verdan / flaskoidc

A wrapper of Flask with pre-configured OIDC support
Apache License 2.0

Issues using Azure AD #27

Closed zjph90 closed 2 years ago

zjph90 commented 2 years ago

Hi Verdan,

Not sure if this is the right place to be writing this as it is specifically an Amundsen issue but I followed the link from your stemma.ai article.

I am attempting to use Azure AD to provide authentication for our Amundsen instance. I have followed the instructions in your article and I think it is mostly working. When I go to the home page I am initially redirected to the Azure login page. Authentication appears to work correctly and I am directed back to the Amundsen home page. However when I attempt to search nothing happens in the frontend. I can see in the logs that I am getting the following error:

  File "/usr/local/lib/python3.7/site-packages/amundsen_frontend-4.0.1-py3.7.egg/amundsen_application/log/action_log.py", line 85, in _build_metrics
    metrics['user'] = flask_app.config['AUTH_USER_METHOD'](flask_app).email
AttributeError: 'dict' object has no attribute 'email'

With my limited python debugging capability I can see that the _get_authuser() function is returning the dict:

{'_schema': ['"display_name", "full_name", or "email" must be provided']}

It might imply that we are not getting an email field back from the Azure server but when I check the config url it definitely lists "email" in the claims_supported list.

When I experimented with different values for FLASK_OIDC_USER_ID_FIELD I got:

Make sure to set the proper 'FLASK_OIDC_USER_ID_FIELD' env variable to match with your OIDC Provider.'email' is not present in the response from OIDC Provider. 
Available Keys are: (aud, iss, iat, nbf, exp, name, nonce, oid, preferred_username, rh, sub, tid, uti, ver). 

The claims_supported list from the config url is:

claims_supported: [ "sub", "iss", "cloud_instance_name", "cloud_instance_host_name", "cloud_graph_host_name", "msgraph_host", "aud", "exp", "iat", "auth_time", "acr", "nonce", "preferred_username", "name", "tid", "ver", "at_hash", "c_hash", "email" ]

I'm not sure where to go from here.

Any help appreciated.

Cheers, John

verdan commented 2 years ago

Can you please try to set 'FLASK_OIDC_USER_ID_FIELD=preferred_username', as Azure does not return the key "email" in the response.

zjph90 commented 2 years ago

I tried with preferred_username and I still get the 'dict' object has no attribute 'email' error.

zjph90 commented 2 years ago

I've been able to work past this issue - with a bit of a fudge rather than a fix.

The script action_log.py was failing because flask_app.config['AUTH_USER_METHOD'](flask_app).email was not defined, but I'm guessing this is just making a log entry somewhere. I hard-coded a value in there and it now works. The frontend appears to converse happily with the search and metadata services.

Obviously we would like to fix the _build_metrics function properly. It looks like there is some unexpected response from the Azure AD server (returning {'_schema': ['"display_name", "full_name", or "email" must be provided']}), but I have so far been unable to get any insight into this.

denispoperechny commented 2 years ago

To fix the 'email' issue I just use a custom "AUTH_USER_METHOD" in the added config file, as it's intended for this purpose (per my understanding):

```python
from flask import Flask, session
from amundsen_application.models.user import User, load_user


def get_auth_user(app: Flask) -> User:
    # flaskoidc stores the claims returned by the OIDC provider in session["user"]
    user_data = session.get("user")

    # Azure AD does not return an "email" claim; reuse preferred_username for it
    if "preferred_username" in user_data:
        user_data["email"] = user_data["preferred_username"]

    # load_user validates the dict against Amundsen's UserSchema and builds the User
    user_info = load_user(user_data)

    return user_info
```
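Added example, not code from this thread, from flaskoidc or from Amundsen: a stand-alone version of the claim mapping above that can be exercised without Flask or a live Azure AD tenant. It takes a claim set with exactly the keys Azure AD returned in the thread (all values below are constructed), reproduces the FLASK_OIDC_USER_ID_FIELD presence check with a message modelled on the one quoted above, copies preferred_username into email only when it actually looks like a mailbox (Azure AD's preferred_username can be a UPN or, for personal accounts, a phone number, and Microsoft documents it as mutable, so it is kept separate from the stable oid claim), and raises the same "display_name, full_name, or email" error Amundsen's UserSchema raises when nothing usable is left. The function and constant names are assumptions for the example.

```python
"""Map an Azure AD ID-token claim set onto the fields Amundsen's user schema needs."""
from typing import Any, Dict, Optional

# Constructed sample of what flaskoidc would hold in session["user"] after an Azure AD
# login: the key set is the one listed in the thread, every value is made up.
AZURE_CLAIMS: Dict[str, Any] = {
    "aud": "00000000-0000-0000-0000-000000000000",
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "iat": 1650000000,
    "nbf": 1650000000,
    "exp": 1650003600,
    "name": "John Example",
    "nonce": "n-0S6_WzA2Mj",
    "oid": "22222222-2222-2222-2222-222222222222",
    "preferred_username": "john.example@contoso.com",
    "rh": "0.AXXXX",
    "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "tid": "11111111-1111-1111-1111-111111111111",
    "uti": "uti-value",
    "ver": "2.0",
}

# At least one of these must be non-empty, per the "_schema" error quoted in the thread.
IDENTITY_FIELDS = ("display_name", "full_name", "email")


def check_user_id_field(claims: Dict[str, Any], user_id_field: str) -> str:
    """Presence check for the configured user-id claim (message modelled on flaskoidc's)."""
    if user_id_field not in claims:
        raise KeyError(
            f"'{user_id_field}' is not present in the response from OIDC Provider. "
            f"Available Keys are: ({', '.join(claims)})."
        )
    return str(claims[user_id_field])


def looks_like_email(value: Optional[str]) -> bool:
    """Cheap sanity check: a UPN or phone-number preferred_username is not a mailbox."""
    return bool(value) and "@" in value and " " not in value


def azure_claims_to_amundsen_user(
    claims: Dict[str, Any], user_id_field: str = "preferred_username"
) -> Dict[str, Any]:
    """Build the dict that load_user() would receive, filling the gaps Azure AD leaves."""
    user = dict(claims)
    user["user_id"] = check_user_id_field(claims, user_id_field)

    # Azure AD sends no "email" claim here; preferred_username is the usual stand-in,
    # but it is mutable, so oid stays in the dict as the stable tenant-scoped identity.
    if "email" not in user and looks_like_email(claims.get("preferred_username")):
        user["email"] = claims["preferred_username"]

    # "name" is a display value only, but it satisfies the schema when email is absent.
    user.setdefault("display_name", claims.get("name"))
    user.setdefault("full_name", claims.get("name"))

    if not any(user.get(field) for field in IDENTITY_FIELDS):
        raise ValueError('"display_name", "full_name", or "email" must be provided')
    return user


if __name__ == "__main__":
    print(azure_claims_to_amundsen_user(AZURE_CLAIMS))
```

Wiring this into Amundsen would mean calling it from the custom AUTH_USER_METHOD before load_user(); the point of the stand-alone form is that the two failure modes seen in the thread (the missing-key message and the "_schema" error) can be reproduced and checked offline.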

verdan commented 2 years ago

@zjph90 does the above solve your issue?

verdan commented 2 years ago

Closing this issue for now, assuming the above solution helped. Please re-open if needed.