Re: [web2py] Active directory authentication

2023-02-05 Thread urban....@gmail.com 
"Did you figure it out in the end cause I am facing the same issue right 
now :)"

We didn't yet end up using AD auth in production, though I did eventually 
have a *rudimentary *working version. 

I ended up using the python msal library directly.

https://github.com/AzureAD/microsoft-authentication-library-for-python



redirect_url = "https://www.ourwebsite/token";
b2c_tenant = "some-uuid"
signupsignin_user_flow = "B2C_1_signupsignin1"
editprofile_user_flow = "B2C_1_profileediting1"
resetpassword_user_flow = "B2C_1_passwordreset1"  # Note: Legacy setting.
authority_template = "https://login.microsoftonline.com/{tenant}";
CLIENT_ID = "some-uuid"
CLIENT_SECRET = "some-uuid" 

AUTHORITY = authority_template.format(
tenant=b2c_tenant, user_flow=signupsignin_user_flow)
B2C_PROFILE_AUTHORITY = authority_template.format(
tenant=b2c_tenant, user_flow=editprofile_user_flow)
B2C_RESET_PASSWORD_AUTHORITY = authority_template.format(
tenant=b2c_tenant, user_flow=resetpassword_user_flow)
REDIRECT_PATH = "/getAToken"  # Used for forming an absolute URL to your 
redirect URI.
ENDPOINT = '' # Application ID URI of app registration in Azure portal
SCOPE = []  # Example with two exposed scopes: ["demo.read", "demo.write"]
SESSION_TYPE = "filesystem"  # Specifies the token cache should be stored 
in server-side session

def _load_cache():
cache = msal.SerializableTokenCache()
if session.get("token_cache"):
cache.deserialize(session["token_cache"])
return cache

def _save_cache(cache):
if cache.has_state_changed:
session["token_cache"] = cache.serialize()

def _build_msal_app(cache=None, authority=None):
return msal.ConfidentialClientApplication(
app_config.CLIENT_ID, authority=authority or app_config.AUTHORITY,
client_credential=app_config.CLIENT_SECRET, token_cache=cache)

def _build_msal_app(cache=None, authority=None):
return msal.ConfidentialClientApplication(
CLIENT_ID, authority=authority or AUTHORITY,
client_credential=CLIENT_SECRET, token_cache=cache)

def _build_auth_code_flow(authority=None, scopes=None):
return _build_msal_app(authority=authority).initiate_auth_code_flow(
scopes or [],
redirect_uri=redirect_url)

Then I use these functions on the login page.

Something like this:
session["flow"] = _build_auth_code_flow(scopes=SCOPE) if 
settings.enable_ad else None
ad_login_url = session['flow']['auth_uri'] if session["flow"] else 
''
return dict(formLogin = formLogin, loggedIn = False, ad_login_url
=ad_login_url)

Using the ad_login_url to redirect to with a button on the login page. Then 
there's the standard microsoft register/login form that redirects to the my 
"token" controller function referenced in the "redirect_url" at the top of 
the pasted code. This url needs to be configured where you register an 
azure app. 

In the token controller you recieve the token which you an then use for 
authentication - login/registration

Something like this:
def token():
  cache = _load_cache()
  result = _build_msal_app(cache=cache).acquire_token_by_auth_code_flow(
session.get("flow", {}), request.vars
  )

  user = result['id_token_claims']

  if "error" in result:
return dict()

  _save_cache(cache)
  session["user"] = result.get("id_token_claims")
  username = user['preferred_username']

I don't know how clear this is, hopefully it's at least a little bit 
helpful, but I'm a bit fuzzy on the details. 
On Monday, February 6, 2023 at 6:05:52 AM UTC+1 david@gmail.com wrote:

