oAuth register_provider

[cplmayo]

I have been banging my head against the wall all day and cannot figure this out. I am registering the route and getting back the id_token but the callback function never seems to fire. I have been using the oauth_glue library as a model but I have to be missing something simple.

app.py

from authlib.integrations.flask_client import OAuth
from <local_module>.oAuth.azure import azure_config, azure_fetch_identity
security.oauthglue.register_provider('azure', azure_config('common'), azure_fetch_identity) 

azure.py

def azure_config(tenant, version=2):
    base_url = 'https://login.microsoftonline.com/' + tenant
    if version == 1:
        metadata_url = base_url + '/.well-known/openid-configuration'
    elif version == 2:
        metadata_url = base_url + '/v2.0/.well-known/openid-configuration'
    else:
        raise ValueError('Invalid version value')
    return dict(
        server_metadata_url=metadata_url,
        client_kwargs={'scope': 'openid email profile'}
        )
def azure_fetch_identity(oauth, token):
    print("beepity-boop-2")
    #profile = token["userinfo"]
    #return "email", profile["email"]

I'm sorry if I'm just missing something and I trying to get any information has been impossible and the documentation is less than clear so any help would be greatly appreciated.

[jwag956]

Please re-format so the code is readable.

There are lots of possible issues - but possibly I didn't read it correctly - but from https://github.com/authlib/loginpass/blob/master/loginpass/azure.py
I see 3 items in the config dict - I don't see 'api_base_url' in yours.

[cplmayo]

Sorry for my crap markdown the first time.

This is azure.py:

def azure_config(tenant, version=2):
    base_url = 'https://login.microsoftonline.com/' + tenant
    if version == 1:
        metadata_url = base_url + '/.well-known/openid-configuration'
    elif version == 2:
        metadata_url = base_url + '/v2.0/.well-known/openid-configuration'
    else:
        raise ValueError('Invalid version value')
    return dict(
        server_metadata_url=metadata_url,
        client_kwargs={'scope': 'openid email profile'}
        )

def azure_identity(oauth, token):
    print("beepity-boop-2")
    print(oauth.azure)
    profile = token["userinfo"]
    print(profile)
    #return "email", profile["email"]

In my app.py

from halo_asset_manager.oAuth.azure import azure_config, azure_identity

from Models import db
from Models.models import User, Role

logging.getLogger('passlib').setLevel(logging.ERROR) #Ref: https://github.com/pyca/bcrypt/issues/684#issuecomment-1858400267

"""
Load local env and create application
"""
htmx = Htmx()
mail = Mail()
migrate = Migrate()
security = Security()
oauth = OAuth()

css = Bundle("src/*.css", output="dist/main.css")
js = Bundle("src/*.js", output="dist/main.js")

def create_app():
    """Application Factory
    
    Return: WSGI Application
    """
    
    app = Flask(__name__)
    app.config.from_object('config.Config')
    app.app_context().push()
    
    app.jinja_env.add_extension("jinja2_base64_filters.Base64Filters")
    jinja_partials.register_extensions(app)
    htmx.init_app(app)
    mail.init_app(app)
    oauth.init_app(app)
    security.init_app(app, SQLAlchemyUserDatastore(db, User, Role), mail_util_cls=SesMailUtil)
    security.oauthglue.register_provider('azure', azure_config('common'), azure_identity)

I tried to include more from app.py this time since I could show the cold blocks better

From what I can tell my azure_identity function should be getting added as part of the blueprint during app registration in AuthLib but when nothing prints. It seems like azure_identity isn't getting called from oauthglue.

I can get a valid JWT back from the azure endpoint but it doesn't go through the azure_identity function so I just get redirected back to the login page.

[jwag956]

One possible reason - or at least confusing - Flask-Security will initialize OAuth() if it isn't passed as a parameter - so in your case you are creating 2 of them - maybe that doesn't matter - but either:

1. don't bother initializing/creating Oauth() or
2. pass in oauth=oauth as part of Security constructor.

The main reason to get sent back to /login is due to some OauthError or MismatchingStateError (from the oauth library). There isn't a great way to display any error like this - if you have an IDE and can set a breakpoint - that might help (in flask_security::oauth_glue:oauth_response. (or maybe better - set a breakpoint over in authorize_access_token() in authlib

I'll look into some way to help debug this...

[cplmayo]

I removed the app initialization and that didn't make a difference. To clarify also I can see the the correct replies in my browser and my app logs show the GET or POST depending on how I configure the request. So Authlib appears to be doing everything it is supposed to. It is just the linking of user data in the JWT token with the callback function.

