"Did you figure it out in the end cause I am facing the same issue right now :)"
We didn't yet end up using AD auth in production, though I did eventually have a *rudimentary *working version. I ended up using the python msal library directly. https://github.com/AzureAD/microsoft-authentication-library-for-python redirect_url = "https://www.ourwebsite/token"; b2c_tenant = "some-uuid" signupsignin_user_flow = "B2C_1_signupsignin1" editprofile_user_flow = "B2C_1_profileediting1" resetpassword_user_flow = "B2C_1_passwordreset1" # Note: Legacy setting. authority_template = "https://login.microsoftonline.com/{tenant}"; CLIENT_ID = "some-uuid" CLIENT_SECRET = "some-uuid" AUTHORITY = authority_template.format( tenant=b2c_tenant, user_flow=signupsignin_user_flow) B2C_PROFILE_AUTHORITY = authority_template.format( tenant=b2c_tenant, user_flow=editprofile_user_flow) B2C_RESET_PASSWORD_AUTHORITY = authority_template.format( tenant=b2c_tenant, user_flow=resetpassword_user_flow) REDIRECT_PATH = "/getAToken" # Used for forming an absolute URL to your redirect URI. ENDPOINT = '' # Application ID URI of app registration in Azure portal SCOPE = [] # Example with two exposed scopes: ["demo.read", "demo.write"] SESSION_TYPE = "filesystem" # Specifies the token cache should be stored in server-side session def _load_cache(): cache = msal.SerializableTokenCache() if session.get("token_cache"): cache.deserialize(session["token_cache"]) return cache def _save_cache(cache): if cache.has_state_changed: session["token_cache"] = cache.serialize() def _build_msal_app(cache=None, authority=None): return msal.ConfidentialClientApplication( app_config.CLIENT_ID, authority=authority or app_config.AUTHORITY, client_credential=app_config.CLIENT_SECRET, token_cache=cache) def _build_msal_app(cache=None, authority=None): return msal.ConfidentialClientApplication( CLIENT_ID, authority=authority or AUTHORITY, client_credential=CLIENT_SECRET, token_cache=cache) def _build_auth_code_flow(authority=None, scopes=None): return _build_msal_app(authority=authority).initiate_auth_code_flow( scopes or [], redirect_uri=redirect_url) Then I use these functions on the login page. Something like this: session["flow"] = _build_auth_code_flow(scopes=SCOPE) if settings.enable_ad else None ad_login_url = session['flow']['auth_uri'] if session["flow"] else '' return dict(formLogin = formLogin, loggedIn = False, ad_login_url =ad_login_url) Using the ad_login_url to redirect to with a button on the login page. Then there's the standard microsoft register/login form that redirects to the my "token" controller function referenced in the "redirect_url" at the top of the pasted code. This url needs to be configured where you register an azure app. In the token controller you recieve the token which you an then use for authentication - login/registration Something like this: def token(): cache = _load_cache() result = _build_msal_app(cache=cache).acquire_token_by_auth_code_flow( session.get("flow", {}), request.vars ) user = result['id_token_claims'] if "error" in result: return dict() _save_cache(cache) session["user"] = result.get("id_token_claims") username = user['preferred_username'] I don't know how clear this is, hopefully it's at least a little bit helpful, but I'm a bit fuzzy on the details. On Monday, February 6, 2023 at 6:05:52 AM UTC+1 david....@gmail.com wrote: > We do AD authentication with Shibboleth as our service provider on IIS > 10. I don't know if that would be an option. We couldn't find anything > else that worked on Windows. > > Sent from Outlook for Android <https://aka.ms/AAb9ysg> > ------------------------------ > *From:* web...@googlegroups.com <web...@googlegroups.com> on behalf of > Silvian “Top 10 Answers” Cedru <silvia...@gmail.com> > *Sent:* Monday, February 6, 2023 4:25:40 AM > *To:* web2py-users <web...