Azure-Samples / ms-identity-python-webapp

A Python web application calling Microsoft graph that is secured using the Microsoft identity platform

SSLError raised when calling initiate_auth_code_flow() #89

Closed richardARPANET closed 1 year ago

richardARPANET commented 1 year ago

`_build_auth_code_flow` does not work when using Azure AD B2C. The following error is raised:

NOTE: I replaced my directory name with 'MyDirectoryName' in the below as I want to keep this private.

  File "/home/work/dev/jaw/data-samples-service/data_samples/account/views.py", line 29, in _build_msal_app
    return msal.ConfidentialClientApplication(
  File "/home/work/.pyenv/versions/data-samples-service/lib/python3.8/site-packages/msal/application.py", line 486, in __init__
    self.authority = Authority(
  File "/home/work/.pyenv/versions/data-samples-service/lib/python3.8/site-packages/msal/authority.py", line 121, in __init__
    openid_config = tenant_discovery(
  File "/home/work/.pyenv/versions/data-samples-service/lib/python3.8/site-packages/msal/authority.py", line 176, in tenant_discovery
    resp = http_client.get(tenant_discovery_endpoint, **kwargs)
  File "/home/work/.pyenv/versions/data-samples-service/lib/python3.8/site-packages/msal/individual_cache.py", line 269, in wrapper
    value = function(*args, **kwargs)
  File "/home/work/.pyenv/versions/data-samples-service/lib/python3.8/site-packages/requests/sessions.py", line 600, in get
    return self.request("GET", url, **kwargs)
  File "/home/work/.pyenv/versions/data-samples-service/lib/python3.8/site-packages/requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/work/.pyenv/versions/data-samples-service/lib/python3.8/site-packages/requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/home/work/.pyenv/versions/data-samples-service/lib/python3.8/site-packages/requests/adapters.py", line 563, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='MyDirectoryName.onmicrosoft.com.b2clogin.com', port=443): Max retries exceeded with url: /MyDirectoryName.onmicrosoft.com.onmicrosoft.com/B2C_1_jhh_reset_password/v2.0/.well-known/openid-configuration (Caused by SSLError(CertificateError("hostname 'MyDirectoryName.onmicrosoft.com.b2clogin.com' doesn't match either of 'graph.windows.net', '*.aadg.windows.net', '*.aadkds.ppe.reporting.msidentity.com', '*.aadkds.prd.reporting.msidentity.com', '*.accesscontrol.aadtst3.windows-int.net', '*.accesscontrol.windows-ppe.net', '*.accesscontrol.windows.net', '*.adls.aadkds.ppe.reporting.msidentity.com', '*.adls.aadkds.prd.reporting.msidentity.com', '*.adti.aadkds.ppe.reporting.msidentity.com', '*.adti.aadkds.prd.reporting.msidentity.com', '*.authapp.net', '*.authorization.azure-ppe.net', '*.authorization.azure.net', '*.b2clogin.com', '*.cpim.windows.net', '*.d2k.aadkds.ppe.reporting.msidentity.com', '*.d2k.aadkds.prd.reporting.msidentity.com', '*.fp.measure.office.com', '*.gateway.windows.net', '*.login.live-int.com', '*.login.live.com', '*.login.microsoft.com', '*.login.microsoftonline.com', '*.login.windows-ppe.net', '*.logincert.microsoft.com', '*.logincert.windows-ppe.net', '*.microsoftaik-int.azure-int.net', '*.microsoftaik.azure.net', '*.pt.aadg.msidentity.com', '*.r.login.microsoft.com', '*.r.login.microsoftonline.com', '*.r.prd.aadg.msidentity.com', '*.windows-ppe.net', 'aadcdn.privatelink.msidentity.com', 'aadcdnimages.privatelink.msidentity.com', 'aadg.windows.net', 'aadgv6.ppe.windows.net', 'aadgv6.windows.net', 'accesscontrol.aadtst3.windows-int.net', 'account.live-int.com', 'account.live.com', 'api.password.ccsctp.com', 'api.passwordreset.microsoftonline.com', 'autologon.microsoftazuread-sso.com', 'clientconfig.microsoftonline-p-int.net', 'clientconfig.microsoftonline-p.net', 'directoryproxy.ppe.windows.net', 'directoryproxy.windows.net', 'gatewayforking.windows.net', 'graph.ppe.windows.net', 
'login.live-int.com', 'login.live.com', 'login.microsoft-ppe.com', 'login.microsoft.com', 'login.microsoftonline-p.com', 'login.microsoftonline.com', 'login.windows.net', 'logincert.microsoftonline.com', 'microsoftaik-int.azure-int.net', 'microsoftaik.azure.net', 'nexus.microsoftonline-p-int.com', 'nexus.microsoftonline-p.com', 'nexus.passport-int.com', 'password.ccsctp.com', 'passwordreset.activedirectory.windowsazure.us', 'passwordreset.microsoftonline.com', 'ppe.aadcdn.privatelink.msidentity.com', 'signup.live-int.com', 'signup.live.com', 'sts.windows.net'")))

