I am relatively new to Django and am using your library to try and login with Active Directory - which I can do successfully. However, once logged in I would like to use the credentials to make further API calls to other AD integrated services. I understand this may not be the appropriate place to request assistance and I thank you in advance for any advice you can provide. If there is a more appropriate way to request help I would be grateful to be pointed in that direction.
I have read https://django-auth-adfs.readthedocs.io/en/latest/oauth2_explained.html and it states:
"Once the session is created, OAuth2 isn’t used anymore. Django uses its sessions to authenticate and authorize the user on subsequent requests."
I have tried using the following inside views.py
:
def current_view(request):
user = request.user
if user.is_authenticated:
response = provider_config.session.get(f"https://{provider_config.msgraph_endpoint}/me/photo/$value`, stream=True)
logger.debug(response)
to read the currently logged in users photo. This returns 401 as per the title. This is where (I assume) it should be using the session to supply the credentials? Is there an alternative method I should be using? Does the above quote indicate that django only uses the credentials it has to validate the user in the context of each view within this webapp and not for use against additional APIs?
I have also read: https://django-auth-adfs.readthedocs.io/en/latest/rest_framework.html and don't understand how this fits in.
Looking through the django-auth-adfs code, the closest thing to what I am trying to do is: get_group_memberships_from_ms_graph
in backend.py
but instead hit a different ms graph API. I can't seem to replicate that since I can't find the access_token
in the user
, request
, settings
or provider_config
objects to add it to the headers.
Here is my settings.py:
import os
from pathlib import Path
from typing import List
# Build paths inside the project like this: BASE_DIR / 'subdir'.
BASE_DIR = Path(__file__).resolve().parent.parent
# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/4.2/howto/deployment/checklist/
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = os.environ["CURRENT_SECRET_KEY"]
SECRET_KEY_FALLBACKS = [
os.environ["OLD_SECRET_KEY"],
]
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = os.environ["DEBUG"]
ALLOWED_HOSTS: List[str] = [
"*",
]
# Application definition
INSTALLED_APPS = [
"django.contrib.admin",
"django.contrib.auth",
"django.contrib.contenttypes",
"django.contrib.sessions",
"django.contrib.messages",
"django.contrib.staticfiles",
"webapp.apps.HarlequinUIConfig",
# Needed for the ADFS redirect URI to function
'django_auth_adfs',
]
MIDDLEWARE = [
"django.middleware.security.SecurityMiddleware",
"django.contrib.sessions.middleware.SessionMiddleware",
"django.middleware.common.CommonMiddleware",
"django.middleware.csrf.CsrfViewMiddleware",
"django.contrib.auth.middleware.AuthenticationMiddleware",
'django_auth_adfs.middleware.LoginRequiredMiddleware',
"django.contrib.messages.middleware.MessageMiddleware",
"django.middleware.clickjacking.XFrameOptionsMiddleware",
]
ROOT_URLCONF = "webapp.urls"
TEMPLATES = [
{
"BACKEND": "django.template.backends.django.DjangoTemplates",
"DIRS": [],
"APP_DIRS": True,
"OPTIONS": {
"context_processors": [
"django.template.context_processors.debug",
"django.template.context_processors.request",
"django.contrib.auth.context_processors.auth",
"django.contrib.messages.context_processors.messages",
],
},
},
]
WSGI_APPLICATION = "webapp.wsgi.application"
# Database
# https://docs.djangoproject.com/en/4.2/ref/settings/#databases
DATABASES = {
"default": {
"ENGINE": "django.db.backends.sqlite3",
"NAME": BASE_DIR / "db.sqlite3",
}
}
# Password validation
# https://docs.djangoproject.com/en/4.2/ref/settings/#auth-password-validators
AUTH_PASSWORD_VALIDATORS = [
{
"NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator", # noqa: E501
},
{
"NAME": "django.contrib.auth.password_validation.MinimumLengthValidator", # noqa: E501
},
{
"NAME": "django.contrib.auth.password_validation.CommonPasswordValidator", # noqa: E501
},
{
"NAME": "django.contrib.auth.password_validation.NumericPasswordValidator", # noqa: E501
},
]
# Refer to https://django-auth-adfs.readthedocs.io/en/latest/azure_ad_config_guide.html
# For details on setting up an Azure AD application
client_id = os.environ["CLIENT_ID"]
client_secret = os.environ["CLIENT_SECRET"]
tenant_id = os.environ["TENANT_ID"]
AUTH_ADFS = {
'AUDIENCE': client_id,
'CLIENT_ID': client_id,
'CLIENT_SECRET': client_secret,
'CLAIM_MAPPING': {'first_name': 'given_name',
'last_name': 'family_name',
'email': 'upn'},
'GROUPS_CLAIM': 'roles',
'MIRROR_GROUPS': True,
'USERNAME_CLAIM': 'upn',
'TENANT_ID': tenant_id,
'RELYING_PARTY_ID': client_id,
# We want to exclude the root page from the auth_adfs middleware
"LOGIN_EXEMPT_URLS": ['^$']
}
AUTHENTICATION_BACKENDS = [
'django.contrib.auth.backends.ModelBackend',
'django_auth_adfs.backend.AdfsAccessTokenBackend',
'django_auth_adfs.backend.AdfsAuthCodeBackend',
]
# Configure django to redirect users to the right URL for login
LOGIN_URL = "django_auth_adfs:login"
LOGIN_REDIRECT_URL = "/content/"
# Internationalization
# https://docs.djangoproject.com/en/4.2/topics/i18n/
LANGUAGE_CODE = "en-us"
TIME_ZONE = "UTC"
USE_I18N = True
USE_TZ = True
# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/4.2/howto/static-files/
STATIC_URL = "static/"
STATICFILES_DIRS = [os.path.join(BASE_DIR, "webapp/static"),]
# Default primary key field type
# https://docs.djangoproject.com/en/4.2/ref/settings/#default-auto-field
DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"
# All the bells ans whistles from https://docs.djangoproject.com/en/4.2/topics/logging/
# TODO: Review and customise as appropriate.
LOGGING = {
"version": 1,
"disable_existing_loggers": False,
"formatters": {
"verbose": {
"format": "{levelname} {asctime} {module} {process:d} {thread:d} {message}",
"style": "{",
},
"simple": {
"format": "{levelname} {message}",
"style": "{",
},
},
"filters": {
"require_debug_true": {
"()": "django.utils.log.RequireDebugTrue",
},
},
"handlers": {
"console": {
"level": "DEBUG",
"filters": ["require_debug_true"],
"class": "logging.StreamHandler",
"formatter": "verbose",
},
"mail_admins": {
"level": "ERROR",
"class": "django.utils.log.AdminEmailHandler",
},
},
"loggers": {
"root": {
"handlers": ["console"],
"level": "DEBUG",
},
"django": {
"handlers": ["console"],
"propagate": True,
},
"django.request": {
"handlers": ["mail_admins"],
"level": "ERROR",
"propagate": False,
},
'django_auth_adfs': {
'handlers': ['console'],
'level': 'DEBUG',
},
},
}
Please let me know if there is any further information I can provide. Thanks in advance.
Pay now to fund the work behind this issue.
Get updates on progress being made.
Maintainer is rewarded once the issue is completed.
You're funding impactful open source efforts
You want to contribute to this effort
You want to get funding like this too