@googlegroups.com> > *Subject:* Re: [web2py] Active directory authentication > > Did you figure it out in the end cause I am facing the same issue right > now :) > > urban....@gmail.com schrieb am Donnerstag, 3. März 2022 um 21:31:25 UTC+7: > > "Still trying to wade through the seemingly half outdated guides" > I'm referring to Azure guides not Web2Py. > > On Thursday, March 3, 2022 at 2:10:33 PM UTC+1 urban....@gmail.com wrote: > > No it's not on-premise. They said so explicitly. Apologise for the low > info questions. Still trying to wade through the seemingly half outdated > guides. Finally got the Flask demo that MS provides to work so that I know > the Azure side of things is working at least. Now have to figure out how to > implement it in Web2Py. Is the ldap_auth method only for on premise AD? > > On Wednesday, March 2, 2022 at 7:24:58 PM UTC+1 nico...@gmail.com wrote: > > Hi, > > do you really use Azure AD? Otherwise, for normal on-premise AD, see the > documentation on > http://web2py.com/books/default/chapter/29/09/access-control#LDAP and > https://github.com/web2py/web2py/blob/master/gluon/contrib/login_methods/ldap_auth.py > > Nico > > > Il giorno mer 2 mar 2022 alle ore 16:48 urban....@gmail.com < > urban....@gmail.com> ha scritto: > > We're looking into adding AD authentication to our app. We have an active > directory account and an app registered on it. > > In the documentation I found this example of enabling AD auth: > > from gluon.contrib.login_methods.ldap_auth import ldap_auth > auth.settings.login_methods.append( > ldap_auth( > mode='ad', > server='https://aad.portal.azure.com/', > base_dn='ou=Users,dc=domain,dc=com' > ) > ) > > However I get this error when trying to login > > DEBUG:web2py.auth.ldap_auth:Traceback (most recent call last): > File > "C:\urban\web2py_latest\web2py\gluon\contrib\login_methods\ldap_auth.py", > line 236, in ldap_auth_aux > con = init_ldap() > File > "C:\urban\web2py_latest\web2py\gluon\contrib\login_methods\ldap_auth.py", > line 630, in init_ldap > "ldap://"; + ldap_server + ":" + str(ldap_port)) > File "C:\Python27\lib\site-packages\ldap\functions.py", line 92, in > initialize > uri, trace_level, trace_file, trace_stack_limit, bytes_mode, **kwargs) > File "C:\Python27\lib\site-packages\ldap\ldapobject.py", line 106, in > __init__ > self._l = > ldap.functions._ldap_function_call(ldap._ldap_module_lock,_ldap.initialize,uri) > File "C:\Python27\lib\site-packages\ldap\functions.py", line 55, in > _ldap_function_call > result = func(*args,**kwargs) > LDAPError: (0, 'Error') > > Am I doing anything wrong on the web2py side or is the issue in the AD > configuration? > > -- > Resources: > - http://web2py.com > - http://web2py.com/book (Documentation) > - http://github.com/web2py/web2py (Source code) > - https://code.google.com/p/web2py/issues/list (Report Issues) > --- > You received this message because you are subscribed to the Google Groups > "web2py-users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to web2py+un...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/web2py/7d013980-154b-4b94-9365-4a64f9e32423n%40googlegroups.com > > <https://groups.google.com/d/msgid/web2py/7d013980-154b-4b94-9365-4a64f9e32423n%40googlegroups.com?utm_medium=email&utm_source=footer> > . > > -- > Resources: > - http://web2py.com > - http://web2py.com/book (Documentation) > - http://github.com/web2py/web2py (Source code) > - https://code.google.com/p/web2py/issues/list (Report Issues) > --- > You received this message because you are subscribed to the Google Groups > "web2py-users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to web2py+un...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/web2py/a406d846-fdc8-4e71-aa0c-4efb8b4f1c5an%40googlegroups.com > > <https://groups.google.com/d/msgid/web2py/a406d846-fdc8-4e71-aa0c-4efb8b4f1c5an%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/web2py/36f307b5-e422-425e-ae07-c8b8c4faeb60n%40googlegroups.com.
