ReadWrite Files.Read.Selected Files.ReadWrite UserTimelineActivity.Write.CreatedByApp IdentityProvider.ReadWrite.All AgreementAcceptance.Read Tasks.ReadWrite Mail.Read Contacts.ReadWrite EduAssignments.ReadBasic Group.ReadWrite.All Notifications.ReadWrite.CreatedByApp IdentityRiskEvent.Read.All DeviceManagementManagedDevices.Read.All SecurityEvents.ReadWrite.All UserActivity.ReadWrite.CreatedByApp".
What I Did
Followed Usage guide on setting up dependencies for AAD auth. In addition to adding MICROSOFT_AUTH_CLIENT_ID and MICROSOFT_AUTH_CLIENT_SECRET, I added MICROSOFT_AUTH_TENANT_ID to settings.py. I also added an environment variable on account of similar Scope warning issues.
Before receiving this warning, I'm pretty confident that my configuration is correct because I received several Microsoft errors leading up to this. I got the "this client ID is not a multi-tenant app" error, as well as the "not a callback URI" error. After configuring my SITE_ID to use localhost, I finally got past the Microsoft errors and arrived at this warning.
Traceback: