jhpyle / docassemble

A free, open-source expert system for guided interviews and document assembly, based on Python, YAML, and Markdown.
https://docassemble.org
MIT License

Error when configured for Azure Authentication #763

Closed JamesVth closed 6 months ago

JamesVth commented 6 months ago

I have a new installation in Azure with the latest version of Doc Assemble. I have set up the app registration for the required API permissions from "Microsoft Graph" per the documentation (email, openid, offline_access, profile); in addition, I added User.Read and User.ReadBasic.All after I hit the error below. It seems like it's not able to pull the id from the information in the callback? Maybe? Am I missing an API permission?

=====ERROR TEXT=====

Error KeyError: 'id'
Log
Traceback (most recent call last):
  File "/usr/share/docassemble/local3.10/lib/python3.10/site-packages/flask/app.py", line 867, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/share/docassemble/local3.10/lib/python3.10/site-packages/flask/app.py", line 852, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/usr/share/docassemble/local3.10/lib/python3.10/site-packages/docassemble/webapp/server.py", line 5128, in oauth_callback
    social_id, username, email, name_data = oauth.callback()
  File "/usr/share/docassemble/local3.10/lib/python3.10/site-packages/docassemble/webapp/server.py", line 4863, in callback
    'azure$' + str(me['id']),
KeyError: 'id'

=====ERROR TEXT=====

image

Thanks in advance!

jhpyle commented 6 months ago

It is working for me and I have: image It is possible that Microsoft is returning an error message as JSON. I would look closely at the browser console to see if there are any error messages anywhere, i.e. in the network tab, or the URL parameters. So I don't think you are missing an API. It might have something to do with whether the permission extends to the user you are logging in as. (Maybe the "delegation" concept.) My only way to test the integration is through my organization's account, and there might be something different between my organization's Azure account and your organization's Azure account that explains why Microsoft's servers are responding differently.
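
The traceback in the report fails at the bare `me['id']` lookup, which turns whatever Microsoft Graph actually returned into an opaque KeyError. As an added example (not docassemble's own code), here is a hypothetical `parse_me_response` helper that classifies the `/me` body before trusting it, so an error document or a profile without an id surfaces as a readable reason; the sample bodies are constructed, not captured from Graph.

```python
import json

# Constructed sample bodies (not captured from Microsoft Graph) covering the
# cases discussed in the thread: a normal /me profile, an error document
# returned in place of the profile, and a body with no "id" at all.
OK_PROFILE = json.dumps({
    "id": "11111111-2222-3333-4444-555555555555",
    "displayName": "Jane Example",
    "mail": "jane@example.org",
    "userPrincipalName": "jane@example.org",
})
GRAPH_ERROR = json.dumps({
    "error": {"code": "InvalidAuthenticationToken",
              "message": "Access token validation failure."}
})
NO_ID = json.dumps({"displayName": "Nobody"})


def parse_me_response(body):
    """Hypothetical replacement for a bare me['id'] lookup: inspect the /me
    body first, so a Graph error becomes a readable message instead of a
    KeyError deep inside the OAuth callback."""
    try:
        data = json.loads(body)
    except ValueError:
        return {"status": "error", "reason": "profile endpoint did not return JSON"}
    if not isinstance(data, dict):
        return {"status": "error", "reason": "unexpected JSON shape"}
    if "error" in data:
        # Graph error documents look like {"error": {"code": ..., "message": ...}}
        err = data["error"] if isinstance(data["error"], dict) else {}
        reason = f"Graph error {err.get('code', '?')}: {err.get('message', '')}"
        return {"status": "error", "reason": reason.strip()}
    user_id = data.get("id")
    if not user_id:
        # The failure from the issue: a body with no "id"; report which fields came back
        return {"status": "error",
                "reason": "no 'id' in profile; fields present: " + ", ".join(sorted(data))}
    return {
        "status": "ok",
        "social_id": "azure$" + str(user_id),
        "email": data.get("mail") or data.get("userPrincipalName"),
        "name": data.get("displayName"),
    }


if __name__ == "__main__":
    for label, body in (("ok", OK_PROFILE), ("error", GRAPH_ERROR), ("no id", NO_ID)):
        print(label, "->", parse_me_response(body))
```

Logging the `reason` string on the server side is what lets an operator tell an expired or wrongly-audienced token apart from a tenant that simply did not return the expected fields.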

JamesVth commented 6 months ago

For your app service, do you have an authentication provider set up?

jhpyle commented 6 months ago

I am not sure what you mean. I set up an App Registration in Azure Portal to allow any user in my organization's Office 365 domain to sign in to a docassemble server using their Office 365 credentials. So the authentication provider is Azure. Under the Authentication section of the App Registration I set up a "Web" type of app.

JamesVth commented 6 months ago

Authentication Provider is a setting under Authentication in the App Service / Web App that the container runs under (at least in our configuration). We aren't using an authentication provider in our new installation currently.

I did check the developer console in the browser. The application is returning a "501 NOT IMPLEMENTED" error from "https://{OUR HOST NAME}.azurewebsites.net/callback/azure". I'm digging a little deeper into that.

JamesVth commented 6 months ago

I just wanted to add an update here. I think this ended up being an issue with how hard it is to revoke user-granted permissions. I believe offline_access was causing our issue, but since I don't have permission at the tenant level to remove that, I had to create a whole new App Registration and limit it to the permissions you outlined above. It is now working as intended. Thanks for your time and help!

JamesVth commented 6 months ago

I should add. You may want to revise the installation section as this:

image

lines up with the Graph description of "offline_access", which our tenant requires admin consent for, and without appropriate tenant-level access you cannot remove this at the Enterprise Application level. The 4 items in your screenshot ended up being all we needed.