I'm going to try and use breakpoints and see what I can figure out.

[jwag956]

In your browser you should see the redirect to /login/oauthresponse/azure
From there the response is passed to authlib.authorize_access_token - if that fails you are redirected to /login - if that succeeds then your oauthresponse callback is called - so most likely authorize_access_token is failing for some reason.

[cplmayo]

This is what I'm seeing in the application logs:
127.0.0.1 - - [31/Jan/2024 09:31:42] "GET /login/oauthresponse/azure?next=/&code=0.

The jwt is correct and I can decode it.

I spent most of yesterday trying to wrap my brain around oauthglue.py and that was where I landed. I had thrown those random print statements to try and confirm my callback was being called but the only way I could get those to print was if I called the function during registration. Otherwise they never fired which lead me to believe my function wasn't constructed correctly.

I couldn't figure out why it wasn't being called. I've never used breakpoints or the debugger so I'm going to spend some time today learning that so I can try what you suggested.

I'm really trying to use flask-security for all of my security related functions without adding additional libraries or custom routes so getting this working is pretty key for me.

[jwag956]

Looking at authlib:FlaskOauth2App:authorize_access_token - which is what Flask-Security uses - looks like there should be both a 'code' and a 'state' returned - a 'code=0' doesn't seem right at all.

When you say the JWT is correct - at what point/where are you seeing that?

I use PyCharm - works pretty well and has easy debugging built in.

[cplmayo]

I'm using VsCode and self taught so learning is happening!

I was mistaken; doubled checked what was coming after code and it wasn't what I thought.

I'm actively going back through everything; will update. At one point yesterday I had it returning a form post with all of the data but it was being dropped by flask due to the method.

[jwag956]

I can try to get it working on my end - though I am not familier with azure...

[cplmayo]

def azure_config(tenant, version=2):
    base_url = 'https://login.microsoftonline.com/' + tenant
    if version == 1:
        metadata_url = base_url + '/.well-known/openid-configuration'
    elif version == 2:
        metadata_url = base_url + '/v2.0/.well-known/openid-configuration'
    else:
        raise ValueError('Invalid version value')
    return dict(
        server_metadata_url=metadata_url,
        client_kwargs={'scope': 'openid',
                       'response_type': 'id_token',
                       'response_mode': 'form_post'}
        )

With this I get back the correct id_token but it is part of a post so it is dropped.

I'm using this as a reference: MS-Guide

I'm going to keep poking at it.

[jwag956]

How are you registering your app with azure? from the 'app registrations' service or some other way?

[cplmayo]

App registration

[cplmayo]

Could the second redirect be causing a problem?

[cplmayo]

Also if you have time or are interested I could send a teams invite.

[jwag956]

thats returning a 500 - so some exception in your flask app most likely. That screen shot doesn't look like it has the full URL? Not sure what /azure would be - that's not what flask-security sets up (unless you changed it).

[cplmayo]

I was just testing and I'm seeing the jwt in the url but the azure part must be whats doing it; I have no idea where that would be coming from though.
http://localhost:5000/login/oauthresponse/azure?next=%2f#id_token=eyJ0eXAiOiJKV1QiLCJh is coming through. Any ideas where that is coming from?

[jwag956]

Ok - I have it working in my oauth example code.

My config:

AZURE = {
    'api_base_url': 'https://graph.microsoft.com/',
    'server_metadata_url': "https://login.microsoftonline.com/8ad9bf45-2e93-4043-8f46-a6420c8e9d68/v2.0/.well-known/openid-configuration",
    'client_kwargs': {'scope': 'openid email profile'},
}
def azure_fetch_identity(oauth, token):
    profile = token["userinfo"]
    return "email", profile["email"]

Of course that is MY tenant ID. I have AZURE_CLIENT_ID and AZURE_CLIENT_SECRET in the environment.

I conditionally register it:

    if app.config.get("AZURE_CLIENT_SECRET"):
        security.oauthglue.register_provider("azure", AZURE, azure_fetch_identity)

The one thing that is really a pain - and I need to look into it more - is that Azure require the redirect URL to match - INCLUDING any query params (such as next-xxx) - That makes it less than useful IMHO - but here is my redirect url configured at Azure:

http://localhost:5002/login/oauthresponse/azure?next=/home

Note that when this was configured incorrectly I got pop-ups from Microsoft telling me the issue.