> We do AD authentication with Shibboleth as our service provider on IIS 
> 10.  I don't know if that would be an option.  We couldn't find anything 
> else that worked on Windows. 
>
> Sent from Outlook for Android 
> --
> *From:* web...@googlegroups.com  on behalf of 
> Silvian “Top 10 Answers” Cedru 
> *Sent:* Monday, February 6, 2023 4:25:40 AM
> *To:* web2py-users 
> *Subject:* Re: [web2py] Active directory authentication 
>  
> Did you figure it out in the end cause I am facing the same issue right 
> now :) 
>
> urban@gmail.com schrieb am Donnerstag, 3. März 2022 um 21:31:25 UTC+7:
>
> "Still trying to wade through the seemingly half outdated guides" 
> I'm referring to Azure guides not Web2Py.
>
> On Thursday, March 3, 2022 at 2:10:33 PM UTC+1 urban@gmail.com wrote:
>
> No it's not on-premise. They said so explicitly. Apologise for the low 
> info questions. Still trying to wade through the seemingly half outdated 
> guides. Finally got the Flask demo that MS provides to work so that I know 
> the Azure side of things is working at least. Now have to figure out how to 
> implement it in Web2Py. Is the ldap_auth method only for on premise AD?
>
> On Wednesday, March 2, 2022 at 7:24:58 PM UTC+1 nico...@gmail.com wrote:
>
> Hi, 
>
> do you really use Azure AD? Otherwise, for normal on-premise AD, see the 
> documentation on 
> http://web2py.com

Re: [web2py] Active directory authentication

2023-02-05 Thread Davidiam 
We do AD authentication with Shibboleth as our service provider on IIS 10.  I 
don't know if that would be an option.  We couldn't find anything else that 
worked on Windows.

Sent from Outlook for Android

From: web2py@googlegroups.com  on behalf of Silvian 
“Top 10 Answers” Cedru 
Sent: Monday, February 6, 2023 4:25:40 AM
To: web2py-users 
Subject: Re: [web2py] Active directory authentication

Did you figure it out in the end cause I am facing the same issue right now :)

urban@gmail.com schrieb am Donnerstag, 3. März 2022 um 21:31:25 UTC+7:
"Still trying to wade through the seemingly half outdated guides"
I'm referring to Azure guides not Web2Py.

On Thursday, March 3, 2022 at 2:10:33 PM UTC+1 urban@gmail.com wrote:
No it's not on-premise. They said so explicitly. Apologise for the low info 
questions. Still trying to wade through the seemingly half outdated guides. 
Finally got the Flask demo that MS provides to work so that I know the Azure 
side of things is working at least. Now have to figure out how to implement it 
in Web2Py. Is the ldap_auth method only for on premise AD?

On Wednesday, March 2, 2022 at 7:24:58 PM UTC+1 nico...@gmail.com wrote:
Hi,

do you really use Azure AD? Otherwise, for normal on-premise AD, see the 
documentation on 
http://web2py.com/books/default/chapter/29/09/access-control#LDAP and 
https://github.com/web2py/web2py/blob/master/gluon/contrib/login_methods/ldap_auth.py

Nico


Il giorno mer 2 mar 2022 alle ore 16:48 urban@gmail.com 
 ha scritto:
We're looking into adding AD authentication to our app. We have an active 
directory account and an app registered on it.

In the documentation I found this example of enabling AD auth:

from gluon.contrib.login_methods.ldap_auth import ldap_auth  
auth.settings.login_methods.append(
  ldap_auth(
   mode='ad',
   server='https://aad.portal.azure.com/',
   base_dn='ou=Users,dc=domain,dc=com'
  )
)

However I get this error when trying to login

DEBUG:web2py.auth.ldap_auth:Traceback (most recent call last):
  File 
"C:\urban\web2py_latest\web2py\gluon\contrib\login_methods\ldap_auth.py", line 
236, in ldap_auth_aux
con = init_ldap()
  File 
"C:\urban\web2py_latest\web2py\gluon\contrib\login_methods\ldap_auth.py", line 
630, in init_ldap
"ldap://"; + ldap_server + ":" + str(ldap_port))
  File "C:\Python27\lib\site-packages\ldap\functions.py", line 92, in initialize
uri, trace_level, trace_file, trace_stack_limit, bytes_mode, **kwargs)
  File "C:\Python27\lib\site-packages\ldap\ldapobject.py", line 106, in __init__
self._l = 
ldap.functions._ldap_function_call(ldap._ldap_module_lock,_ldap.initialize,uri)
  File "C:\Python27\lib\site-packages\ldap\functions.py", line 55, in 
_ldap_function_call
result = func(*args,**kwargs)
LDAPError: (0, 'Error')

Am I doing anything wrong on the web2py side or is the issue in the AD 
configuration?

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+un...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/7d013980-154b-4b94-9365-4a64f9e32423n%40googlegroups.com.

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 
web2py+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/a406d846-fdc8-4e71-aa0c-4efb8b4f1c5an%40googlegroups.com.

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/AM8P193MB080284160269AAD0298C954CFEDA9%40AM8P193MB0802.EURP193.PROD.OUTLOOK.COM.

