snok / django-auth-adfs

A Django authentication backend for Microsoft ADFS and AzureAD
http://django-auth-adfs.readthedocs.io/
BSD 2-Clause "Simplified" License
271 stars, 99 forks

Login failed issue #143

Closed dimkoug closed 3 years ago

dimkoug commented 3 years ago

When I log in via ADFS and the user does not exist in the Django users table I get "login failed". Also, in my project I use a custom User model.

How do I log in the user with ADFS and, if the user does not exist, create them?

JonasKs commented 3 years ago

Sounds like you haven't set it up right. Users are created on login.

dimkoug commented 3 years ago

my configuration setup

```python
# client_id, client_secret and tenant_id are loaded elsewhere in settings.py
AUTHENTICATION_BACKENDS = (
    'django_auth_adfs.backend.AdfsAccessTokenBackend',
    "django.contrib.auth.backends.ModelBackend",
)

AUTH_ADFS = {
    'AUDIENCE': client_id,
    'CLIENT_ID': client_id,
    'CLIENT_SECRET': client_secret,
    'CLAIM_MAPPING': {
        'first_name': 'given_name',
        'last_name': 'family_name',
        'email': 'upn',
    },
    'GROUPS_CLAIM': 'roles',
    'MIRROR_GROUPS': True,
    'USERNAME_CLAIM': 'upn',
    'TENANT_ID': tenant_id,
    'RELYING_PARTY_ID': client_id,
}

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django_auth_adfs.middleware.LoginRequiredMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

AUTH_USER_MODEL = 'app.CustomUser'

LOGIN_URL = "django_auth_adfs:login"
LOGIN_REDIRECT_URL = "/"
LOGOUT_REDIRECT_URL = '/'

DEBUG = True

ALLOWED_HOSTS = ['127.0.0.1', 'localhost']
```

In the Azure application, as callback URL I use

https://127.0.0.1:8000/oauth2/callback

JonasKs commented 3 years ago

Please change your access token backend into AuthCodeBackend as seen here: https://django-auth-adfs.readthedocs.io/en/latest/install.html#setting-up-django

I'm suspecting the Azure AD docs tell you to use the wrong backend. I'll double check when I get on my computer.

dimkoug commented 3 years ago

From the console logs I get this log:

django_auth_adfs Invalid issuer Unauthorized: /oauth2/callback

JonasKs commented 3 years ago

Did you do what I wrote above?

Please enable debug logs (there's a guide on how to do that in the docs), and show the entire stack trace.

dimkoug commented 3 years ago

Yes, I changed it, following the link in your message.

The callback path that I use in the Azure portal is

https://127.0.0.1:8000/oauth2/callback

JonasKs commented 3 years ago

It's impossible for me to help you if you don't provide me with what I'm asking for.

dimkoug commented 3 years ago

The logs from the console:

```
127.0.0.1 - - [31/Jan/2021 14:51:50] "GET / HTTP/1.1" 302 -
DEBUG 2021-01-31 14:51:50,427 django_auth_adfs Loading django_auth_adfs ID Provider configuration.
INFO 2021-01-31 14:51:50,427 django_auth_adfs Trying to get OpenID Connect config from https://login.microsoftonline.com/583f3da6-fd9f-435b-8f9a-2227f4828edd/.well-known/openid-configuration?appid=6c31f100-f10e-4bb4-bc3a-8db3638ba721
DEBUG 2021-01-31 14:51:51,013 django_auth_adfs Loading public key from certificate:
DEBUG 2021-01-31 14:51:51,013 django_auth_adfs Loading public key from certificate:
INFO 2021-01-31 14:51:51,013 django_auth_adfs django_auth_adfs loaded settings from ADFS server.
INFO 2021-01-31 14:51:51,013 django_auth_adfs operating mode: openid_connect
INFO 2021-01-31 14:51:51,013 django_auth_adfs authorization endpoint: https://login.microsoftonline.com/583f3da6-fd9f-435b-8f9a-2227f4828edd/oauth2/authorize
INFO 2021-01-31 14:51:51,013 django_auth_adfs token endpoint: https://login.microsoftonline.com/583f3da6-fd9f-435b-8f9a-2227f4828edd/oauth2/token
INFO 2021-01-31 14:51:51,013 django_auth_adfs end session endpoint: https://login.microsoftonline.com/583f3da6-fd9f-435b-8f9a-2227f4828edd/oauth2/logout
INFO 2021-01-31 14:51:51,013 django_auth_adfs issuer: https://sts.windows.net/583f3da6-fd9f-435b-8f9a-2227f4828edd/
127.0.0.1 - - [31/Jan/2021 14:51:51] "GET /oauth2/login?next=/ HTTP/1.1" 302 -
DEBUG 2021-01-31 14:52:15,035 django_auth_adfs Received authorization code:
DEBUG 2021-01-31 14:52:15,035 django_auth_adfs Getting access token at: https://login.microsoftonline.com/583f3da6-fd9f-435b-8f9a-2227f4828edd/oauth2/token
DEBUG 2021-01-31 14:52:15,352 django_auth_adfs Received access token:
INFO 2021-01-31 14:52:15,352 django_auth_adfs Invalid issuer
Unauthorized: /oauth2/callback
127.0.0.1 - - [31/Jan/2021 14:52:15] "GET /oauth2/callback?code=&state=Lw%3d%3d&session_state=4b05e4dc-700d-40e6-86eb-42e24bd8b10a HTTP/1.1" 401 -
127.0.0.1 - - [31/Jan/2021 14:52:15] "GET /favicon.ico HTTP/1.1" 302 -
127.0.0.1 - - [31/Jan/2021 14:52:15] "GET /oauth2/login?next=/favicon.ico HTTP/1.1" 302 -
DEBUG 2021-01-31 14:52:16,237 django_auth_adfs Received authorization code:
DEBUG 2021-01-31 14:52:16,237 django_auth_adfs Getting access token at: https://login.microsoftonline.com/583f3da6-fd9f-435b-8f9a-2227f4828edd/oauth2/token
DEBUG 2021-01-31 14:52:16,454 django_auth_adfs Received access token:
INFO 2021-01-31 14:52:16,454 django_auth_adfs Invalid issuer
Unauthorized: /oauth2/callback
127.0.0.1 - - [31/Jan/2021 14:52:16] "GET /oauth2/callback?code=&state=L2Zhdmljb24uaWNv&session_state=4b05e4dc-700d-40e6-86eb-42e24bd8b10a HTTP/1.1" 401 -
```

JonasKs commented 3 years ago

Hi, sorry for the delayed response. I couldn't find anything wrong for a while.

Can you go to this site:
[screenshot]

Click into Manifest and change accessTokenAcceptedVersion to null or 1:

[screenshot]

Docs: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#v10-and-v20
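The "Invalid issuer" line in the log above is the library comparing the `iss` claim of the returned token against the issuer it learned from the v1 discovery document (`https://sts.windows.net/<tenant>/`). With `accessTokenAcceptedVersion` set to 2, Azure AD issues v2 tokens whose `iss` is `https://login.microsoftonline.com/<tenant>/v2.0`, so the two never match. The following is an added diagnostic written for this page (not code from django-auth-adfs or from anyone in the thread) that decodes a token's payload without verifying the signature and runs the same issuer comparison on two constructed sample tokens; the tenant and app ids are the ones visible in the log, the sample claims are made up.

```python
"""Diagnose an 'Invalid issuer' failure by inspecting the token's `iss` claim.

Added example for this thread, not part of django-auth-adfs. The decode here
skips signature verification on purpose: it is for reading a token you already
hold in a debug log, never for deciding whether a request is authenticated.
"""
import base64
import json

# Tenant and app id as they appear in the log above.
TENANT_ID = "583f3da6-fd9f-435b-8f9a-2227f4828edd"
APP_ID = "6c31f100-f10e-4bb4-bc3a-8db3638ba721"

# Issuer the library logged after loading the v1 discovery document.
DISCOVERY_ISSUER_V1 = f"https://sts.windows.net/{TENANT_ID}/"
# Issuer Azure AD places in v2 tokens (accessTokenAcceptedVersion = 2).
ISSUER_V2 = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg 'none') JWT for the demo only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join((
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "",  # empty signature segment
    ))


def decode_claims_unverified(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def check_issuer(token: str, expected_issuer: str) -> tuple:
    """Mirror the library's check: does `iss` equal the discovery-document issuer?

    Returns (matches, iss_claim) so the caller can print what was actually seen.
    """
    iss = decode_claims_unverified(token).get("iss", "")
    return (iss == expected_issuer, iss)


# Constructed sample tokens for the two manifest settings (claims are made up).
V1_TOKEN = make_unsigned_token({
    "iss": DISCOVERY_ISSUER_V1, "aud": APP_ID, "ver": "1.0",
    "upn": "user@example.com",
})
V2_TOKEN = make_unsigned_token({
    "iss": ISSUER_V2, "aud": APP_ID, "ver": "2.0",
    # v2 tokens carry preferred_username; upn is only present as an optional claim
    "preferred_username": "user@example.com",
})

if __name__ == "__main__":
    for label, tok in (("v1 token", V1_TOKEN), ("v2 token", V2_TOKEN)):
        ok, iss = check_issuer(tok, DISCOVERY_ISSUER_V1)
        print(f"{label}: iss={iss} -> {'OK' if ok else 'Invalid issuer'}")
```

To use it on a real token, paste the value from the "Received access token:" debug line into `decode_claims_unverified` and compare `iss` with the "issuer:" line the library logged at startup; the `ver` claim tells you directly which token version the app registration is issuing. Note that a v2 token also drops the `upn` claim unless it is requested as an optional claim, so a config with `USERNAME_CLAIM: 'upn'` would fail at user lookup even if the issuer matched, which is a second reason to keep the manifest at version 1 (null) for this library.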

dimkoug commented 3 years ago

I made the change and I get this error:

```
Forbidden: /oauth2/callback
127.0.0.1 - - [02/Feb/2021 09:42:22] "GET /oauth2/callback?code=&session_state=HTTP/1.1" 403 -
127.0.0.1 - - [02/Feb/2021 09:42:23] "GET /favicon.ico HTTP/1.1" 302 -
127.0.0.1 - - [02/Feb/2021 09:42:23] "GET /oauth2/login?next=/favicon.ico HTTP/1.1" 302 -
DEBUG 2021-02-02 09:42:24,051 django_auth_adfs Received authorization code:
DEBUG 2021-02-02 09:42:24,051 django_auth_adfs Getting access token at: https://login.microsoftonline.com/583f3da6-fd9f-435b-8f9a-2227f4828edd/oauth2/token
DEBUG 2021-02-02 09:42:24,269 django_auth_adfs Received access token:
DEBUG 2021-02-02 09:42:24,417 django_auth_adfs Attribute 'first_name' for user 'useremail' was set to 'name'.
DEBUG 2021-02-02 09:42:24,417 django_auth_adfs Attribute 'last_name' for user 'useremail' was set to 'surname'.
DEBUG 2021-02-02 09:42:24,417 django_auth_adfs Attribute 'email' for user 'useremail' was set to 'useremail'.
DEBUG 2021-02-02 09:42:24,464 django_auth_adfs The configured groups claim 'roles' was not found in the access token
DEBUG 2021-02-02 09:42:24,464 django_auth_adfs The configured group claim was not found in the access token
Forbidden: /oauth2/callback
127.0.0.1 - - [02/Feb/2021 09:42:24] "GET /oauth2/callback?code= HTTP/1.1" 403 -
```

JonasKs commented 3 years ago

Now the token is validated and OK, the user is created.

Can you post your entire settings.py, or e-mail it to me on jonas-ks@hotmail.com?

dimkoug commented 3 years ago

I sent it by email.

JonasKs commented 3 years ago

Please delete all access_tokens and code=.. from this issue.

For googlers: Changing accessTokenAcceptedVersion solved the issue, as we can see in the logs above. The errors he gets now are related to his custom user model.

abhiraj1289 commented 3 years ago

Hi JonasKs & dimkoug, I am getting the same issue, and I changed the accessTokenAcceptedVersion as you mentioned. But still, I am getting a 401 Unauthorized message. I am not using any custom user model either. Can you please help?

```
[13/Mar/2021 10:37:54] "GET /outh HTTP/1.1" 404 2060
[13/Mar/2021 10:38:03] "GET /oauth2/login HTTP/1.1" 302 0
Unauthorized: /oauth2/callback
[13/Mar/2021 10:38:17] "GET /oauth2/callback?code=0
```

JonasKs commented 3 years ago

Send me your entire settings.py file on email and let me know if you're using ADFS or Azure AD.

I will probably not be able to test out your settings this weekend, but I'll look over them.

Also check the docs on how to enable debug logs, and send me the entire log trace back.

The reason I want this on mail is because I don't want sensitive information posted here (such as client secret and your access token), but if you're able to decode your JWT token and clean out your settings.py, you can post here. 😊 Mail is safest, though.

abhiraj1289 commented 3 years ago

Okay, sent an email.

JonasKs commented 3 years ago

The documentation doesn't include adding the AuthCodeBackend. Adding that fixed his issue.

I'll try to correct this ASAP.

JonasKs commented 2 years ago

Create your own issue, with full trace back, debug logs etc. See the documentation

gwsampso commented 1 month ago

> Hi, sorry for the delayed response. I couldn't find anything wrong for a while.
>
> Can you go to this site: [screenshot]
>
> Click into Manifest and change accessTokenAcceptedVersion to null or 1:
>
> [screenshot]
>
> Docs: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#v10-and-v20

Updating the manifest and changing accessTokenAcceptedVersion to null was an effective fix for me. I had manually changed my accessTokenAcceptedVersion to version 2 as per these guidelines https://learn.microsoft.com/en-us/office/dev/add-ins/develop/create-sso-office-add-ins-nodejs when trying to develop an Excel add-in with SSO that connects to my Django REST Framework API.