Oauth and Azure AD

Hi,

We’re using Azure AD provider and I’m trying to use OAuth to authenticate users on Indico through Azure AD.
Unfortunately I haven’t succeeded so far.
Error message: Login failed: No identity found
In indico.log:
Authentication via azure failed: No identity found (None)

Has anybody succeeded in authenticating through Azure AD, and if so, can anyone tell me if I’m missing something?

_azure_oauth_config = {
    'consumer_key': 'abcd',  # put key here
    'consumer_secret': '1234',  # put secret here
    'request_token_params': {'scope': 'User.Read'},
    'request_token_url': None,
    'access_token_method': 'POST',
    # replace {tenantid} with the tenant id provided by Azure
    'access_token_url': 'https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token',
    'authorize_url': 'https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize'
}

AUTH_PROVIDERS = {
    'azure': {
        'type': 'oauth',
        'title': 'Azure',
        'oauth': _azure_oauth_config
    }
}

IDENTITY_PROVIDERS = {
    'azure': {
        'type': 'oauth',
        'oauth': _azure_oauth_config,
        'endpoint': '/user',
        'identifier_field': 'userPrincipalName',
        'trusted_email': True,
    }
}

How is that tenantid supposed to be guessed by Indico? I don’t think that will work (which maybe explains the issue?).

Hi,

Indeed, {tenantid} should be replaced by the tenant ID provided by Azure.
I edited the code block for more clarity.

I actually tried to quickly configure login with Azure and it seems to work.

_azure_oauth_config = {
    'access_token_method': 'POST',
    'authorize_url': 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
    'access_token_url': 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
    'consumer_key': '----',
    'consumer_secret': '----',
    'request_token_url': None,
    'request_token_params': {'scope': 'user.read'}
}

AUTH_PROVIDERS = {
    "ms-azure": {
        "type": "oauth",
        "title": "Azure OAuth",
        "oauth": _azure_oauth_config
    }
}

IDENTITY_PROVIDERS = {
    'ms-azure': {
        'title': "Azure",
        'trusted_email': True,
        'type': 'oauth',
        'oauth': _azure_oauth_config,
        'endpoint': 'https://graph.microsoft.com/v1.0/me',
        'identifier_field': 'id',
        'mapping': {
            'user_name': 'userPrincipalName',
            'first_name': 'givenName',
            'last_name': 'surname',
            'phone': 'mobilePhone',
            'email': 'mail'
        }
    }
}

PROVIDER_MAP = {"ms-azure": "ms-azure"}

The only problem seems to be that Azure doesn’t send back my e-mail address. I tried to play with the scope parameter to no avail. But at least this seems to solve your problem.
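To make the identity part of the configuration above concrete, here is an added example (not Indico's or Flask-Multipass's own code) that applies the `identifier_field` and `mapping` settings to a constructed Graph `/me` document and builds the authorize URL from the OAuth settings. The sample `/me` response, the `APP-ID-PLACEHOLDER` client id, the redirect URI and the function names are assumptions for illustration. It shows the two failure modes discussed in the thread: a response without the identifier field yields no identity at all, and a response whose `mail` attribute is empty yields an identity without an e-mail, so `trusted_email` has nothing to trust.

```python
import secrets
from urllib.parse import urlencode

# Taken from the working configuration posted above; the key and secret are
# placeholders, not real application credentials.
AZURE_OAUTH = {
    'access_token_method': 'POST',
    'authorize_url': 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
    'access_token_url': 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
    'consumer_key': 'APP-ID-PLACEHOLDER',
    'consumer_secret': 'SECRET-PLACEHOLDER',
    'request_token_url': None,
    'request_token_params': {'scope': 'user.read'},
}

IDENTITY_PROVIDER = {
    'trusted_email': True,
    'endpoint': 'https://graph.microsoft.com/v1.0/me',
    'identifier_field': 'id',
    'mapping': {
        'user_name': 'userPrincipalName',
        'first_name': 'givenName',
        'last_name': 'surname',
        'phone': 'mobilePhone',
        'email': 'mail',
    },
}

# Constructed sample of a Graph /me document for a user whose mailbox
# attribute is empty, the situation described in the post above.
SAMPLE_ME = {
    'id': '00000000-0000-0000-0000-000000000001',
    'userPrincipalName': 'jane.doe@example.org',
    'givenName': 'Jane',
    'surname': 'Doe',
    'mobilePhone': None,
    'mail': None,
}


def build_authorize_url(oauth_cfg, redirect_uri, state):
    """Return the URL the browser is sent to in the authorization-code flow.

    The scope comes from request_token_params; the caller supplies a random
    state value and checks it again when the provider redirects back.
    """
    params = {
        'client_id': oauth_cfg['consumer_key'],
        'response_type': 'code',
        'redirect_uri': redirect_uri,
        'response_mode': 'query',
        'state': state,
    }
    params.update(oauth_cfg.get('request_token_params', {}))
    return oauth_cfg['authorize_url'] + '?' + urlencode(params)


def extract_identity(me, idp_cfg):
    """Map a /me document to identity data using identifier_field and mapping.

    Returns None when the identifier field is missing, which is the condition
    behind the "No identity found" error quoted in the first post.
    """
    identifier = me.get(idp_cfg['identifier_field'])
    if not identifier:
        return None
    data = {}
    for indico_field, graph_field in idp_cfg['mapping'].items():
        value = me.get(graph_field)
        if value not in (None, ''):
            data[indico_field] = value
    # trusted_email only means something if the provider returned an address.
    email_trusted = bool(idp_cfg.get('trusted_email')) and 'email' in data
    return {'identifier': identifier, 'data': data, 'email_trusted': email_trusted}


if __name__ == '__main__':
    # Assumed redirect URI for illustration only.
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(AZURE_OAUTH, 'https://indico.example.org/multipass/oauth/ms-azure', state))
    print(extract_identity(SAMPLE_ME, IDENTITY_PROVIDER))
    print(extract_identity({'userPrincipalName': 'no-id@example.org'}, IDENTITY_PROVIDER))
```

With `identifier_field` set to `id` the identity is keyed on the stable object id rather than the user principal name, so a renamed account keeps its link; with `mail` empty, the mapped data simply lacks `email`, which is why changing the scope alone did not help.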

OK, if I try to do the same using my professional Azure account, it seems to work fine:

It does solve my problem!
Thanks for your help.