Thanks, I will try that out, because the only thing I got to work today 
was OpenID and I am not so sure if that is a good option for that.

urban....@gmail.com wrote on Monday, 6 February 2023 at 14:21:27 UTC+7:

> "Did you figure it out in the end cause I am facing the same issue right 
> now :)"
>
> We didn't yet end up using AD auth in production, though I did eventually 
> have a *rudimentary* working version. 
>
> I ended up using the python msal library directly.
>
> https://github.com/AzureAD/microsoft-authentication-library-for-python
>
>
>
> import msal
>
> redirect_url = "https://www.ourwebsite/token"
> b2c_tenant = "some-uuid"
> signupsignin_user_flow = "B2C_1_signupsignin1"
> editprofile_user_flow = "B2C_1_profileediting1"
> resetpassword_user_flow = "B2C_1_passwordreset1"  # Note: Legacy setting.
> # The template only uses {tenant}; the user_flow keyword passed to format()
> # below is ignored, so all three authorities come out identical.
> authority_template = "https://login.microsoftonline.com/{tenant}"
> CLIENT_ID = "some-uuid"
> CLIENT_SECRET = "some-uuid"
>
> AUTHORITY = authority_template.format(
>     tenant=b2c_tenant, user_flow=signupsignin_user_flow)
> B2C_PROFILE_AUTHORITY = authority_template.format(
>     tenant=b2c_tenant, user_flow=editprofile_user_flow)
> B2C_RESET_PASSWORD_AUTHORITY = authority_template.format(
>     tenant=b2c_tenant, user_flow=resetpassword_user_flow)
> REDIRECT_PATH = "/getAToken"  # Used for forming an absolute URL to your redirect URI.
> ENDPOINT = ''  # Application ID URI of app registration in Azure portal
> SCOPE = []  # Example with two exposed scopes: ["demo.read", "demo.write"]
> SESSION_TYPE = "filesystem"  # Specifies the token cache should be stored in server-side session
>
> def _load_cache():
>     # Rehydrate the MSAL token cache from the web2py session, if one was saved.
>     cache = msal.SerializableTokenCache()
>     if session.get("token_cache"):
>         cache.deserialize(session["token_cache"])
>     return cache
>
> def _save_cache(cache):
>     # Write the cache back into the session only when MSAL changed it.
>     if cache.has_state_changed:
>         session["token_cache"] = cache.serialize()
>
> def _build_msal_app(cache=None, authority=None):
>     # Confidential client: the client secret never leaves the server.
>     return msal.ConfidentialClientApplication(
>         CLIENT_ID, authority=authority or AUTHORITY,
>         client_credential=CLIENT_SECRET, token_cache=cache)
>
> def _build_auth_code_flow(authority=None, scopes=None):
>     # Starts the authorization-code flow. The returned dict carries the
>     # state and nonce MSAL verifies on the way back, so it must live in
>     # the server-side session, never in a cookie the client can edit.
>     return _build_msal_app(authority=authority).initiate_auth_code_flow(
>         scopes or [],
>         redirect_uri=redirect_url)
>
> Then I use these functions on the login page.
>
> Something like this:
>         session["flow"] = _build_auth_code_flow(scopes=SCOPE) if settings.enable_ad else None
>         ad_login_url = session['flow']['auth_uri'] if session["flow"] else ''
>         return dict(formLogin=formLogin, loggedIn=False, ad_login_url=ad_login_url)
>
> Using the ad_login_url to redirect to with a button on the login page. 
> Then there's the standard Microsoft register/login form that redirects to 
> my "token" controller function referenced in the "redirect_url" at the 
> top of the pasted code. This URL needs to be configured where you register 
> an Azure app. 
>
> In the token controller you receive the token, which you can then use for 
> authentication (login/registration).
>
> Something like this:
> def token():
>     cache = _load_cache()
>     result = _build_msal_app(cache=cache).acquire_token_by_auth_code_flow(
>         session.get("flow", {}), request.vars
>     )
>
>     # Check for an error response before reading the claims: on error the
>     # result has no 'id_token_claims' key and indexing it would raise KeyError.
>     if "error" in result:
>         return dict()
>
>     _save_cache(cache)
>     session["user"] = result.get("id_token_claims")
>     user = result['id_token_claims']
>     username = user['preferred_username']
>     return dict(username=username)
>
> I don't know how clear this is, hopefully it's at least a little bit 
> helpful, but I'm a bit fuzzy on the details. 
> On Monday, February 6, 2023 at 6:05:52 AM UTC+1 david....@gmail.com wrote:
>
>> We do AD authentication with Shibboleth as our service provider on IIS 
>> 10.  I don't know if that would be an option.  We couldn't find anything 
>> else that worked on Windows. 
>>
>> ------------------------------
>> *From:* web...@googlegroups.com <web...@googlegroups.com> on behalf of 
>> Silvian “Top 10 Answers” Cedru <silvia...@gmail.com>
>> *Sent:* Monday, February 6, 2023 4:25:40 AM
>> *To:* web2py-users <web...@googlegroups.com>
>> *Subject:* Re: [web2py] Active directory authentication 
>>  
>> Did you figure it out in the end cause I am facing the same issue right 
>> now :) 
>>
>> urban....@gmail.com wrote on Thursday, 3 March 2022 at 21:31:25 UTC+7:
>>
>> "Still trying to wade through the seemingly half outdated guides" 
>> I'm referring to Azure guides not Web2Py.
>>
>> On Thursday, March 3, 2022 at 2:10:33 PM UTC+1 urban....@gmail.com wrote:
>>
>> No, it's not on-premise. They said so explicitly. Apologies for the low-info 
>> questions. Still trying to wade through the seemingly half outdated 
>> guides. Finally got the Flask demo that MS provides to work so that I know 
>> the Azure side of things is working at least. Now have to figure out how to 
>> implement it in Web2Py. Is the ldap_auth method only for on premise AD?
>>
>> On Wednesday, March 2, 2022 at 7:24:58 PM UTC+1 nico...@gmail.com wrote:
>>
>> Hi, 
>>
>> do you really use Azure AD? Otherwise, for normal on-premise AD, see the 
>> documentation on 
>> http://web2py.com/books/default/chapter/29/09/access-control#LDAP and 
>> https://github.com/web2py/web2py/blob/master/gluon/contrib/login_methods/ldap_auth.py
>>
>> Nico
>>
>>
>> On Wed, 2 Mar 2022 at 16:48 urban....@gmail.com <urban....@gmail.com> wrote:
>>
>> We're looking into adding AD authentication to our app. We have an active 
>> directory account and an app registered on it. 
>>
>> In the documentation I found this example of enabling AD auth:
>>
>> from gluon.contrib.login_methods.ldap_auth import ldap_auth  
>> auth.settings.login_methods.append(
>>   ldap_auth( 
>>    mode='ad', 
>>    server='https://aad.portal.azure.com/',
>>    base_dn='ou=Users,dc=domain,dc=com'
>>   )
>> )
>>
>> However I get this error when trying to login
>>
>> DEBUG:web2py.auth.ldap_auth:Traceback (most recent call last):
>>   File 
>> "C:\urban\web2py_latest\web2py\gluon\contrib\login_methods\ldap_auth.py", 
>> line 236, in ldap_auth_aux
>>     con = init_ldap()
>>   File 
>> "C:\urban\web2py_latest\web2py\gluon\contrib\login_methods\ldap_auth.py", 
>> line 630, in init_ldap
>>     "ldap://" + ldap_server + ":" + str(ldap_port))
>>   File "C:\Python27\lib\site-packages\ldap\functions.py", line 92, in 
>> initialize
>>     uri, trace_level, trace_file, trace_stack_limit, bytes_mode, **kwargs)
>>   File "C:\Python27\lib\site-packages\ldap\ldapobject.py", line 106, in 
>> __init__
>>     self._l = 
>> ldap.functions._ldap_function_call(ldap._ldap_module_lock,_ldap.initialize,uri)
>>   File "C:\Python27\lib\site-packages\ldap\functions.py", line 55, in 
>> _ldap_function_call
>>     result = func(*args,**kwargs)
>> LDAPError: (0, 'Error')
>>
>> Am I doing anything wrong on the web2py side or is the issue in the AD 
>> configuration?
>>
>>
>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/2fba6e52-d826-4b2d-a0ba-387327327fe5n%40googlegroups.com.

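The token controller quoted above trusts whatever comes back on the redirect: it reads `id_token_claims` before checking for an error, lets a state-mismatch `ValueError` from MSAL bubble up as a 500, and keys the local account on `preferred_username`, which is a mutable, email-like display value rather than a stable identifier. The block below is an added example, not the poster's or MSAL's code. It injects a stand-in for `msal.ConfidentialClientApplication` (the `FakeMsalApp` class, which mirrors only the behaviour of `acquire_token_by_auth_code_flow` relevant here: state mismatch raises `ValueError`, a provider error comes back as a dict with an `error` key) so it runs offline; `complete_login`, `allowed_tenant` and the sample claim values are assumptions for this example.

```python
"""Hardened completion of the MSAL auth-code flow for a web2py-style token
controller.  Added example, not the thread poster's code: the MSAL client is
injected so the decision logic runs offline and can be tested."""

# Constructed id_token claims in the shape Azure AD returns (sample values).
SAMPLE_CLAIMS = {
    "oid": "00000000-0000-0000-0000-00000000a11c",   # stable per-user object id
    "tid": "11111111-2222-3333-4444-555555555555",   # issuing tenant
    "preferred_username": "alice@example.com",       # mutable, display only
    "name": "Alice Example",
}


class FakeMsalApp:
    """Stand-in for msal.ConfidentialClientApplication (assumption: mirrors only
    the observable behaviour of acquire_token_by_auth_code_flow used below).
    A state mismatch raises ValueError, an error on the redirect comes back as
    a dict with an "error" key, success returns a dict with id_token_claims."""

    def __init__(self, result):
        self._result = result

    def acquire_token_by_auth_code_flow(self, auth_code_flow, auth_response):
        if auth_response.get("state") != auth_code_flow.get("state"):
            raise ValueError("state mismatch: CSRF or session confusion")
        if "error" in auth_response:
            return {"error": auth_response["error"],
                    "error_description": auth_response.get("error_description", "")}
        return dict(self._result)


def complete_login(msal_app, flow, auth_response, allowed_tenant):
    """Turn the redirect back from Azure AD into a local login decision.

    Returns {"ok": True, "user_key": ..., ...} on success, or
    {"ok": False, "reason": ...}.  Never raises on attacker-controlled input.
    """
    if not flow:
        # No pending flow in the session: this callback was not started by us.
        return {"ok": False, "reason": "no pending flow"}
    try:
        result = msal_app.acquire_token_by_auth_code_flow(flow, auth_response)
    except ValueError as exc:
        return {"ok": False, "reason": f"rejected: {exc}"}
    if "error" in result:
        # Check the error before touching id_token_claims (KeyError otherwise).
        return {"ok": False,
                "reason": result.get("error_description") or result["error"]}

    claims = result.get("id_token_claims") or {}
    oid, tid = claims.get("oid"), claims.get("tid")
    if not oid or not tid:
        return {"ok": False, "reason": "id token lacks oid/tid"}
    if tid != allowed_tenant:
        # A multi-tenant app registration would otherwise admit any AAD user.
        return {"ok": False, "reason": f"tenant {tid} not allowed"}

    # Key local accounts on tenant + object id, not on preferred_username,
    # which can be reassigned and is not unique across tenants.
    return {
        "ok": True,
        "user_key": f"{tid}:{oid}",
        "display": claims.get("name") or claims.get("preferred_username", ""),
        "email": claims.get("preferred_username", ""),
    }


def demo():
    """Walk the success path and the three failure paths the controller must handle."""
    tenant = SAMPLE_CLAIMS["tid"]
    flow = {"state": "s3cr3t-state", "auth_uri": "https://login.example/authorize"}
    app = FakeMsalApp({"id_token_claims": SAMPLE_CLAIMS, "access_token": "eyJ..."})

    ok = complete_login(app, flow, {"code": "abc", "state": "s3cr3t-state"}, tenant)
    csrf = complete_login(app, flow, {"code": "abc", "state": "forged"}, tenant)
    denied = complete_login(app, flow,
                            {"state": "s3cr3t-state", "error": "access_denied",
                             "error_description": "user cancelled"}, tenant)
    wrong_tenant = complete_login(app, flow, {"code": "abc", "state": "s3cr3t-state"},
                                  "99999999-9999-9999-9999-999999999999")
    return ok, csrf, denied, wrong_tenant


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

In a real web2py controller, `msal_app` is the `_build_msal_app(cache=cache)` instance, `flow` is `session.get("flow")` and `auth_response` is `request.vars`; the `user_key` is what goes into the local `auth_user` lookup, with `email` stored only as a display attribute.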