The endpoint it is calling within function tenant_discovery() is https://MyDirectoryName.onmicrosoft.com.b2clogin.com:443/MyDirectoryName.onmicrosoft.com.onmicrosoft.com/B2C_1_jhh_reset_password/v2.0/.well-known/openid-configuration — note that both the host (`MyDirectoryName.onmicrosoft.com.b2clogin.com`) and the path segment (`MyDirectoryName.onmicrosoft.com.onmicrosoft.com`) carry a doubled `.onmicrosoft.com`, which is what the certificate's `*.b2clogin.com` wildcard does not cover.

To Reproduce

import msal

def _build_msal_app(authority=None):
    """Create a confidential MSAL client for the B2C password-reset user flow.

    Args:
        authority: Full B2C authority URL. When ``None``, falls back to
            ``settings.AZURE_B2C_PASSWORD_RESET_AUTHORITY``.

    Returns:
        A ``msal.ConfidentialClientApplication`` configured with the B2C
        client id and secret and no token cache.

    The default authority setting is built from the template
    ``https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user_flow}``
    with ``tenant=SOCIAL_AUTH_AZUREAD_B2C_OAUTH2_TENANT_ID`` and
    ``user_flow='B2C_1_jhh_reset_password'``. ``{tenant}`` has to be the bare
    tenant name: a value that already ends in ``.onmicrosoft.com`` produces
    the host ``<tenant>.onmicrosoft.com.b2clogin.com``, which the
    ``*.b2clogin.com`` wildcard certificate does not match, so MSAL's OpenID
    discovery request fails with an SSL hostname error. The fix is to correct
    the tenant value, not to relax TLS verification on the HTTP client.
    """
    # Caller-supplied authority wins; an empty/None value selects the setting.
    effective_authority = (
        authority if authority else settings.AZURE_B2C_PASSWORD_RESET_AUTHORITY
    )
    return msal.ConfidentialClientApplication(
        settings.SOCIAL_AUTH_AZUREAD_B2C_OAUTH2_KEY,
        authority=effective_authority,
        client_credential=settings.SOCIAL_AUTH_AZUREAD_B2C_OAUTH2_SECRET,
        token_cache=None,
    )

def _build_auth_code_flow(authority=None, scopes=None):
    """Start an MSAL authorization-code flow and return the flow mapping.

    Args:
        authority: Passed through to ``_build_msal_app``; ``None`` selects the
            configured password-reset authority.
        scopes: Scopes to request; ``None`` or empty is sent as ``[]``.

    Returns:
        The dict returned by ``initiate_auth_code_flow``; its ``auth_uri``
        entry is the URL the user is redirected to.
    """
    requested_scopes = scopes if scopes else []
    client = _build_msal_app(authority=authority)
    # Plain-http localhost redirect for local testing only; the registered
    # redirect URI on the app must match this value exactly — TODO confirm.
    return client.initiate_auth_code_flow(
        scopes=requested_scopes,
        redirect_uri='http://localhost:5000/web-ui/?done',
    )

# Kick off the flow against the password-reset authority and print the login URL.
flow = _build_auth_code_flow(authority=settings.AZURE_B2C_PASSWORD_RESET_AUTHORITY)
url = flow['auth_uri']
print(url)

Am I doing something wrong?