python-social-auth/social-core

Authentication with Microsoft Azure AD in a multi-tenant app

tiago-peres opened this issue · 2 comments

According to the Microsoft docs, Multitenant applications are to be redirected to https://login.microsoftonline.com/organizations.

Since I'm using social_core.backends.azuread.AzureADOAuth2, the user is redirected to https://login.microsoftonline.com/common (https://github.com/python-social-auth/social-core/blob/master/social_core/backends/azuread.py#L43). Thing is, common is for Multitenant and personal accounts.


I tried using social_core.backends.azuread_tenant.AzureADTenantOAuth2, since it allows defining the target tenant, with two different variations in the Tenant:

  • SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_TENANT_ID = "organizations"
  • SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_TENANT_ID = "(my tenant id)"

None of them worked.


Would be cool to be able to change the Tenant ID in social_core.backends.azuread.AzureADOAuth2, like this: SOCIAL_AUTH_AZUREAD_OAUTH2_TENANT_ID = "organizations".

I've explained here in more detail too.

For now I created a custom backend extending AzureADOAuth2:

from social_core.backends.azuread import AzureADOAuth2

class CustomAzureADOAuth2(AzureADOAuth2):
    BASE_URL = "https://login.microsoftonline.com/organizations"

@tiago-peres Strange, it should work, but have you had a chance to use 'social_core.backends.azuread_tenant.AzureADV2TenantOAuth2'? Mind the V2 version, as you should slowly migrate to the v2.0 endpoints. See here

I have an application bound to specific tenant due to company policy (internal app) so I have to provide tenant id and it works as intended.
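
A server-side counterpart to the `common` / `organizations` / single-tenant choice discussed in this thread, as an added example that is not part of the issue or of social-core: the endpoint only steers which accounts are offered at sign-in, so the application can also check the `tid` and `iss` claims of the returned ID token against the same policy. It assumes the token signature has already been verified; `check_tenant`, `TenantRejected` and the sample work tenant GUID are hypothetical names and constructed values.

```python
import re

# Tenant ID Microsoft uses for personal (consumer) accounts.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"
GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")


class TenantRejected(Exception):
    """The token's tenant does not satisfy the configured policy."""


def check_tenant(claims, policy):
    """Check signature-verified ID-token claims (assumed) against a policy.

    policy is "common", "organizations" or one tenant GUID, mirroring the
    path segment in https://login.microsoftonline.com/<tenant>.
    Returns the tenant ID, or raises TenantRejected.
    """
    tid = str(claims.get("tid", "")).lower()
    if not GUID_RE.fullmatch(tid):
        raise TenantRejected("missing or malformed tid claim")
    # iss must name the same tenant as tid (v1.0 and v2.0 issuer formats).
    issuers = {f"https://sts.windows.net/{tid}/",
               f"https://login.microsoftonline.com/{tid}/v2.0"}
    if claims.get("iss") not in issuers:
        raise TenantRejected("iss does not match tid")
    if policy == "organizations" and tid == MSA_TENANT_ID:
        raise TenantRejected("personal accounts are not allowed")
    if policy not in ("common", "organizations") and tid != policy.lower():
        raise TenantRejected("token was issued by a different tenant")
    return tid


# Constructed sample claims: a hypothetical work tenant and a personal account.
WORK_TID = "11111111-2222-3333-4444-555555555555"
WORK_CLAIMS = {"tid": WORK_TID,
               "iss": f"https://login.microsoftonline.com/{WORK_TID}/v2.0"}
PERSONAL_CLAIMS = {"tid": MSA_TENANT_ID,
                   "iss": f"https://login.microsoftonline.com/{MSA_TENANT_ID}/v2.0"}

if __name__ == "__main__":
    for policy in ("common", "organizations", WORK_TID):
        for name, c in (("work", WORK_CLAIMS), ("personal", PERSONAL_CLAIMS)):
            try:
                check_tenant(c, policy)
                print(policy, name, "accepted")
            except TenantRejected as exc:
                print(policy, name, "rejected:", exc)
```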