The user is not redirected to a microsoft page #258

Open
Wissperwind opened this issue Oct 10, 2022 · 9 comments

@Wissperwind commented Oct 10, 2022

Hi,

I use Azure AD. I configured everything the way I thought it would work. I opened the Django admin site, typed in my credentials, and it said wrong credentials... But I thought it should redirect me to a Microsoft site to perform the login? Why is Django even asking me for credentials?

@tim-schilling (Member)

By default the Django admin URL won't be overridden. You would need to do that in your urls.py file specifically. If you install django-extensions and run python manage.py show_urls, you can see how your URL paths are configured.

@AzureIP commented Oct 10, 2022

OK, what exactly do I have to do? I just want people to be able to log in to the Django admin. They must somehow be redirected to some Microsoft site by Django, I think. How do I achieve this?

@tim-schilling (Member)

You need to define a URL to catch the requests to your admin login flow. The default would be:

path("admin/login/", admin_login_redirect)

Where admin_login_redirect is:

from urllib.parse import urlencode

from django.conf import settings
from django.contrib.auth.views import LoginView
from django.shortcuts import redirect
from django.urls import reverse
from django.utils.http import url_has_allowed_host_and_scheme

def admin_login_redirect(request):
    """Redirect the admin login to our auth login."""
    # "next" is the page the admin wanted to show after login; default to the admin index.
    next_url = request.GET.get(LoginView.redirect_field_name, reverse("admin:index"))
    # Refuse off-site targets so the parameter cannot be abused as an open redirect.
    if not url_has_allowed_host_and_scheme(next_url, allowed_hosts={request.get_host()}):
        next_url = reverse("admin:index")
    # AUTH_URL here is a project-specific setting, not one django-auth-adfs defines.
    return redirect(settings.AUTH_URL + "?" + urlencode({LoginView.redirect_field_name: next_url}))

@Wissperwind (Author) commented Oct 11, 2022

OK, I did that.

urlpatterns = [  # the redirect must precede admin.site.urls, which has its own login/ route
    path("admin/login/", admin_login_redirect),
    path("admin/", admin.site.urls),
]

The ordering seems to matter.

It now says that I have not set AUTH_URL in settings. What value do I have to set AUTH_URL to? I haven't found anything about AUTH_URL in your docs: https://django-auth-adfs.readthedocs.io/en/latest/search.html?q=AUTH_URL&check_keywords=yes&area=default

@tim-schilling (Member)

Oh, sorry about that. That's a relic of my system allowing us to programmatically switch between direct auth and Active Directory SSO. Rather than settings.AUTH_URL, you want to use reverse("django_auth_adfs:login") or whatever authentication URL you decide to use.

@Wissperwind (Author) commented Oct 13, 2022

I was now redirected to a Microsoft login page correctly and was able to log in.
But afterwards I see a white page with "No authorization code was provided".
In the URL I found:
AADSTS90008: The user or administrator has not consented to use the application with ID 'my-id'. This happened because application is misconfigured: it must require access to Microsoft Graph by specifying at least 'Sign in and read user profile' permission.

What is your plugin trying to do, and what permissions are needed?

@tim-schilling (Member)

> What is your plugin trying to do

Please review the documentation. You should have an idea of what the purpose of the library is if you're trying to integrate it.

> what permissions are needed.

You identified the missing permissions in the URLs. Additionally, you can review the config guides in the docs and the demo app.

@Wissperwind (Author)

OK, the Azure AD admin has changed something for me. The URL now looks different.
I log in to Microsoft and am redirected to

https://lap-20-073.ssss.de:8080/foss/oauth2/callback?code=0.AXMA-g66LIO9o0KRJjIRKlj2OBziwPwYzq9ChKFAbkv6osRzAJI.AgABAAIAAAD--DLA3VO7QrddgJg7WevrAgDs_wQA9P9vjdjYs5NGWHI8o9U9DaqZ35HOHJB6wSLGy6Pl7DJJAQXBfAig_rnXdC9eReozMzo4cmgRz7uU8Qj_HGEj1SWlSYYHPaAU3t6LDbL0OiSXQ7u6K9iQwnZfhGKE7sBtDt04aqq0NM9RR4ybdGoBE8HVcom9KU-y5mBeZ6zL7c6yTQ7wu5oVTo_YIxUtoRT4DR93l9R36grqGXgwtMHbjUW1_TJms9LNNLj67z89sRid7aeyYpFiQ-dMUXLA73-z5rE7iTrrj6f1oAyhMDShhY6P7TUg4SRGaCto-uCwzWeeIwTsaW2RVkTODFcY0zfsnz3_Bism0bpq1IHtTnqTehw2RhdmreCiymQ-4svadOuh75g9XlEOIemNKla2PhYMrdEtmiq2-tMpPzswnTSupOvX809f2U1fiWylgTzvCSg3dlm8njb2ylZDgNuLmhhZzNlPlaFge4f7W4gAO9JoblkU_EW75gGL__sTtZ7Yp0caK5ejs25TKm4dwu9_fPmfKHbhIk6MirGiQpxJICaQnYOJSs69OsO7mvzMA1C177YSh6rSA1ugHxhOjfyy8sxW4CCr6WQwKq_9jFPjP84xo0FUPUgOwdaNs2JrNQP7X1lMhF4nF0KSQlR16plZaGVy3PSEejX906v8u3iFJcp7QLiYbb9tKFRin4ctCmkoBI1Rzwn6jiUcc_BvQm83O8FxcfuZsmozqtx3aaPrKDMX-BH0T0ZruXcHJKD6kLzOufl84CjfLSsuW6bZx4SqMJGbDeF39lGQdBVO-QecRHu9U0HLGcFJzfcGNAXlClhbg6A&state=L2Zvc3MvYWRtaW4v&session_state=1c3f2961-5687-4023-9a26-6909a3214ce3#
(I have randomly changed some numbers)
So the text error message in the URL is gone, but I am still not logged in to the admin area.

Login Failed is displayed and in the log I see:

INFO 2022-10-19 09:12:06,826 django_auth_adfs Loaded settings from ADFS server.
INFO 2022-10-19 09:12:06,826 django_auth_adfs operating mode:         openid_connect
INFO 2022-10-19 09:12:06,827 django_auth_adfs authorization endpoint: https://login.microsoftonline.com/2c6a0efa-bd83-42a3-9126-32112a58f639/oauth2/authorize
INFO 2022-10-19 09:12:06,827 django_auth_adfs token endpoint:         https://login.microsoftonline.com/2c6a0efa-bd83-42a3-9126-32112a58f639/oauth2/token
INFO 2022-10-19 09:12:06,827 django_auth_adfs end session endpoint:   https://login.microsoftonline.com/2c6a0efa-bd83-42a3-9126-32112a58f639/oauth2/logout
INFO 2022-10-19 09:12:06,828 django_auth_adfs issuer:                 https://sts.windows.net/2c6a0efa-bd83-42a3-9126-32112a58f639/
INFO 2022-10-19 09:12:06,828 django_auth_adfs msgraph endpoint:       graph.microsoft.com
DEBUG 2022-10-19 09:12:07,070 django_auth_adfs Authentication backend was called but no access token was received
Unauthorized: /foss/oauth2/callback

(I have changed some numbers)

How to debug this further? How to find the problem?
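
Reading the callback URL above is the quickest way to see what the identity provider actually handed back, so here is an added example (not code from the thread or from django-auth-adfs) that does it in plain Python with no Django dependency. It splits a callback URL of that shape into code, state and session_state (or error and error_description, the shape the AADSTS90008 message arrived in earlier), decodes state, and accepts the decoded value as a redirect target only if it is a relative path. The state in the URL above is URL-safe base64: decoding L2Zvc3MvYWRtaW4v gives /foss/admin/, the next target passed along from the admin redirect. The sample URLs are constructed for the example, with the authorization code replaced by a placeholder; an authorization code is single-use and short-lived, but a callback URL still carries a credential in flight and should be redacted before it is pasted into a public issue.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed sample callback URLs for this example. The first mirrors the
# successful redirect quoted above (authorization code replaced by a placeholder),
# the second the consent-error shape from the earlier comment (AADSTS90008).
SUCCESS_CALLBACK_URL = (
    "https://lap-20-073.ssss.de:8080/foss/oauth2/callback"
    "?code=0.AXMA-REDACTED-AUTHORIZATION-CODE"
    "&state=L2Zvc3MvYWRtaW4v"
    "&session_state=1c3f2961-5687-4023-9a26-6909a3214ce3#"
)
ERROR_CALLBACK_URL = (
    "https://lap-20-073.ssss.de:8080/foss/oauth2/callback"
    "?error=access_denied"
    "&error_description=AADSTS90008%3A+The+user+or+administrator+has+not+consented"
    "&state=L2Zvc3MvYWRtaW4v"
)

CALLBACK_FIELDS = ("code", "state", "session_state", "error", "error_description")


def parse_callback(url):
    """Return the OAuth2 callback parameters as a dict (missing ones are None).

    parse_qs undoes the form encoding, so '+' becomes a space and '%3A' a colon,
    which is why the AADSTS text comes out readable.
    """
    query = parse_qs(urlsplit(url).query)
    return {field: query.get(field, [None])[0] for field in CALLBACK_FIELDS}


def decode_state(state):
    """Decode a URL-safe base64 state value back into the redirect path.

    Padding is restored first because '=' is often stripped from URL-safe base64.
    Unparseable or non-UTF-8 input yields "" so the caller falls back to a default.
    """
    padded = state + "=" * (-len(state) % 4)
    try:
        return base64.urlsafe_b64decode(padded.encode()).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return ""


def safe_redirect_target(target, default="/"):
    """Accept only a relative path; anything else falls back to the default.

    Absolute URLs, protocol-relative '//host' forms and backslashes (which
    browsers treat like '/') are rejected so a tampered state value cannot
    turn the callback into an open redirect to another site.
    """
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or "\\" in target or not target.startswith("/"):
        return default
    return target


def describe_callback(url):
    """Summarise a callback URL the way you would when debugging a failed login."""
    params = parse_callback(url)
    if params["error"]:
        return {"outcome": "provider_error", "error": params["error"],
                "detail": params["error_description"]}
    state = params["state"]
    target = safe_redirect_target(decode_state(state)) if state else "/"
    return {"outcome": "code_received", "has_code": bool(params["code"]),
            "redirect_to": target}


if __name__ == "__main__":
    print(describe_callback(SUCCESS_CALLBACK_URL))
    print(describe_callback(ERROR_CALLBACK_URL))
```

Running the module prints the summary for both constructed URLs; when debugging, substitute the real callback URL from the browser's address bar and compare its redirect_to with the next value you expected the admin redirect to pass along. A code_received outcome that still ends in "Login Failed" means the failure is in the step after the callback, the code-for-token exchange and the authentication backend, not in the redirect to Microsoft.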

@aoiheaven

> I was now redirected to a Microsoft login page correctly and was able to log in. But afterwards I see a white page with "No authorization code was provided". In the URL I found: AADSTS90008: The user or administrator has not consented to use the application with ID 'my-id'. This happened because application is misconfigured: it must require access to Microsoft Graph by specifying at least 'Sign in and read user profile' permission.

> What is your plugin trying to do, and what permissions are needed?

About this issue, you could refer to the last section of step-3-register-and-configure-an-azure-ad-frontend-application
Request the permission GroupMember.Read.All from your administrator to bypass it.

But for me, a typical case: can we add a groups claim in the frontend app, aiming to limit the number of user groups when generating the token, as a workaround?
important-caveats-for-this-functionality
add-group-claims-to-tokens-for-saml-applications-using-sso-configuration
@tim-schilling Could you help comment on this?
