snok/django-auth-adfs

Use Azure v2.0 endpoints

jlcmux opened this issue · 11 comments

I'm trying to use v2.0 endpoints and I found the settings:

'VERSION': "v2.0",
'SCOPES': ['api://5dxxxxxx985e05af/read']

I got the token, but the Django backend shows:

{
"detail": "Invalid access token."
}

Any other settings needed to do this?

Thank you.


INFO 2023-05-07 18:07:21,712 django_auth_adfs Loaded settings from ADFS server.
INFO 2023-05-07 18:07:21,712 django_auth_adfs operating mode: openid_connect
INFO 2023-05-07 18:07:21,712 django_auth_adfs authorization endpoint: https://login.microsoftonline.com/98f8aa58-70f0-4fe7-84fd-ea807f798f93/oauth2/v2.0/authorize
INFO 2023-05-07 18:07:21,712 django_auth_adfs token endpoint: https://login.microsoftonline.com/98f8aa58-70f0-4fe7-84fd-ea807f798f93/oauth2/v2.0/token
INFO 2023-05-07 18:07:21,712 django_auth_adfs end session endpoint: https://login.microsoftonline.com/98f8aa58-70f0-4fe7-84fd-ea807f798f93/oauth2/v2.0/logout
INFO 2023-05-07 18:07:21,712 django_auth_adfs issuer: https://login.microsoftonline.com/98f8aa58-70f0-4fe7-84fd-ea807f798f93/v2.0
INFO 2023-05-07 18:07:21,712 django_auth_adfs msgraph endpoint: graph.microsoft.com
DEBUG 2023-05-07 18:07:21,713 django_auth_adfs Received access token: eyJ0eXMiLCJnaX.........Pq2XPGYGcj5xPer6sbU9cccjj_gvYg
INFO 2023-05-07 18:07:21,714 django_auth_adfs Invalid issuer

I could solve this by changing accessTokenAcceptedVersion in the manifest to "2".

But after this I got this:

image

and the Django endpoint never responds:

image

Any idea?

This happens if I cancel with CTRL+C:

<QuerySet []>
sys:1: ResourceWarning: unclosed <ssl.SSLSocket fd=1360, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('192.168.1.3', 55875), raddr=('20.190.190.131', 443)>

No idea why, but when I run with python manage.py runserver 0.0.0.0:8000 the API doesn't respond, but when I run it with Docker it works fine.

Please decode the token at jwt.me/jwt.io and check the roles and aud claims. The aud should match your client ID. If the roles contain a Graph link, Django has to fetch the roles from Azure Graph. I suspect your locally run instance cannot connect to Azure.

Hi @jlcmux, @JonasKs,
Were you able to find a solution for the issue?
I'm facing exactly the same issue. I have created a djangorestframework API; it doesn't have any frontend. We have created an app registration for the API and performed all the steps like creating the scope, adding the client application and granting the scope permission to the client application.
I'm able to generate an access token using my client application credentials; however, when I use it in Postman for the API it returns "invalid access token". I have validated the token and the audience is correct.

Backend API app registration configuration

image

On client I have added API permission

image

Generating an OAuth token using

https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
with body
grant_type:client_credentials
client_id:{client_id}
client_secret:{client_secret}
scope:api://{app_id}/.default

I'm able to get the access token, and I use it in the header while calling the API from Postman:
image

My configurations in Django application

settings.py

AUTHENTICATION_BACKENDS = [
    'django_auth_adfs.backend.AdfsAccessTokenBackend',
]

AUTH_ADFS = {
    'CLIENT_ID': client_id,
    'TENANT_ID': tenant_id,
    'VERSION': "v2.0",
    'SCOPES':['api://{app_id}/api.read'],
    'AUDIENCE': client_id,
    'RELYING_PARTY_ID': client_id,
    'LOGIN_EXEMPT_URLS': [
        '^api',  # Assuming your API is available at /api
    ],
}
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'django_auth_adfs.rest_framework.AdfsAccessTokenAuthentication',
        'rest_framework.authentication.SessionAuthentication',
    )
}



views.py

from rest_framework import status, views
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response


class SearchView(views.APIView):
    # APIView reads permission_classes from the class; the @action decorator
    # only has an effect on ViewSets, so it is not used here.
    permission_classes = [IsAuthenticated]

    def post(self, request):
        return Response('Success Response', status=status.HTTP_200_OK)

Could you please help me set this up?

Please attach debug logs.

Hi @JonasKs, please find additional logs here; I have replaced sensitive data with placeholders.

DEBUG 2023-06-22 12:06:34,979 django_auth_adfs Loading ID Provider configuration.
INFO 2023-06-22 12:06:34,979 django_auth_adfs Trying to get OpenID Connect config from https://login.microsoftonline.com/{tenantid}/v2.0/.well-known/openid-configuration?appid=
DEBUG 2023-06-22 12:06:35,446 django_auth_adfs Loading public key from certificate:
DEBUG 2023-06-22 12:06:35,454 django_auth_adfs Loading public key from certificate:
DEBUG 2023-06-22 12:06:35,458 django_auth_adfs Loading public key from certificate:
DEBUG 2023-06-22 12:06:35,461 django_auth_adfs Loading public key from certificate:
INFO 2023-06-22 12:06:35,465 django_auth_adfs Loaded settings from ADFS server.
INFO 2023-06-22 12:06:35,466 django_auth_adfs operating mode: openid_connect
INFO 2023-06-22 12:06:35,467 django_auth_adfs authorization endpoint: https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize
INFO 2023-06-22 12:06:35,468 django_auth_adfs token endpoint: https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token
INFO 2023-06-22 12:06:35,469 django_auth_adfs end session endpoint: https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/logout
INFO 2023-06-22 12:06:35,469 django_auth_adfs issuer: https://login.microsoftonline.com/{tenantid}/v2.0
INFO 2023-06-22 12:06:35,470 django_auth_adfs msgraph endpoint: graph.microsoft.com
DEBUG 2023-06-22 12:06:35,481 django_auth_adfs Received access token: <access_token>
INFO 2023-06-22 12:06:35,496 django_auth_adfs Invalid issuer

Let me know if you need additional information

when I decode the access token issuer id is https://sts.windows.net/<tenant_id>/

If I remove 'VERSION': "v2.0" from AUTH_ADFS then I get the error below:

django_auth_adfs User claim's doesn't have the claim 'upn' in his claims:

when I decode the access token issuer id is https://sts.windows.net/<tenant_id>/

Sounds like you haven't changed the token version to v2 in the manifest. Do that and give it 24 hours and test again. Azure is slow b

Hi @JonasKs, I made that change yesterday, but as you mentioned it took time to take effect. Now I can see the change; however, I'm getting a different error:

DEBUG 2023-06-23 18:35:11,438 django_auth_adfs The configured groups claim groups was not found in the access token
ERROR 2023-06-23 18:35:11,439 django_auth_adfs User claim's doesn't have the claim 'upn' in his claims
I'm using a service principal access token to authenticate.

My settings are below; is this something I need to change? I think I'm close to resolving this issue but am still unable to figure it out.

AUTH_ADFS = {
    'CLIENT_ID': client_id,
    'TENANT_ID': tenant_id,
    'VERSION': "v2.0",
    'SCOPES': ['scope'],
    'AUDIENCE': client_id,
    'RELYING_PARTY_ID': client_id,
    'LOGIN_EXEMPT_URLS': [
        '^api',  # Assuming your API is available at /api
    ],
}

The configured groups claim groups was not found in the access token

This can be configured.
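The debugging steps spread over this thread (decode the token and check iss, aud and roles as suggested earlier; a v1 issuer under sts.windows.net because the manifest still issues v1 tokens; a service-principal token that carries no upn; a missing groups claim) can be collapsed into one offline inspector. The following is an added example, not code from django-auth-adfs or from anyone in the thread. It decodes the JWT payload without verifying the signature, exactly as jwt.io does, and only to explain a rejection; the tenant and client IDs, the sample tokens and the placeholder signature are all constructed here.

```python
import base64
import json

# Constructed sample identifiers (not values from the issue thread).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# Azure AD issuer formats: v1 tokens use sts.windows.net, v2 tokens the
# login.microsoftonline.com/<tenant>/v2.0 form django-auth-adfs logs above.
V1_ISSUER_PREFIX = "https://sts.windows.net/"
V2_ISSUER_PREFIX = "https://login.microsoftonline.com/"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED token with the given claims.

    The signature segment is a constructed placeholder; this exists only so
    the inspector below has realistic input to run on offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims_unverified(token: str) -> dict:
    """Return the payload claims without checking the signature.

    Diagnostic use only: the backend must still verify the signature
    before trusting any claim in the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def inspect_claims(claims: dict, tenant_id: str, client_id: str) -> list:
    """List the reasons a v2.0-configured backend would reject these claims."""
    findings = []

    iss = claims.get("iss", "")
    expected_v2_iss = f"{V2_ISSUER_PREFIX}{tenant_id}/v2.0"
    if iss.startswith(V1_ISSUER_PREFIX):
        findings.append(
            "v1 issuer (sts.windows.net): the API app registration still issues "
            "v1 tokens, so a backend configured for v2.0 logs 'Invalid issuer'"
        )
    elif iss != expected_v2_iss:
        findings.append(f"issuer {iss!r} does not match {expected_v2_iss!r}")

    # aud is the bare client id for v2 tokens, or the api://<id> URI form.
    aud = claims.get("aud")
    if aud not in (client_id, f"api://{client_id}"):
        findings.append(f"aud {aud!r} does not match the client id")

    if "upn" not in claims:
        if "azp" in claims or "appid" in claims:
            findings.append(
                "no 'upn' claim: this is an app-only (client_credentials) token "
                "identified by 'azp'/'appid', so a user lookup keyed on 'upn' fails"
            )
        else:
            findings.append("no 'upn' claim in a delegated token")

    # Groups overage: Azure moves group membership behind a Graph reference.
    if "_claim_names" in claims:
        findings.append(
            "groups overage: membership must be fetched from Microsoft Graph, "
            "so the backend needs network access to graph.microsoft.com"
        )
    elif "groups" not in claims and "roles" not in claims:
        findings.append("neither 'groups' nor 'roles' present; group mapping has nothing to read")

    return findings


def diagnose(token: str, tenant_id: str = TENANT_ID, client_id: str = CLIENT_ID) -> list:
    """Decode a raw token and return the list of findings (empty = looks fine)."""
    return inspect_claims(decode_claims_unverified(token), tenant_id, client_id)


if __name__ == "__main__":
    # Constructed v1 app-only token of the kind the thread's reporter had.
    sample = make_sample_token({
        "iss": f"{V1_ISSUER_PREFIX}{TENANT_ID}/",
        "aud": f"api://{CLIENT_ID}",
        "appid": CLIENT_ID,
        "roles": ["api.read"],
    })
    for finding in diagnose(sample):
        print("-", finding)
```

Paste a real token into diagnose() only on a trusted machine: the payload is not encrypted, so anything the function prints is also visible to whoever holds the token.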