
omniauth-azure-oauth2's Introduction

No longer maintained

This project is no longer maintained. I'm off on other projects on other platforms and don't have time to maintain this gem :/ I am unable to transfer the project ownership. Your best bet is to fork and apply your changes. Perhaps consider publishing to RubyGems yourself so it can live on.

OmniAuth Windows Azure Active Directory Strategy


This gem provides a simple way to authenticate to Windows Azure Active Directory (WAAD) over OAuth2 using OmniAuth.

One of the unique challenges of WAAD OAuth is that WAAD is multi-tenant: any given tenant can have multiple active directories, and the CLIENT-ID, REPLY-URL and keys are unique to each tenant/AD/application combination. This gem simply provides hooks for determining those values on each call.

Installation

Add this line to your application's Gemfile:

gem 'omniauth-azure-oauth2'

Usage

First, you will need to add your site as an application in WAAD; see Adding, Updating, and Removing an Application.

Summary: select your Active Directory in https://manage.windowsazure.com/ and add an application of type 'Web Application'. Name, sign-on URL and logo are not important. You will need the CLIENT-ID from the application configuration, and you will need to generate an expiring key (aka 'client secret'). Treat that key as a credential: keep it out of source control (the examples below read it from ENV) and rotate it before it expires, or sign-in will stop working. REPLY URL is the OAuth redirect URI, which will be the OmniAuth callback path, e.g. https://example.com/users/auth/azure_oauth2/callback; Azure compares it to the redirect_uri your app sends character for character. The APP ID URI just needs to be unique within that tenant and identify your site; it isn't needed to configure the gem. Under Permissions, Delegated Permissions need at least "Enable sign-on and read user's profiles".

Note: the terminology is still fluid, so follow the current MS guidance (buwahaha) when setting this up.

The provider configuration (TenantInfo in the examples below) can be a hash or a class. It must provide client_id and client_secret, and may optionally provide domain_hint and tenant_id. For a simple single-tenant app, this could be:

use OmniAuth::Builder do
  provider :azure_oauth2,
    {
      client_id: ENV['AZURE_CLIENT_ID'],
      client_secret: ENV['AZURE_CLIENT_SECRET'],
      tenant_id: ENV['AZURE_TENANT_ID']
    }
end

Or the alternative format for use with devise:

config.omniauth :azure_oauth2, client_id: ENV['AZURE_CLIENT_ID'],
      client_secret: ENV['AZURE_CLIENT_SECRET'], tenant_id: ENV['AZURE_TENANT_ID']

For multi-tenant apps where you don't know the tenant_id in advance, simply leave out tenant_id and the common endpoint will be used. Note that the common endpoint accepts sign-ins from any Azure AD tenant, so your application must check the tenant (the tid claim in the returned token) against the tenants it actually serves before granting access.

use OmniAuth::Builder do
  provider :azure_oauth2,
    {
      client_id: ENV['AZURE_CLIENT_ID'],
      client_secret: ENV['AZURE_CLIENT_SECRET']
    }
end

For dynamic tenant assignment, pass a class that supports those same attributes and accepts the strategy as a parameter:

class YourTenantProvider
  def initialize(strategy)
    @strategy = strategy
  end

  def client_id
    tenant.azure_client_id
  end

  def client_secret
    tenant.azure_client_secret
  end

  def tenant_id
    tenant.azure_tenant_id
  end

  def domain_hint
    tenant.azure_domain_hint
  end

  private

  def tenant
    # whatever strategy you want to figure out the right tenant from params/session
    @tenant ||= Customer.find(@strategy.session[:customer_id])
  end
end

use OmniAuth::Builder do
  provider :azure_oauth2, YourTenantProvider
end

The base_azure_url can be overridden in the provider configuration for other Azure clouds or locales, e.g. base_azure_url: "https://login.microsoftonline.de". It is the origin from which the authorize and token URLs are built, so only ever point it at a Microsoft login host you trust.

Auth Hash Schema

The following information is provided back to you for this provider:

{
  uid: '12345',
  info: {
    name: 'some one',
    first_name: 'some',
    last_name: 'one',
    email: '[email protected]'
  },
  credentials: {
    token: 'thetoken',
    refresh_token: 'refresh'
  },
  extra: { raw_info: raw_api_response }
}
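The hash above is what the strategy hands back; what is not shown is the work that should happen before any of it is trusted. The following is an added example, not code from the omniauth-azure-oauth2 gem, showing how an id_token from Azure AD is verified (RS256 signature, alg, audience = your CLIENT-ID, issuer/tenant, expiry) and then mapped into the auth hash shape documented here. It uses only the Ruby standard library. The RSA key, the tenant and client IDs, the user claims and the token itself are all constructed here for illustration (in a real deployment the public key comes from the tenant's published signing keys), and the choice of the oid claim for uid is an assumption.

```ruby
# Added example, not code from the omniauth-azure-oauth2 gem: verify an
# Azure AD id_token locally and map its claims into the auth hash shape the
# README documents. Standard library only. The RSA key, tenant/client IDs
# and the token itself are constructed here for illustration; in production
# the public key comes from the tenant's published signing keys.
require 'openssl'
require 'base64'
require 'json'

AZURE_ISSUER_PREFIX = 'https://sts.windows.net/'.freeze

def b64url_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

# Verify signature, alg, audience (your CLIENT-ID), issuer/tenant and expiry.
# Returns the claims hash or raises with the reason.
def verify_id_token(id_token, public_key, audience:, tenant_id:, now: Time.now.to_i)
  header_b64, payload_b64, sig_b64 = id_token.split('.')
  raise 'malformed token' unless header_b64 && payload_b64 && sig_b64

  header = JSON.parse(b64url_decode(header_b64))
  # Only RS256 is acceptable; this blocks "alg: none" and HMAC downgrades.
  raise "unexpected alg #{header['alg']}" unless header['alg'] == 'RS256'

  signed_part = "#{header_b64}.#{payload_b64}"
  sig_ok = public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(sig_b64), signed_part)
  raise 'bad signature' unless sig_ok

  claims = JSON.parse(b64url_decode(payload_b64))
  raise 'wrong audience' unless claims['aud'] == audience
  raise 'wrong issuer' unless claims['iss'] == "#{AZURE_ISSUER_PREFIX}#{tenant_id}/"
  raise 'wrong tenant' unless claims['tid'] == tenant_id
  raise 'token expired' unless claims['exp'].is_a?(Integer) && now < claims['exp']
  claims
end

# Map verified claims into the README's auth hash. 'email' is preferred over
# 'upn' (a UPN is a sign-in name and need not be a mailbox). tid and roles are
# surfaced under extra so multi-tenant apps can authorize on them.
# Assumption: uid is taken from the 'oid' claim.
def auth_hash_from_claims(claims, token:, refresh_token: nil)
  {
    uid: claims['oid'],
    info: {
      name: claims['name'],
      first_name: claims['given_name'],
      last_name: claims['family_name'],
      email: claims['email'] || claims['upn']
    },
    credentials: { token: token, refresh_token: refresh_token },
    extra: { raw_info: claims, tenant_id: claims['tid'], roles: Array(claims['roles']) }
  }
end

# Test-only helper that plays the identity provider and signs a token.
def mint_id_token(private_key, claims)
  header = { alg: 'RS256', typ: 'JWT' }
  signed_part = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  "#{signed_part}.#{b64url_encode(private_key.sign(OpenSSL::Digest.new('SHA256'), signed_part))}"
end

# Constructed sample data (not real tenant, client or user values).
DEMO_TENANT = '11111111-2222-3333-4444-555555555555'.freeze
DEMO_CLIENT = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'.freeze
DEMO_KEY = OpenSSL::PKey::RSA.new(2048)

def demo_claims(now = Time.now.to_i)
  {
    'aud' => DEMO_CLIENT, 'iss' => "#{AZURE_ISSUER_PREFIX}#{DEMO_TENANT}/",
    'tid' => DEMO_TENANT, 'oid' => '12345', 'name' => 'some one',
    'given_name' => 'some', 'family_name' => 'one',
    'upn' => 'someone@contoso.onmicrosoft.com', 'email' => 'some.one@contoso.example',
    'roles' => ['Admin'], 'iat' => now, 'exp' => now + 3600
  }
end

# Full round trip: IdP signs, app verifies, app builds the auth hash.
def demo_auth_hash
  token = mint_id_token(DEMO_KEY, demo_claims)
  claims = verify_id_token(token, DEMO_KEY.public_key, audience: DEMO_CLIENT, tenant_id: DEMO_TENANT)
  auth_hash_from_claims(claims, token: token)
end
```

The email fallback order is deliberate: the upn claim is what produces the "short name plus directory domain" addresses people complain about, so it is only used when no email claim is present. Roles defined in the app manifest arrive in the token as a roles claim only for tokens issued to that application, which is why the example reads them from the verified id_token rather than from an access token meant for another resource.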

Notes

When you make a request to WAAD you must specify a resource. The gem currently assumes this is the AD identified as '00000002-0000-0000-c000-000000000000'. A different resource can be passed in as part of the config, but it is not designed to be dynamic.

use OmniAuth::Builder do
  provider :azure_oauth2, TenantInfo, resource: 'myresource'
end
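The three configuration knobs above (tenant_id or the common endpoint, base_azure_url, and resource) all end up in the authorize and token URLs. The following is an added example, not the gem's own code, that builds those v1 endpoints the way this README describes and adds the checks a deployment should make before trusting its configuration: base_azure_url must be an https origin on a known Microsoft login host (otherwise a mis-set or attacker-controlled value would receive your client secret at the token step), tenant_id must look like a GUID or domain so it cannot alter the path, and the redirect_uri reused at the token step must match the registered REPLY URL exactly, with no ?code=... query string left on it. The list of login hosts is an assumption maintained from Microsoft's documentation; the client_id, redirect_uri and state values are constructed for illustration.

```ruby
# Added example, not code from the omniauth-azure-oauth2 gem: build the v1
# authorize/token endpoints (tenant-specific or 'common') with validation of
# base_azure_url, tenant_id and redirect_uri.
require 'uri'

# Assumption: an illustrative allowlist of Microsoft login hosts; keep it in
# sync with Microsoft's documentation for the clouds you actually use.
KNOWN_AZURE_LOGIN_HOSTS = %w[
  login.microsoftonline.com
  login.microsoftonline.de
  login.chinacloudapi.cn
  login.microsoftonline.us
].freeze

# Resource the README says the gem assumes by default.
DEFAULT_RESOURCE = '00000002-0000-0000-c000-000000000000'.freeze

# Accept only an https origin (no path) on a known login host and return it
# normalized, so a trailing slash or stray path cannot change the endpoints.
def validate_base_azure_url(base_azure_url)
  uri = URI.parse(base_azure_url)
  raise ArgumentError, 'base_azure_url must be https' unless uri.scheme == 'https'
  raise ArgumentError, 'base_azure_url must be a bare origin' unless uri.path.empty? || uri.path == '/'
  raise ArgumentError, "unknown Azure login host #{uri.host}" unless KNOWN_AZURE_LOGIN_HOSTS.include?(uri.host)
  "#{uri.scheme}://#{uri.host}"
end

# Omitting tenant_id selects the tenant-independent 'common' endpoint.
def azure_endpoints(base_azure_url: 'https://login.microsoftonline.com', tenant_id: nil)
  origin = validate_base_azure_url(base_azure_url)
  tenant = tenant_id.to_s.empty? ? 'common' : tenant_id.to_s
  # A tenant is a GUID or a verified domain; anything else could alter the path.
  raise ArgumentError, "invalid tenant_id #{tenant.inspect}" unless tenant =~ /\A[A-Za-z0-9.\-]+\z/
  {
    authorize_url: "#{origin}/#{tenant}/oauth2/authorize",
    token_url: "#{origin}/#{tenant}/oauth2/token"
  }
end

# AADSTS50011 ("reply address does not match") is what you get when the
# redirect_uri sent to the token endpoint still carries the ?code=...&state=...
# query string from the callback. Strip query and fragment before reuse.
def clean_redirect_uri(url)
  uri = URI.parse(url)
  uri.query = nil
  uri.fragment = nil
  uri.to_s
end

def redirect_uri_matches?(sent, registered)
  clean_redirect_uri(sent) == registered
end

# The authorize request as the browser is redirected to it. state must be an
# unguessable per-session value that the callback compares against.
def authorize_request_url(client_id:, redirect_uri:, state:, resource: DEFAULT_RESOURCE,
                          domain_hint: nil, **endpoint_opts)
  ep = azure_endpoints(**endpoint_opts)
  params = {
    'client_id' => client_id,
    'response_type' => 'code',
    'redirect_uri' => clean_redirect_uri(redirect_uri),
    'state' => state,
    'resource' => resource
  }
  params['domain_hint'] = domain_hint if domain_hint
  "#{ep[:authorize_url]}?#{URI.encode_www_form(params)}"
end
```

With `base_azure_url: "https://login.chinacloudapi.cn"` and a tenant_id the endpoints come out under login.chinacloudapi.cn/<tenant>/oauth2/, and with no tenant_id under /common/; an http:// value, a path suffix, or an unlisted host is rejected rather than silently used.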

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Make your changes, add tests, run tests (rake)
  4. Commit your changes and tests (git commit -am 'Added some feature')
  5. Push to the branch (git push origin my-new-feature)
  6. Create new Pull Request

Misc

Run tests: bundle exec rake
Push to RubyGems: bundle exec rake release

omniauth-azure-oauth2's People

Contributors

andrew2005, davidtaylorhq, dzivalli, hengyl, jayme-github, joshk0, marcus-fellinger-esc, marknadig, nickcampbell18, ronaldsalas, slashek, tobscher


omniauth-azure-oauth2's Issues

Update to Azure AD v2.0?

Just got some information that Azure AD v2.0 addressed some bugs I'm noticing (e.g. login using a Microsoft id through Azure AD doesn't work, even though the account is in an Azure AD). Any plan to update the code to v2.0? Any objection if I go and attempt to make the update?

Common Tenant Endpoint

I'm looking to implement a multi-tenant SaaS app where customers can sign up and use the Consent Framework to automatically have my application registered in their respective Azure Directories. Given it uses oauth2, I've come across your gem.

When requesting an authorization code, we have the option to specify a specific tenant or just use a common (tenant-independent) endpoint.

I am wondering why the tenant-id value is required. You're currently building authorize_url and token_url with it. Can't you just use the common endpoint instead?

#{BASE_AZURE_URL}/common/oauth2/authorize
#{BASE_AZURE_URL}/common/oauth2/token

This should remove the requirement for us to know the tenant prior to the user signing in for the first time.

Happy to try and provide a pull request if this will work? I'll leave the ability to specify the tenant-id but not require it.

Thanks for your great work so far.

Wrong email address obtained from Azure oAuth

The OAuth plug-in is working great, except for one thing: the user's email address is incorrect. The plug-in is populating the email address as the short name and the Active Directory domain, neither of which is correct. Example: my email address is [email protected] but the OAuth plugin is making the email address [email protected]. Is there a way to add something to the code that populates the user account from the 'mail' attribute in LDAP or Active Directory? https://meta.discourse.org/t/discourse-azure-ad-plugin-not-working/65249/10

The configuration of "base_azure_url" does not work

My config (gitlab.rb)

Is the following configuration correct?

gitlab_rails['omniauth_external_providers'] = ['azure_oauth2']
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "azure_oauth2",
    "args" => { 
      "client_id" => "my client id",
      "client_secret" => "my client secret",
      "tenant_id" => "my tenant id",
      # Note: This is the auth site of China
      "base_azure_url" => "https://login.chinacloudapi.cn",
    },
  }
]

Symptom description

I configured GitLab CE in accordance with the above method, and then ran sudo gitlab-ctl reconfigure.
When I open the landing page again, the Azure AD button appears on the page as shown below.
[screenshot: sign in page]
But when I click the Azure AD button, the page jumps to https://login.microsoftonline.com/MyTenantId/oauth2/authorize (see below). It should jump to https://login.chinacloudapi.cn/MyTenantId/oauth2/authorize.
[screenshot: login.microsoftonline.com]

Uhhh, where is the right place to write?

### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['azure_oauth2']
gitlab_rails['omniauth_sync_email_from_provider'] = 'azure_oauth2'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['azure_oauth2']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'azure_oauth2'
gitlab_rails['omniauth_block_auto_created_users'] = true
gitlab_rails['omniauth_auto_link_ldap_user'] = true
# gitlab_rails['omniauth_auto_link_saml_user'] = false
gitlab_rails['omniauth_external_providers'] = ['azure_oauth2']
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "azure_oauth2",
    "args" => { 
      "client_id" => "My client_id",
      "client_secret" => "My client_secret",
      "tenant_id" => "My tenant_id",
      # Uhhh, where is the right place to write?
      "base_azure_url" => "https://login.chinacloudapi.cn",
    },
    # Uhhh, where is the right place to write?
    "base_azure_url" => "https://login.chinacloudapi.cn"
  }
]
# Uhhh, where is the right place to write?
gitlab_rails['base_azure_url'] = "https://login.chinacloudapi.cn"
# Uhhh, where is the right place to write?
gitlab_rails['omniauth_base_azure_url'] = "https://login.chinacloudapi.cn"

So here comes the question...

Can you tell me how to configure omniauth-azure-oauth2 to jump to https://login.chinacloudapi.cn?

Endless thanks

Consider 0.0.7 release for current state of master

Please consider adding a release tag for the current state of master as of a88593a.

In my experience while configuring GitLab 8.11.2 from source, the commits after the 0.0.6 release proved essential in getting Azure AD authentication working.

Currently the entry for this gem in my Gemfile looks like this:
gem 'omniauth-azure-oauth2', git: 'https://github.com/KonaTeam/omniauth-azure-oauth2.git', branch: 'master'

This works fine at the moment, but I would like to pin the version I am installing.
A new release would simplify installing the correct version of this gem.

Thank you for maintaining this project in the first place ;)

Include tenant id in info?

Hi,

We've been using the gem for both single-tenant and multi-tenant applications. For multi-tenant, we added a strategy to include tid in info, so that we can use it to query against the specific tenant. I wonder if we should add this to the gem so that everyone gets it by default? I can send a pull request if that makes sense.

Thanks!
Dennis

callback_phase issues with callback_url

Hi,

I've recently been trying to use your gem for a project I'm working on and I can't seem to get it working.

During the callback, when the token is requested, the Azure AD instance throws the following error:

AADSTS70002: Error validating credentials. AADSTS50011: The reply address does not match.

At first I thought I had a typo inside my app setup in Azure, but that wasn't the case.

Azure seems to complain about the fact that the underlying oauth2 implementation of callback_url appends the code parameter to the end of the redirect_uri, and therefore it doesn't match what it is expecting.

Just wondering if you have run into this scenario?

Thanks

OmniAuth v2.0.0rc1

Hello, maintainer of OmniAuth here.

I just wanted to make the maintainers of this gem aware of the discussion that I have opened regarding v2.0.0 of OmniAuth. I invite you to join in and voice any concerns you may have here: omniauth/omniauth#1017

Oauth2 Azure AD v2 Endpoint and MFA

My organization uses MFA through our SSO in Azure AD. For whatever reason, I am not prompted for MFA when accessing the v1 endpoint (/<tenant>/oauth2/authorize). When I manually change this to the v2 endpoint (/<tenant>/oauth2/v2.0/authorize) and add a scope such as User.Read, I am prompted for MFA.

I can probably make this change, and submit a PR, but I am not very familiar with Ruby and do not have much time right now. If someone would like to add the v2 endpoint, I would be very grateful.

Role claims authorization

So I use this gem to authenticate users and it works just fine. Now I am trying to use Azure to define user/group roles, and did that by editing the app manifest in Azure AD. My question is: is there a way to include those roles in the access token received by the Rails app? I used the JWT gem to read the token, but it does not include the roles I defined in Azure.
