snok / django-auth-adfs

A Django authentication backend for Microsoft ADFS and AzureAD
http://django-auth-adfs.readthedocs.io/
BSD 2-Clause "Simplified" License

Login failed - 401 Unauthorized on callback #265

Closed joshDairy closed 1 year ago

joshDairy commented 1 year ago

After going through the log in process we get a successful response from https://login.microsoftonline.com//***/login

We then are asked if we want to stay signed in. After selecting an option we're redirected to https://ourwebsite.com/oauth2/callback?code=0.AXUA....# which gives a 401 Unauthorized with a Login failed response.

We have a Django app hosted on an Azure App Service behind a private endpoint accessed through an Application Gateway. We're using django_auth_adfs for authentication.

To get the redirects working we've added three Rewrites to our Application Gateway.

  1. Sets request header X-Forwarded-Proto to https
  2. Sets location that matches (.)(redirect_uri=https%3A%2F%2F)..azurewebsites.net(.)$ to {http_resp_Location_1}{http_resp_Location_2}{var_host}{http_resp_Location_3}
  3. Sets location that matches (https:\/\/)..azurewebsites.net(.*)$ to https://{var_host}{http_resp_Location_2}

The flow works locally, so I'm not sure if there is a setting on the Django side I need to add for production with our set up or if I've possibly just misconfigured something on the Azure side. I'm currently stuck and am hoping someone here has run into this issue before or has some ideas of where to look for issues. Any help would be greatly appreciated and please let me know if I can provide any more details.

relevant settings.py below:

AUTHENTICATION_BACKENDS = (
    'django_auth_adfs.backend.AdfsAuthCodeBackend',
    'django_auth_adfs.backend.AdfsAccessTokenBackend',
)

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

INSTALLED_APPS = [
    ...
    'django_auth_adfs',
    ...
]

AUTH_ADFS = {
    'AUDIENCE': client_id,
    'CLIENT_ID': client_id,
    'CLIENT_SECRET': client_secret,
    'CLAIM_MAPPING': {'first_name': 'given_name',
                      'last_name': 'family_name',
                      'email': 'upn'},
    'GROUPS_CLAIM': 'roles',
    'MIRROR_GROUPS': True,
    'USERNAME_CLAIM': 'upn',
    'TENANT_ID': tenant_id,
    'RELYING_PARTY_ID': client_id,
}

MIDDLEWARE = [
    ...
    'django_auth_adfs.middleware.LoginRequiredMiddleware',
]

LOGIN_URL = "django_auth_adfs:login"
LOGIN_REDIRECT_URL = "/"

relevant urls.py below:

urlpatterns = [
    ...
    re_path(r'oauth2/', include('django_auth_adfs.urls')),
]
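
Added example, not taken from the issue or from django-auth-adfs: a pure-Python model of how Django chooses scheme and host behind a proxy (SECURE_PROXY_SSL_HEADER, USE_X_FORWARDED_HOST), used to check whether the callback URL the app would build matches the redirect URI registered with Azure AD. Hostnames and header values are constructed sample data; that the library derives redirect_uri from the incoming request, and that the token endpoint requires an exact match, are assumptions to confirm against the library's documentation and the collected logs.

```python
CALLBACK_PATH = "/oauth2/callback"  # path served by include('django_auth_adfs.urls') under oauth2/

# Constructed sample: META as a Django app might see it behind a gateway that
# rewrote Host to the backend name and added X-Forwarded-Proto / X-Forwarded-Host.
SAMPLE_META = {
    "HTTP_HOST": "ourapp.azurewebsites.net",    # constructed internal backend host
    "HTTP_X_FORWARDED_PROTO": "https",          # set by the gateway's rewrite rule 1
    "HTTP_X_FORWARDED_HOST": "ourwebsite.com",  # constructed public host
}
REGISTERED_REDIRECT_URI = "https://ourwebsite.com/oauth2/callback"  # constructed app registration value

def effective_scheme(meta, secure_proxy_ssl_header=None, raw_scheme="http"):
    """Model of HttpRequest.scheme: the proxy header is trusted only when
    SECURE_PROXY_SSL_HEADER names it, and only an exact value match means https."""
    if secure_proxy_ssl_header:
        header, secure_value = secure_proxy_ssl_header
        value = meta.get(header)
        if value is not None:
            return "https" if value == secure_value else "http"
    return raw_scheme  # scheme of the hop that reached Django (plain http behind most gateways)

def effective_host(meta, use_x_forwarded_host=False):
    """Model of HttpRequest.get_host(): X-Forwarded-Host is honoured only with
    USE_X_FORWARDED_HOST = True; otherwise the Host header wins. Django also
    validates the result against ALLOWED_HOSTS, which must list the public host."""
    if use_x_forwarded_host and "HTTP_X_FORWARDED_HOST" in meta:
        return meta["HTTP_X_FORWARDED_HOST"].split(",")[0].strip()
    return meta["HTTP_HOST"]

def build_redirect_uri(meta, secure_proxy_ssl_header=None, use_x_forwarded_host=False):
    """The absolute callback URL build_absolute_uri() would produce under these settings."""
    scheme = effective_scheme(meta, secure_proxy_ssl_header)
    host = effective_host(meta, use_x_forwarded_host)
    return f"{scheme}://{host}{CALLBACK_PATH}"

def redirect_uri_matches(meta, registered, **settings):
    """Exact comparison: a scheme or host difference is enough for the code-for-token
    exchange to be refused, which surfaces as a failed login on the callback."""
    return build_redirect_uri(meta, **settings) == registered

if __name__ == "__main__":
    proxy = ("HTTP_X_FORWARDED_PROTO", "https")  # SECURE_PROXY_SSL_HEADER as in the issue
    for label, kw in [("issue settings", dict(secure_proxy_ssl_header=proxy)),
                      ("plus USE_X_FORWARDED_HOST", dict(secure_proxy_ssl_header=proxy, use_x_forwarded_host=True)),
                      ("no SECURE_PROXY_SSL_HEADER", {})]:
        built = build_redirect_uri(SAMPLE_META, **kw)
        print(f"{label}: {built} -> {'OK' if built == REGISTERED_REDIRECT_URI else 'MISMATCH'}")
```

The Location rewrites on the gateway only fix the browser-visible redirect; the redirect_uri the app sends server-to-server in the token request is whatever the app itself builds, which is what this check reproduces.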

JonasKs commented 1 year ago

Please post logs, you can find a tutorial on how to set it up here: https://django-auth-adfs.readthedocs.io/en/latest/troubleshooting.html

sondrelg commented 1 year ago

Closing from lack of response. Feel free to reopen :slightly_smiling_face:

joshDairy commented 1 year ago

Apologies for the delayed response. We're having a little trouble getting the debug output in the Azure App Service. I'm working on it now and will update as soon as I have it.