[cplmayo]

I copied your code into my app factory and i'm still getting the same errors:

def create_app():
    """Application Factory
    
    Return: WSGI Application
    """

    app = Flask(__name__)
    app.config.from_object('config.Config')
    app.app_context().push()

    app.jinja_env.add_extension("jinja2_base64_filters.Base64Filters")
    jinja_partials.register_extensions(app)
    htmx.init_app(app)
    mail.init_app(app)
    security.init_app(app, SQLAlchemyUserDatastore(db, User, Role), mail_util_cls=SesMailUtil)

    from Models import models

    db.init_app(app)
    db.create_all()

    migrate.init_app(app, db)
    
    AZURE = {
    'api_base_url': 'https://graph.microsoft.com/',
    'server_metadata_url': "https://login.microsoftonline.com/24f5575e-134d-471d-bc44-ad53bf241f85/v2.0/.well-known/openid-configuration",
    'client_kwargs': {'scope': 'openid email profile'},
    }
    def azure_fetch_identity(oauth, token):
        profile = token["userinfo"]
        return "email", profile["email"]
    
    if app.config.get("AZURE_CLIENT_SECRET"):
        security.oauthglue.register_provider("azure", AZURE, azure_fetch_identity)
        #security.oauthglue.register_provider("azure", azure_config('common'), azure_identity)

    assets = Environment(app)
    assets.register("css", css)
    assets.register("js", js)
    css.build()
    js.build()
    app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1, x_port=1, x_prefix=1)

    return app

Still getting the same error.

    # Flask Security
    REMEMBER_COOKIE_SAMESITE = "strict"
    SESSION_COOKIE_SAMESITE = "strict"

    SECURITY_EMAIL_VALIDATOR_ARGS = {
        "check_deliverability": False
        }

    # Secrity Registerable
    SECURITY_REGISTERABLE = False
    SECURITY_USERNAME_ENABLE = True

    # Secrity Confirmable
    SECURITY_CONFIRMABLE = True
    SECURITY_EMAIL_SUBJECT_CONFIRM = "Your account has been provisioned"

    # Security Changeable    
    SECURITY_CHANGEABLE = True
    SECURITY_CHANGE_URL = "/user/password"
    SECURITY_POST_CHANGE_VIEW = "/user/password"
    SECURITY_SEND_PASSWORD_CHANGE_EMAIL = False

    # Security Recoverable
    SECURITY_RECOVERABLE = True
    SECURITY_RESET_URL = "/reset"
    SECURITY_RESET_PASSWORD_WITHIN = "1 days"

    # Security Two-Factor
    SECURITY_TWO_FACTOR = True
    SECURITY_TOTP_SECRETS = {"1": environ.get("SECURITY_TOTP_SECRETS")}
    SECURITY_MULTI_FACTOR_RECOVERY_CODES = True
    SECURITY_TWO_FACTOR_REQUIRED = False
    SECURITY_TOTP_ISSUER = 'Halo-ConnectedArchitecture'
    
    # Security OAuth
    SECURITY_OAUTH_ENABLE = True
    SECURITY_OAUTH_BUILTIN_PROVIDERS = [""]
    AZURE_CLIENT_ID = environ.get("AZURE_CLIENT_ID")
    AZURE_CLIENT_SECRET = environ.get("AZURE_CLIENT_SECRET")
    #AZURE_B2C_TENANT_NAME = environ.get("AZURE_B2C_TENANT_NAME")

    # Security Trackable
    SECURITY_TRACKABLE = True
    
    # Boto3
    AWS_ACCESS_KEY_ID = environ.get("AWS_ACCESS_KEY_ID")
    AWS_SECRET_ACCESS_KEY = environ.get("AWS_SECRET_ACCESS_KEY")
    SES_REGION_NAME = environ.get("SES_REGION_NAME")
    SES_EMAIL_SOURCE = environ.get("SES_EMAIL_SOURCE")
    SES_ROLE = environ.get("SES_ROLE")

Could I have something in my conf that is causing an issue?

[cplmayo]

Has to be something I have is mis-configured;

[jwag956]

Try not setting SESSION_COOKIE_SAMESITE - I have had some issues with that affecting the oauth redirect

[cplmayo]

That fixed it! Setting that and setting it my tennet ID made it work. That is the biggest part for me. Thank you so much!

[jwag956]

Great - and this ONLY seems to matter the first time - I believe now that you have 'approved' it - you can set it back to strict and it will work. I have not spent time figuring out why except that authlib stores the state in the session - so if the session cookie isn't sent - then you will get that state error.

[cplmayo]

I can't tell you how much I appreciate the help.