search

snok / django-auth-adfs

A Django authentication backend for Microsoft ADFS and AzureAD
http://django-auth-adfs.readthedocs.io/
BSD 2-Clause "Simplified" License
270 stars 98 forks source link

Use Azure v2.0 endpoints #285

Open jlcmux opened 1 year ago

jlcmux commented 1 year ago

I'm trying to use v2.0 endpoints and i found the settings:

'VERSION': "v2.0",
'SCOPES': ['api://5dxxxxxx985e05af/read']

i got the token but the django backend shows:

{ "detail": "Invalid access token." }

Any other settings needed to do this?

Thank you.

Fund with Polar

jlcmux commented 1 year ago

INFO 2023-05-07 18:07:21,712 django_auth_adfs Loaded settings from ADFS server. INFO 2023-05-07 18:07:21,712 django_auth_adfs operating mode: openid_connect INFO 2023-05-07 18:07:21,712 django_auth_adfs authorization endpoint: https://login.microsoftonline.com/98f8aa58-70f0-4fe7-84fd-ea807f798f93/oauth2/v2.0/authorize INFO 2023-05-07 18:07:21,712 django_auth_adfs token endpoint: https://login.microsoftonline.com/98f8aa58-70f0-4fe7-84fd-ea807f798f93/oauth2/v2.0/token INFO 2023-05-07 18:07:21,712 django_auth_adfs end session endpoint: https://login.microsoftonline.com/98f8aa58-70f0-4fe7-84fd-ea807f798f93/oauth2/v2.0/logout INFO 2023-05-07 18:07:21,712 django_auth_adfs issuer: https://login.microsoftonline.com/98f8aa58-70f0-4fe7-84fd-ea807f798f93/v2.0 INFO 2023-05-07 18:07:21,712 django_auth_adfs msgraph endpoint: graph.microsoft.com DEBUG 2023-05-07 18:07:21,713 django_auth_adfs Received access token: eyJ0eXMiLCJnaX......... Pq2XPGYGcj5xPer6sbU9cccjj_gvYg INFO 2023-05-07 18:07:21,714 django_auth_adfs Invalid issuer

jlcmux commented 1 year ago

i could solve this changing accessTokenAcceptedVersion on manifest to "2".

but after this i got this:

image

and the django endpoint never respond:

image

Any idea?

jlcmux commented 1 year ago

this happends if i cancel with CTRL+C

<QuerySet []> sys:1: ResourceWarning: unclosed <ssl.SSLSocket fd=1360, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('192.168.1.3', 55875), raddr=('20.190.190.131', 443)>

jlcmux commented 1 year ago

No idea why but when a run with python manage.py runserver 0.0.0.0:8000 the api dont respond but when i run it with docker, works fine.

JonasKs commented 1 year ago

Please de code the token at jwt.me/jwt.io and check the roles and aud claim. The aud should match your clientID. If the roles contain a graph link, Django has to fetch the roles from Azure Graph. I suspect your locally run instance cannot connect to Azure

gvsireesh commented 1 year ago

Hi @jlcmux, @JonasKs were you able to find a solution for the issue. I'm facing exactly the same issue I have created a djangorestframework api it doesn't have any frontend. We have created app registered for the API and performed all the steps like creating scope, adding client application and providing the scope permission on the client application. I'm able to generate access token using my client application credentials however when I use that in the postman for the API it return invalid access token. I have validated the token and the audience is correct.

Backend API app registration configuration

image

On client I have added API permission

image

Generation OAuth token using

https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token with body grant_type:client_credentials client_id:{client_id} client_secret:{client_secret} scope:api://{app_id}/.default

I'm able to get the access token, and using the same in the header while calling the API from postman image

My configurations in Django application

settings.py


AUTHENTICATION_BACKENDS = [
    'django_auth_adfs.backend.AdfsAccessTokenBackend',
]

