How to use Weblate with Azure B2C and custom policy?
Closed this issue · 13 comments
Describe the issue
We have Azure B2C set up with a custom policy flow. We'd like to use this for login with Weblate. According to this linked article from the documentation, one can use a B2C Tenant with the WEBLATE_SOCIAL_AUTH_AZUREAD_B2C_OAUTH2_POLICY environment variable.
However, the Weblate documentation does not state what the name of the back-end should be, i.e. the value for the environment variable WEBLATE_REGISTRATION_ALLOW_BACKENDS.
Should one just use azuread-tenant-oauth2 or is there something like azuread-b2c-tenant-oauth2?
I already tried
- I've read and searched the documentation.
- I've searched for similar issues in this repository.
Steps to reproduce the behavior
No response
Expected behavior
No response
Screenshots
No response
Exception traceback
No response
How do you run Weblate?
Docker container
Weblate versions
No response
Weblate deploy checks
No response
Additional context
No response
This issue looks more like a support question than an issue. We strive to answer these reasonably fast, but purchasing the support subscription is not only more responsible and faster for your business but also makes Weblate stronger.
In case your question is already answered, making a donation is the right way to say thank you!
The back-end azuread-tenant-oauth2 does not work apparently. At least the Azure button is not displayed.
It should be azuread-b2c-oauth2 (see https://github.com/python-social-auth/social-core/blob/3d818d67f4969b99a09880f6a6fcf4bf187bdb28/social_core/backends/azuread_b2c.py#L54), but it's not the setting you want to change - it only allows creating new registrations from certain backend when new registrations are disabled in Weblate.
What you need is to add the backend to AUTHENTICATION_BACKENDS setting. As you seem to be using Docker, this can only be done via custom configuration file, see https://docs.weblate.org/en/latest/admin/install/docker.html#further-configuration-customization
@nijel Thank you so much for that hint. How exactly would I do that in my case?
We run Weblate via a Docker Compose file on Azure App Service for Containers (managed service). The Docker Compose file looks like this:
version: "3"
services:
weblate:
image: weblate/weblate
tmpfs:
- /app/cache
volumes:
- weblate-data:/app/data
environment:
- REDIS_HOST=cache
- REDIS_PORT=6379
restart: always
depends_on:
- cache
ports:
- 80:8080
cache:
image: redis:6-alpine
restart: always
command: ["redis-server", "--appendonly", "yes"]
volumes:
- redis-data:/data
volumes:
weblate-data: {}
redis-data: {}and all the settings are injected via environment variables (aka Application Settings) in Azure.
How would I overwrite the settings? Do I just create a new file /app/data/settings-override.py that only consists of
AUTHENTICATION_BACKENDS = (
"social_core.backends.azuread_b2c.AzureADB2COAuth2",
"social_core.backends.email.EmailAuth",
"weblate.accounts.auth.WeblateUserBackend",
)and nothing else? Is that it?
And how would I put that file in the weblate-data volume via the Docker Compose file? Or do I have to build a custom container image for that? Even then, how could I add the settings-override.py in a data volume during build time when said volume only exists during run time? I'm a bit confused here.
You need to add configuration for it as well starting with SOCIAL_AUTH_AZUREAD_B2C_OAUTH2_.
Yeah, the ones here I guess.
But just to clarify again: the /app/data/settings-override.py does not need to include anything else but the AUTHENTICATION_BACKENDS assignment above. Is that correct?
Do you have any hint for me what the best way is to bake this file into my Docker Compose setup?
These need to be in the settings-override.py as well.
Ah okay. Because until recently (with Azure AD, not B2C) we injected said settings via environment variables (aka Application Settings) in Azure with an additional prefix WEBLATE_, e.g. WEBLATE_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_TENANT_ID.
Is that an alternative way or should I do both, i.e. put SOCIAL_AUTH_AZUREAD_B2C_TENANT_OAUTH2_TENANT_ID in settings.override.py AND set WEBLATE_SOCIAL_AUTH_AZUREAD_B2C_TENANT_OAUTH2_TENANT_ID as an environment variable?
Yes, for supported backends it can be injected via environment, for anything else, Python settings are used.
Thank you. I will try to bake this into the Docker Compose file. I hope I get it to work with my cloud environment.
Two last questions:
-
Alternatively, I could also use the OpenIdConnect back-end with Azure B2C, I guess. Is OpenIdConnect supported out of the box? At least the corresponding environment variables are listed here.
-
The documentation says
The remaining configuration will be auto-detected, by fetching:
<SOCIAL_AUTH_OIDC_OIDC_ENDPOINT>/.well-known/openid-configurationHowever, Azure B2C OpenIdConnect-Endpoints must include the Azure B2C policy as a query parameter and, hence, they look like this:
https://my-company-auth.b2clogin.com/my-company-auth.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_SIGNUP_SIGNIN
Is it possible to set the endpoint manually without the automatic appending of the "/.well-known/openid-configuration" suffix? Or do you know any other way of specifying the query parameter "p=B2C_SIGNUP_SIGNIN"?
For anyone having the same questions and ending up here:
You can also use
https://my-company-auth.b2clogin.com/my-company-auth.onmicrosoft.com/B2C_SIGNUP_SIGNIN/v2.0/.well-known/openid-configuration
as an alternative endpoint. That's not listed / documented in Azure Portal as endpoint, but it does work. So that makes my second question obsolete.
I have tried the OIDC back-end now and, in principal, it seems to work. Hence, I will close this issue now.
However, there is still an OIDC error, but I opened a new issue for this. See #7911.
The issue you have reported is now resolved. If you don’t feel it’s right, please follow its labels to get a clue for further steps.
- In case you see a similar problem, please open a separate issue.
- If you are happy with the outcome, don’t hesitate to support Weblate by making a donation.