[web2py] SSO integration with Azure AD

2023-02-05 Thread Silvian “Top 10 Answers” Cedru 
Hello everyone,

I am facing a little problem here I tried the LDAP approach but I have in 
issue with importing it since it tells me mutable mapping is missing I was 
wondering if someone knows an easier way to set up SSO in my web2py 
application but with Azure Ad. 

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/b41edd2e-a839-46f4-a68c-9cfcb6cac06cn%40googlegroups.com.

Re: [web2py] Active directory authentication

2023-02-05 Thread Silvian “Top 10 Answers” Cedru 
Did you figure it out in the end cause I am facing the same issue right now 
:) 

urban@gmail.com schrieb am Donnerstag, 3. März 2022 um 21:31:25 UTC+7:

> "Still trying to wade through the seemingly half outdated guides"
> I'm referring to Azure guides not Web2Py.
>
> On Thursday, March 3, 2022 at 2:10:33 PM UTC+1 urban@gmail.com wrote:
>
>> No it's not on-premise. They said so explicitly. Apologise for the low 
>> info questions. Still trying to wade through the seemingly half outdated 
>> guides. Finally got the Flask demo that MS provides to work so that I know 
>> the Azure side of things is working at least. Now have to figure out how to 
>> implement it in Web2Py. Is the ldap_auth method only for on premise AD?
>>
>> On Wednesday, March 2, 2022 at 7:24:58 PM UTC+1 nico...@gmail.com wrote:
>>
>>> Hi,
>>>
>>> do you really use Azure AD? Otherwise, for normal on-premise AD, see the 
>>> documentation on 
>>> http://web2py.com/books/default/chapter/29/09/access-control#LDAP and 
>>> https://github.com/web2py/web2py/blob/master/gluon/contrib/login_methods/ldap_auth.py
>>>
>>> Nico
>>>
>>>
>>> Il giorno mer 2 mar 2022 alle ore 16:48 urban@gmail.com <
>>> urban@gmail.com> ha scritto:
>>>
 We're looking into adding AD authentication to our app. We have an 
 active directory account and an app registered on it.

 In the documentation I found this example of enabling AD auth:

 from gluon.contrib.login_methods.ldap_auth import ldap_auth  
 auth.settings.login_methods.append(
   ldap_auth( 
mode='ad', 
server='https://aad.portal.azure.com/',
base_dn='ou=Users,dc=domain,dc=com'
   )
 )

 However I get this error when trying to login

 DEBUG:web2py.auth.ldap_auth:Traceback (most recent call last):
   File 
 "C:\urban\web2py_latest\web2py\gluon\contrib\login_methods\ldap_auth.py", 
 line 236, in ldap_auth_aux
 con = init_ldap()
   File 
 "C:\urban\web2py_latest\web2py\gluon\contrib\login_methods\ldap_auth.py", 
 line 630, in init_ldap
 "ldap://"; + ldap_server + ":" + str(ldap_port))
   File "C:\Python27\lib\site-packages\ldap\functions.py", line 92, in 
 initialize
 uri, trace_level, trace_file, trace_stack_limit, bytes_mode, 
 **kwargs)
   File "C:\Python27\lib\site-packages\ldap\ldapobject.py", line 106, in 
 __init__
 self._l = 
 ldap.functions._ldap_function_call(ldap._ldap_module_lock,_ldap.initialize,uri)
   File "C:\Python27\lib\site-packages\ldap\functions.py", line 55, in 
 _ldap_function_call
 result = func(*args,**kwargs)
 LDAPError: (0, 'Error')

 Am I doing anything wrong on the web2py side or is the issue in the AD 
 configuration?

 -- 
 Resources:
 - http://web2py.com
 - http://web2py.com/book (Documentation)
 - http://github.com/web2py/web2py (Source code)
 - https://code.google.com/p/web2py/issues/list (Report Issues)
 --- 
 You received this message because you are subscribed to the Google 
 Groups "web2py-users" group.
 To unsubscribe from this group and stop receiving emails from it, send 
 an email to web2py+un...@googlegroups.com.
 To view this discussion on the web visit 
 https://groups.google.com/d/msgid/web2py/7d013980-154b-4b94-9365-4a64f9e32423n%40googlegroups.com
  
 
 .

>>>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/a406d846-fdc8-4e71-aa0c-4efb8b4f1c5an%40googlegroups.com.