search

grafana / django-saml2-auth

Django SAML2 Authentication Made Easy. Easily integrate with SAML2 SSO identity providers like Okta, Azure AD and others.
Other
189 stars 56 forks source link

Generated jwt token is not validated in API (djangorestframework-simplejwt) #251

Closed romuluc closed 8 months ago

romuluc commented 8 months ago

Hello,

I am using the django-saml2-auth with JWT to integrating to django-restframework. In my project I am using too djangorestframework-simplejwt. However, the jwt token generated after saml authentication in Azure AD is not validated in my API.

When I try to access some endpoint of my API:

{
  "status": "error",
  "code": 401,
  "data": null,
  "message": "Given token not valid for any token type"
}

Some points of my settings:

SIMPLE_JWT = {
    "ACCESS_TOKEN_LIFETIME": timedelta(days=1),
    "REFRESH_TOKEN_LIFETIME": timedelta(days=2),
    'AUTH_HEADER_TYPES': ('Token',),
    'UPDATE_LAST_LOGIN': True,
    "TOKEN_OBTAIN_SERIALIZER": "myapi.token.serializer.CustomTokenObtainPairSerializer",
    "ALGORITHM": "HS256",
}
SAML2_AUTH = {
    'METADATA_LOCAL_FILE_PATH': '/app/static/PSAT-Core-Saml2.xml',

    'KEY_FILE': '/app/static/chave_privada.key',
    'CERT_FILE': '/app/static/certificado.crt',

    'DEBUG': True,
    'DEFAULT_NEXT_URL': '/api',

    'CREATE_USER': 'TRUE',
    'NEW_USER_PROFILE': {
        'USER_GROUPS': [],
        'ACTIVE_STATUS': True,
        'STAFF_STATUS': False,
        'SUPERUSER_STATUS': False,
    },
    'ATTRIBUTES_MAP': {
        'email': 'name',
        'username': 'name',
        'first_name': 'givenname',
        'last_name': 'surname',
    },

    'ASSERTION_URL': 'http://localhost:8000', # Custom URL to validate incoming SAML requests against
    'ENTITY_ID': 'http://localhost:8000/saml2_auth/acs/', # Populates the Issuer element in authn request
    'NAME_ID_FORMAT': 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', # Sets the Format property of authn NameIDPolicy element
    'USE_JWT': True,
    'JWT_ALGORITHM': 'HS256',  # JWT algorithm to sign the message with
    'JWT_SECRET': 'your.jwt.secret',  # JWT secret to sign the message with
    'FRONTEND_URL': 'http://localhost:3000/login',
    'WANT_ASSERTIONS_SIGNED': True,
    'AUTHN_REQUESTS_SIGNED': True,
    'WANT_RESPONSE_SIGNED': True,
    'TOKEN_REQUIRED': False
}

I'm glad for any help.

romuluc commented 8 months ago

Sorry,

I solved it by creating a TRIGGER.CUSTOM_CREATE_JWT as explained in the docs.

Thanks!