robrotheram / taiga-contrib-openid-auth

Taiga plugin for openid authentication

Configuration for Azure AD with openID - fails w/umpa lumpas error #30

Open scott-dunt opened 2 years ago

scott-dunt commented 2 years ago

Trying to figure out how to map the Azure AD settings and configuration for OpenID / OAuth2 to the Taiga plugin. I have set up multiple applications using SAML and OAuth access in this environment. I see in the Azure AD logs that my login was successful for the URL call from Taiga to Azure; in the browser I see:

https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/authorize?redirect_uri=https://taiga.XXXX.com/login&client_id=<Client ID>&response_type=code&scope=openid

(I have tried BOTH scope=openid and scope=openid email and there is no difference.) What comes back in the browser looks a whole lot like all the other setups I have troubleshot, although there is NO cookie used for the connection:

https://taiga.xxxxx.com/login?code=0.ATUA8jpZqvhhT02YiunEwCt_V8nOQnqvbpZCshY6Ui4kng81AAA.AQABAAIAAAD--DLA3VO7QrddgJg7WevrJcuTrl4SezZr7lLS5p3J_NDUsuMzXe5KhLttSNfWCZeLF7XzCZuXFObSgZ-FBrkKt4PN8goxdZjQ4eTNdh7fvdhc6Ew6m5Mql34L_fjGCL4yQ05sep1RPUnirnacV1FuWbSHtOx2wizSv5X6ypjZ5MmwYDZYtGvZL6cz00- <SNIP> &session_state=61ee05d8-a3c5-40d1-8f64-a22e141cd386#

My settings in docker-compose.yml are:

version: "3.5"

x-environment:
  &default-back-environment
  # OpenID settings
  ENABLE_OPENID: "True"
  OPENID_USER_URL: "https://graph.microsoft.com/oidc/userinfo"
  OPENID_TOKEN_URL: "https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/token"
  OPENID_CLIENT_ID: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  OPENID_CLIENT_SECRET: "xxxxxxxxxxxxxxxxxxxx"
  OPENID_SCOPE: "openid"

services:
  # (other services omitted)
  taiga-front:
    image: robrotheram/taiga-front-openid
    environment:
      TAIGA_URL: "https://taiga.XXXX.com"
      TAIGA_WEBSOCKETS_URL: "wss://taiga.XXXX.com"
      ENABLE_OPENID: "true"
      OPENID_URL: "https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/authorize"
      OPENID_CLIENT_ID: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
      OPENID_NAME: "xxxxxxxxxxxxxxxxxxxxx"
      PUBLIC_REGISTER_ENABLED: "true"
      OPENID_SCOPE: "openid"

There is NOTHING in the container logs that shows any kind of error. If there is some way to enable debug logging, that would be helpful.

Apparently Azure AD has a facility to dump its supported OpenID configuration:

From: https://login.microsoftonline.com//v2.0/.well-known/openid-configuration

{"token_endpoint":"https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/token",
"token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],
"jwks_uri":"https://login.microsoftonline.com/<Tenant ID>/discovery/v2.0/keys",
"response_modes_supported":["query","fragment","form_post"],
"subject_types_supported":["pairwise"],
"id_token_signing_alg_values_supported":["RS256"],
"response_types_supported":["code","id_token","code id_token","id_token token"],
"scopes_supported":["openid","profile","email","offline_access"],
"issuer":"https://login.microsoftonline.com/<Tenant ID>/v2.0",
"request_uri_parameter_supported":false,
"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo",
"authorization_endpoint":"https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/authorize",
"device_authorization_endpoint":"https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/devicecode",
"http_logout_supported":true,
"frontchannel_logout_supported":true,
"end_session_endpoint":"https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/logout",
"claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],
"kerberos_endpoint":"https://login.microsoftonline.com/<Tenant ID>/kerberos",
"tenant_region_scope":"NA",
"cloud_instance_name":"microsoftonline.com",
"cloud_graph_host_name":"graph.windows.net",
"msgraph_host":"graph.microsoft.com",
"rbac_url":"https://pas.windows.net"}

I have also set the permissions within Azure AD for the app to be able to read:

[screenshot: AzureADPermissions]

Looking for any guidance on how to get this working. I'm assuming this might be a desirable configuration for others to use as well?

psydrohne commented 2 years ago

I am also searching for a tutorial on how to authenticate with OpenID against Azure AD. Have you made any progress on this?

pitwegner commented 1 year ago

Set DEBUG = True in your settings/config.py and check the logs and/or the failed request's response. This error can occur in a number of cases when something in your configuration is wrong (e.g. SMTP settings).

Pacerino commented 6 months ago

I know the issue is quite old, but here is the solution that worked for me, for those who stumble across this issue.

Add the following to default-back-environment in docker-compose.yml:

PUBLIC_REGISTER_ENABLED: "True"
ENABLE_OPENID: "True"
OPENID_URL: "https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXX/oauth2/v2.0/authorize"
OPENID_USER_URL: "https://graph.microsoft.com/oidc/userinfo"
OPENID_TOKEN_URL: "https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXX/oauth2/v2.0/token"
OPENID_CLIENT_ID: "XXXXXXXXXXXXXXXXXXXXXX"
OPENID_CLIENT_SECRET: "XXXXXXXXXXXXXXXXXXXXXX"
OPENID_NAME: "Microsoft"
OPENID_USERNAME_FIELD: "email"
OPENID_FULLNAME_FIELD: "name"
OPENID_SCOPE: "openid email"

and to taiga-front:

ENABLE_OPENID: "true"
OPENID_URL: "https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXX/oauth2/v2.0/authorize"
OPENID_CLIENT_ID: "XXXXXXXXXXXXXXXXXXXXXX"
OPENID_NAME: "Microsoft"
PUBLIC_REGISTER_ENABLED: "false"
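As an added example that is not part of the plugin or of anyone's post in this thread: a small offline Python check that compares the backend settings from the first post and from the working configuration above against the Azure AD discovery document quoted in the issue. Assumptions: the endpoint subset and claim list are taken from the discovery JSON on this page, the tenant ID stays a placeholder, and the rule that the `email` claim is only released with the `email` scope comes from OIDC Core, not from the plugin.

```python
# Added example (not code from taiga-contrib-openid-auth): offline consistency check
# of the backend OpenID settings against the Azure AD discovery document quoted above.
TENANT = "<Tenant ID>"
AAD = f"https://login.microsoftonline.com/{TENANT}"
DISCOVERY = {  # subset of the .well-known/openid-configuration in the thread
    "authorization_endpoint": f"{AAD}/oauth2/v2.0/authorize",
    "token_endpoint": f"{AAD}/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "claims_supported": ["sub", "preferred_username", "name", "email"],
}
# OIDC Core releases the `email` claim only when the `email` scope is
# requested, which matches the thread: "openid" alone did not work.
SCOPE_FOR_CLAIM = {"email": "email", "sub": "openid"}
ORIGINAL_CFG = {  # constructed from the first post's backend snippet
    "OPENID_USER_URL": "https://graph.microsoft.com/oidc/userinfo",
    "OPENID_TOKEN_URL": f"{AAD}/oauth2/v2.0/token",
    "OPENID_SCOPE": "openid",
}
WORKING_CFG = {  # constructed from the solution's default-back-environment
    **ORIGINAL_CFG,
    "PUBLIC_REGISTER_ENABLED": "True",
    "OPENID_URL": f"{AAD}/oauth2/v2.0/authorize",
    "OPENID_USERNAME_FIELD": "email",
    "OPENID_FULLNAME_FIELD": "name",
    "OPENID_SCOPE": "openid email",
}

def check_config(cfg, disco=DISCOVERY):
    """Return the problems found; an empty list means the config is consistent."""
    problems = []
    for key, ep in (("OPENID_URL", "authorization_endpoint"),
                    ("OPENID_TOKEN_URL", "token_endpoint"),
                    ("OPENID_USER_URL", "userinfo_endpoint")):
        if cfg.get(key) != disco[ep]:
            problems.append(f"{key} does not match {ep} from discovery")
    scopes = cfg.get("OPENID_SCOPE", "").split()
    problems += [f"scope '{s}' not in scopes_supported"
                 for s in scopes if s not in disco["scopes_supported"]]
    for key in ("OPENID_USERNAME_FIELD", "OPENID_FULLNAME_FIELD"):
        claim = cfg.get(key)
        needed = SCOPE_FOR_CLAIM.get(claim, "openid")  # assumed for other claims
        if claim is None:
            problems.append(f"{key} is not set")
        elif claim not in disco["claims_supported"]:
            problems.append(f"{key}={claim} is not a claim this provider issues")
        elif needed not in scopes:
            problems.append(f"{key}={claim} requires scope '{needed}'")
    if str(cfg.get("PUBLIC_REGISTER_ENABLED")).lower() != "true":
        problems.append('PUBLIC_REGISTER_ENABLED is not "True" in the backend')
    return problems
```

Running `check_config(ORIGINAL_CFG)` lists the missing authorize URL, the unset field mapping and the missing backend registration flag, while the working config returns no problems; switching the working config's scope back to "openid" alone reports only that the `email` username field needs the `email` scope.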