AngellusMortis / django_microsoft_auth

Simple app to enable Microsoft Account, Office 365 and Xbox Live authentication as a Django authentication backend.
MIT License

microsoft/auth-callback Scope Warning for v2.0 #210

Closed lassogames closed 5 years ago

lassogames commented 5 years ago

Description

Configured backend to authenticate to my single-tenant API on AAD, and upon reaching microsoft/auth-callback, receive long Scope warning in a popup:

Scope has changed from "profile openid email" to "DeviceManagementManagedDevices.PrivilegedOperations.All Calendars.ReadWrite.Shared User.Read.All Sites.FullControl.All MailboxSettings.ReadWrite EAS.AccessAsUser.All Policy.Read.All AccessReview.ReadWrite.All EduRoster.ReadWrite ProgramControl.ReadWrite.All Subscription.Read.All Files.ReadWrite.All Directory.ReadWrite.All DeviceManagementApps.ReadWrite.All Directory.Read.All Contacts.Read DeviceManagementManagedDevices.ReadWrite.All Mail.ReadWrite.Shared PrivilegedAccess.ReadWrite.AzureResources MailboxSettings.Read Calendars.ReadWrite Mail.ReadWrite Bookings.Manage.All identityriskyuser.read.all Policy.ReadWrite.ConditionalAccess Notes.Read DeviceManagementConfiguration.Read.All User.ReadWrite Agreement.Read.All Files.Read.All EduRoster.Read Files.ReadWrite.AppFolder Reports.Read.All Device.Read Tasks.Read Contacts.Read.Shared Notes.ReadWrite.All EduAssignments.Read Notes.Read.All IdentityProvider.Read.All AppCatalog.ReadWrite.All Calendars.Read.Shared EduAdministration.ReadWrite User.Read AccessReview.Read.All AuditLog.Read.All Bookings.Read.All BookingsAppointment.ReadWrite.All DeviceManagementConfiguration.ReadWrite.All EduAdministration.Read ProgramControl.Read.All Financials.ReadWrite.All User.Invite.All openid Device.Command Contacts.ReadWrite.Shared Directory.AccessAsUser.All People.Read People.Read.All Mail.Send EduRoster.ReadBasic DeviceManagementServiceConfig.ReadWrite.All Files.ReadWrite.Selected Notes.ReadWrite EduAssignments.ReadWriteBasic PrivilegedAccess.ReadWrite.AzureAD User.Export.All Tasks.ReadWrite.Shared DeviceManagementRBAC.ReadWrite.All Notes.Create Tasks.Read.Shared DeviceManagementRBAC.Read.All Sites.Read.All Agreement.ReadWrite.All SecurityEvents.Read.All profile Mail.Send.Shared Mail.Read.Shared User.ReadWrite.All Notes.ReadWrite.CreatedByApp AgreementAcceptance.Read.All Calendars.Read DeviceManagementApps.Read.All Files.Read Sites.ReadWrite.All DeviceManagementServiceConfig.Read.All Group.Read.All Bookings.ReadWrite.All Sites.Manage.All Member.Read.Hidden User.ReadBasic.All email EduAssignments.ReadWrite Files.Read.Selected Files.ReadWrite UserTimelineActivity.Write.CreatedByApp IdentityProvider.ReadWrite.All AgreementAcceptance.Read Tasks.ReadWrite Mail.Read Contacts.ReadWrite EduAssignments.ReadBasic Group.ReadWrite.All Notifications.ReadWrite.CreatedByApp IdentityRiskEvent.Read.All DeviceManagementManagedDevices.Read.All SecurityEvents.ReadWrite.All UserActivity.ReadWrite.CreatedByApp".

What I Did

Followed Usage guide on setting up dependencies for AAD auth. In addition to adding MICROSOFT_AUTH_CLIENT_ID and MICROSOFT_AUTH_CLIENT_SECRET, I added MICROSOFT_AUTH_TENANT_ID to settings.py.

python manage.py runserver

also added environment variable

$env:OAUTHLIB_RELAX_TOKEN_SCOPE=$TRUE

on account of similar Scope warning issues.

Before receiving this warning, I'm pretty confident that my configuration is correct because I received several microsoft errors leading up to this. I got the "this client ID is not a multi-tenant app" error, as well as the "not a callback URI" error. After configuring my SITE_ID to use localhost, I finally got past the microsoft errors and arrived at this warning.

Traceback:

Request Method: POST
Request URL: http://localhost:8000/microsoft/auth-callback/
Django Version: 2.2
Exception Type: Warning
Exception Value: Scope has changed from "email profile openid" to "People.Read Directory.AccessAsUser.All User.ReadBasic.All EduRoster.ReadBasic PrivilegedAccess.ReadWrite.AzureAD Tasks.ReadWrite DeviceManagementServiceConfig.ReadWrite.All User.Read Contacts.Read AccessReview.Read.All Calendars.ReadWrite Sites.FullControl.All Files.ReadWrite.All IdentityRiskEvent.Read.All AppCatalog.ReadWrite.All AgreementAcceptance.Read Tasks.ReadWrite.Shared DeviceManagementManagedDevices.Read.All BookingsAppointment.ReadWrite.All Tasks.Read.Shared Group.ReadWrite.All Notes.Create DeviceManagementManagedDevices.PrivilegedOperations.All DeviceManagementRBAC.ReadWrite.All IdentityProvider.ReadWrite.All DeviceManagementApps.Read.All Bookings.Manage.All AuditLog.Read.All EduAssignments.ReadWrite Notes.ReadWrite Mail.Send email Files.Read Notes.ReadWrite.CreatedByApp DeviceManagementConfiguration.ReadWrite.All Files.ReadWrite.Selected EduAssignments.Read Notes.Read.All Files.ReadWrite Mail.Send.Shared Policy.Read.All Directory.ReadWrite.All Files.ReadWrite.AppFolder EduRoster.ReadWrite Mail.Read.Shared EduAssignments.ReadBasic DeviceManagementManagedDevices.ReadWrite.All Calendars.Read.Shared ProgramControl.ReadWrite.All Contacts.ReadWrite.Shared Mail.ReadWrite People.Read.All profile EduAdministration.Read Member.Read.Hidden Group.Read.All Subscription.Read.All Contacts.ReadWrite EduAssignments.ReadWriteBasic ProgramControl.Read.All identityriskyuser.read.all Files.Read.Selected DeviceManagementConfiguration.Read.All DeviceManagementServiceConfig.Read.All Calendars.ReadWrite.Shared User.Export.All Financials.ReadWrite.All Reports.Read.All Notes.Read Device.Command Mail.Read SecurityEvents.Read.All Calendars.Read Sites.Read.All PrivilegedAccess.ReadWrite.AzureResources IdentityProvider.Read.All Agreement.Read.All SecurityEvents.ReadWrite.All Notifications.ReadWrite.CreatedByApp Mail.ReadWrite.Shared User.ReadWrite Files.Read.All Sites.Manage.All Bookings.Read.All Policy.ReadWrite.ConditionalAccess Sites.ReadWrite.All EduRoster.Read UserActivity.ReadWrite.CreatedByApp openid EduAdministration.ReadWrite AccessReview.ReadWrite.All UserTimelineActivity.Write.CreatedByApp User.Read.All User.ReadWrite.All AgreementAcceptance.Read.All Notes.ReadWrite.All DeviceManagementRBAC.Read.All Agreement.ReadWrite.All DeviceManagementApps.ReadWrite.All MailboxSettings.Read User.Invite.All Contacts.Read.Shared Directory.Read.All EAS.AccessAsUser.All Bookings.ReadWrite.All MailboxSettings.ReadWrite Device.Read Tasks.Read".
Python Version: 3.7.3
lassogames commented 5 years ago

Update: I've tried adding different scopes e.g. SCOPE_MICROSOFT = ["User.Read","openid", "email", "profile"] and the error persists, but with the response scopes seemingly random every time I test it.

For example, this most recent time the warning was as follows:

Warning: Scope has changed from "openid User.Read profile email" to "Policy.ReadWrite.ConditionalAccess Notes.ReadWrite User.Invite.All AccessReview.ReadWrite.All Member.Read.Hidden User.Read EduAssignments.Read Group.Read.All Mail.Read User.Read.All Calendars.Read.Shared Files.ReadWrite.All BookingsAppointment.ReadWrite.All DeviceManagementServiceConfig.Read.All Files.Read.All SecurityEvents.ReadWrite.All Tasks.Read.Shared UserTimelineActivity.Write.CreatedByApp Agreement.ReadWrite.All Tasks.ReadWrite Sites.Read.All PrivilegedAccess.ReadWrite.AzureResources Mail.ReadWrite Notifications.ReadWrite.CreatedByApp openid Mail.Send identityriskyuser.read.all AppCatalog.ReadWrite.All EduRoster.ReadBasic SecurityEvents.Read.All MailboxSettings.Read Policy.Read.All EduRoster.Read Mail.ReadWrite.Shared Files.ReadWrite.Selected IdentityRiskEvent.Read.All IdentityProvider.Read.All Tasks.Read ProgramControl.ReadWrite.All Contacts.Read.Shared People.Read MailboxSettings.ReadWrite DeviceManagementConfiguration.ReadWrite.All Directory.ReadWrite.All IdentityProvider.ReadWrite.All User.Export.All Notes.Create Financials.ReadWrite.All Reports.Read.All Agreement.Read.All EduAdministration.ReadWrite Subscription.Read.All EduAdministration.Read Sites.Manage.All EduAssignments.ReadWriteBasic User.ReadWrite DeviceManagementServiceConfig.ReadWrite.All Notes.Read.All Calendars.Read AuditLog.Read.All Contacts.ReadWrite Group.ReadWrite.All User.ReadWrite.All Calendars.ReadWrite.Shared Mail.Send.Shared UserActivity.ReadWrite.CreatedByApp DeviceManagementConfiguration.Read.All DeviceManagementApps.ReadWrite.All Files.Read.Selected Sites.ReadWrite.All DeviceManagementManagedDevices.PrivilegedOperations.All DeviceManagementRBAC.Read.All Files.Read Bookings.Manage.All Notes.Read Calendars.ReadWrite DeviceManagementApps.Read.All Contacts.Read DeviceManagementRBAC.ReadWrite.All AgreementAcceptance.Read Notes.ReadWrite.CreatedByApp Directory.Read.All Bookings.Read.All EAS.AccessAsUser.All Notes.ReadWrite.All Mail.Read.Shared PrivilegedAccess.ReadWrite.AzureAD Sites.FullControl.All Tasks.ReadWrite.Shared DeviceManagementManagedDevices.Read.All Device.Command Directory.AccessAsUser.All EduAssignments.ReadBasic Files.ReadWrite Device.Read email EduAssignments.ReadWrite profile ProgramControl.Read.All AgreementAcceptance.Read.All User.ReadBasic.All Bookings.ReadWrite.All AccessReview.Read.All Contacts.ReadWrite.Shared EduRoster.ReadWrite Files.ReadWrite.AppFolder DeviceManagementManagedDevices.ReadWrite.All People.Read.All".
AngellusMortis commented 5 years ago

I am not familiar with Azure AD, but I think there may be something in your configuration that is causing it to do this. It does not do this with a MICROSOFT_AUTH_TENANT_ID of common (general Microsoft accounts).

lassogames commented 5 years ago

I actually got it working by adding the system environment variable (in the right place)

But, it made me realize my web API was sending back way too broad of a scope, so I will have to prune it down to just the necessary stuff and add those scopes to the request and I think that will do it. I will keep this thread posted when I go that route.


AngellusMortis commented 5 years ago

I am going to go ahead and close this issue, but please feel free to keep posting any updates or even make a PR to the docs with what you learned from changing the Web API permissions.

francesco-clementi commented 4 years ago

@lassogames I have the same problem. Could you please tell me how did you manage to fix it?

paulhjyoon commented 3 years ago

For others who come across this problem as I did. I was able to fix it by setting the environment variable: OAUTHLIB_RELAX_TOKEN_SCOPE=True
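The check behind this warning, as an added example that is not code from django_microsoft_auth, oauthlib, or anyone in this thread: oauthlib compares the requested and granted scope strings as sets, so the shuffled order lassogames saw is irrelevant, but any permission the token carries beyond what was requested raises a `Warning` (an `Exception` subclass, which is why Django renders it as an error page). `OAUTHLIB_RELAX_TOKEN_SCOPE` only suppresses that raise; the token still holds every delegated permission the app registration grants. The granted-scope string below is a constructed short sample taken from the warning above, `REQUESTED_SCOPE` is the three scopes the warning reports as the old scope, and `accept_token_scope` is an assumed stricter post-check, not something oauthlib provides.

```python
import os

# The three scopes the warning in this thread reports as the requested
# ("old") scope; ordering here is deliberately different from the warning.
REQUESTED_SCOPE = "openid email profile"

# Constructed sample of a token response's "scope" field: a handful of the
# Microsoft Graph permissions quoted in the warning above, in the arbitrary
# order Azure AD returned them.  The real response listed well over a hundred.
GRANTED_SCOPE = (
    "User.Read openid Directory.ReadWrite.All Mail.ReadWrite email "
    "Sites.FullControl.All profile"
)


def scope_to_set(scope):
    """Split a space-delimited OAuth 2.0 scope string into a set of names."""
    return set(scope.split()) if scope else set()


def scope_changed(requested, granted):
    """Order-insensitive comparison, as oauthlib's OAuth2Token.scope_changed does.

    Reordering the same scopes is not a change; any added or missing scope is.
    That is why the "seemingly random" order seen in the thread makes no
    difference, while the extra Graph permissions trip the check on every login.
    """
    return scope_to_set(requested) != scope_to_set(granted)


def extra_scopes(requested, granted):
    """Scopes the token carries that the client never asked for, sorted."""
    return sorted(scope_to_set(granted) - scope_to_set(requested))


def validate_token_scope(requested, granted, relax=None):
    """Mirror of oauthlib's scope check on a token response.

    Raises Warning when the granted scope differs from the requested one,
    unless OAUTHLIB_RELAX_TOKEN_SCOPE is set in the environment (the thread's
    workaround) or relax=True is passed.  Returns the unexpected scopes so a
    caller that relaxes the check can still log what came back.
    """
    if relax is None:
        relax = bool(os.environ.get("OAUTHLIB_RELAX_TOKEN_SCOPE"))
    if scope_changed(requested, granted) and not relax:
        raise Warning(
            'Scope has changed from "{}" to "{}".'.format(requested, granted)
        )
    return extra_scopes(requested, granted)


def raises_scope_warning(requested, granted, relax):
    """True if validate_token_scope would reject this token response."""
    try:
        validate_token_scope(requested, granted, relax=relax)
    except Warning:
        return True
    return False


def accept_token_scope(granted, allowed):
    """Assumed stricter post-check for a login-only app (not part of oauthlib).

    Relaxing oauthlib's check lets the login proceed, but the access token the
    app stores still carries every delegated permission the registration
    grants.  Reject the token if it holds anything outside ALLOWED and return
    (ok, unexpected) so the caller can fail closed and report what leaked in.
    """
    unexpected = sorted(scope_to_set(granted) - set(allowed))
    return (not unexpected, unexpected)


if __name__ == "__main__":
    print("strict check raises:", raises_scope_warning(REQUESTED_SCOPE, GRANTED_SCOPE, False))
    print("relaxed, extras:", validate_token_scope(REQUESTED_SCOPE, GRANTED_SCOPE, relax=True))
    print("allow-list:", accept_token_scope(GRANTED_SCOPE, ["openid", "email", "profile", "User.Read"]))
```

Setting the environment variable is the right unblocker for local development, but the durable fix is the one lassogames describes: trim the Azure AD app registration's API permissions down to what the login actually needs, so the granted scope matches the requested one and the warning never fires. An allow-list check like `accept_token_scope` run on the callback catches the registration drifting back toward broad permissions later.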