AUTH_ADFS = {
    'CLIENT_ID': client_id,
    'TENANT_ID': tenant_id,
    'VERSION': "v2.0",
    'SCOPES':['api://{app_id}/api.read'],
    'AUDIENCE': client_id,
    'RELYING_PARTY_ID': client_id,
    'LOGIN_EXEMPT_URLS': [
        '^api',  # Assuming you API is available at /api
    ],
}
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'django_auth_adfs.rest_framework.AdfsAccessTokenAuthentication',
        'rest_framework.authentication.SessionAuthentication',
    )
}

**views.py**

`
class SearchView(views.APIView):
    @action(methods=["post"], detail=True, permission_classes=[IsAuthenticated])
    def post(self, request):
        return Response('Success Response', status=status.HTTP_200_OK)
`

Could you please help me in setting up this
JonasKs commented 1 year ago

Please attach debug logs.

gvsireesh commented 1 year ago

Hi @JonasKs , Please find additional logs here, have replaced sensitive data with tokens

DEBUG 2023-06-22 12:06:34,979 django_auth_adfs Loading ID Provider configuration. INFO 2023-06-22 12:06:34,979 django_auth_adfs Trying to get OpenID Connect config from https://login.microsoftonline.com/{tenantid}/v2.0/.well-known/openid-configuration?appid= DEBUG 2023-06-22 12:06:35,446 django_auth_adfs Loading public key from certificate: DEBUG 2023-06-22 12:06:35,454 django_auth_adfs Loading public key from certificate: DEBUG 2023-06-22 12:06:35,458 django_auth_adfs Loading public key from certificate: DEBUG 2023-06-22 12:06:35,461 django_auth_adfs Loading public key from certificate: INFO 2023-06-22 12:06:35,465 django_auth_adfs Loaded settings from ADFS server. INFO 2023-06-22 12:06:35,466 django_auth_adfs operating mode: openid_connect INFO 2023-06-22 12:06:35,467 django_auth_adfs authorization endpoint: https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize INFO 2023-06-22 12:06:35,468 django_auth_adfs token endpoint: https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token INFO 2023-06-22 12:06:35,469 django_auth_adfs end session endpoint: https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/logout INFO 2023-06-22 12:06:35,469 django_auth_adfs issuer: https://login.microsoftonline.com/{tenantid}/v2.0 INFO 2023-06-22 12:06:35,470 django_auth_adfs msgraph endpoint: graph.microsoft.com DEBUG 2023-06-22 12:06:35,481 django_auth_adfs Received access token: INFO 2023-06-22 12:06:35,496 django_auth_adfs Invalid issuer

Let me know if you need additional information

when I decode the access token issuer id is https://sts.windows.net//

If I remove 'VERSION': "v2.0" from AUTH_ADFS then I'm getting below error

django_auth_adfs User claim's doesn't have the claim 'upn' in his claims:

JonasKs commented 1 year ago

when I decode the access token issuer id is https://sts.windows.net//

Sounds like you haven't changed the token version to v2 in the manifest. Do that and give it 24 hours and test again. Azure is slow b

gvsireesh commented 1 year ago

when I decode the access token issuer id is https://sts.windows.net//

Sounds like you haven't changed the token version to v2 in the manifest. Do that and give it 24 hours and test again. Azure is slow b

Hi @JonasKs, I have made that change yesterday itself but as you mentioned it took time to reflect. Now, the change I can see however I'm getting a differet error

DEBUG 2023-06-23 18:35:11,438 django_auth_adfs The configured groups claim groups was not found in the access token ERROR 2023-06-23 18:35:11,439 django_auth_adfs User claim's doesn't have the claim 'upn' in his claims I'm using service prinicpal access token to authenticate.

My settings are this, is this something I need to change. I think I'm close to resolving this issue but yet unable to figure it out.

AUTH_ADFS = { 'CLIENT_ID': client_id, 'TENANT_ID': tenant_id, 'VERSION': "v2.0", 'SCOPES':['scope'], 'AUDIENCE': client_id, 'RELYING_PARTY_ID': client_id, 'LOGIN_EXEMPT_URLS': [ '^api', # Assuming you API is available at /api ], }

JonasKs commented 1 year ago

The configured groups claim groups was not found in the access token

This can be configured.