marknadig / omniauth-azure-oauth2 Goto Github PK

The oAuth plug-in is working great, except one thing: The user’s email address is incorrect. The plug-in is populating the email address as the short name and the Active Directory domain, neither of which are correct. Example my email address is [email protected] but the oAuth plugin is making the email address [email protected]. Is there a way to add something to the code that populates the user account as the ‘mail’ attribute in LDAP or Active Directory. https://meta.discourse.org/t/discourse-azure-ad-plugin-not-working/65249/10

Hi,

We've been using the gem for both single tenant and multi tenant applications. For multi tenant, we added strategy to include tid in info, so that we can use that to query against the specific tenant. I wonder if we should add this in the gem so that everyone get this by default? I can send a pull request if that makes sense.

Thanks!
Dennis

I'm looking to implement a multi-tenant SaaS app where customers can sign up and use the Consent Framework to automatically have my application registered in their respective Azure Directories. Given it uses oauth2, I've come across your gem.

When requesting an authorization code, we have the option to specify a specific tenant or just use a common (tenant-independent) endpoint.

I am wondering why the tenant-id value is required. You're currently building authorize_url and token_url with it. Can't you just use the common endpoint instead?

#{BASE_AZURE_URL}/common/oauth2/authorize
#{BASE_AZURE_URL}/common/oauth2/token

This should remove the requirement for us to know the tenant prior to the user signing in for the first time.

Happy to try and provide a pull request if this will work? I'll leave the ability to specify the tenant-id but not require it.

Thanks for your great work so far.

Hello, maintainer of OmniAuth here.

I just wanted to make the maintainers of this gem aware of the discussion that I have opened regarding v2.0.0 of OmniAuth. I invite you to join in and voice any concerns you may have here: omniauth/omniauth#1017

Would be very helpful to have a helper method to use the refresh token to get a fresh access token?
Any guidance on this?

My organization uses MFA through our SSO in Azure AD. For whatever reason, I am not prompted for MFA when accessing the v1 endpoint (/<tenant>/oauth2/authorize). When I manually change this to the v2 endpoint (/<tenant>/oauth2/v2.0/authorize) and add a scope such as User.Read, I am prompted for MFA.

I can probably make this change, and submit a PR, but I am not very familiar with Ruby and do not have much time right now. If someone would like to add the v2 endpoint, I would be very grateful.

Please consider adding a release tag for the current state of master as of a88593a.

In my experience while configuring GitLab 8.11.2 from source, the commits after the 0.0.6 release proved essential in getting Azure AD authentication working.

Currently the entry for this gem in my Gemfile looks like this:
gem 'omniauth-azure-oauth2', git: 'https://github.com/KonaTeam/omniauth-azure-oauth2.git', branch: 'master'

Which works fine at this moment, but I would like to fixate the version I am installing.
A new release would simplify the install of the correct version of this gem.

Thank you for maintaining this project in the first place ;)

For accounts created on Office 365 Germany

https://products.office.com/en-gb/business/office-365-germany

the AZURE_BASE_URL must be https://login.microsoftonline.de/

So I use this gem to authenticate users and it works just fine. Now I am trying to use Azure to define users/groups roles and did that by editing the app manifest in Azure AD. My question is there a way to include those roles in the access token received by rails app ? I used JWT gem to read the token but it does not include the roles I defined in Azure.

My Config(gitlab.rb)

Is the right configuration correct?

gitlab_rails['omniauth_external_providers'] = ['azure_oauth2']
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "azure_oauth2",
    "args" => { 
      "client_id" => "my client id",
      "client_secret" => "my client secret",
      "tenant_id" => "my tenant id",
      # Note: This is the auth site of China
      "base_azure_url" => "https://login.chinacloudapi.cn",
    },
  }
]

Symptom description

I configured Gitlab-CE in accordance with the above method, and then sudo gitlab-ctl reconfigure it.
When I open the landing page again, the Azure AD button appears on the page as shown below.

But when I click the Azure AD button, the page to jump to https://login.microsoftonline.com/MyTenantId/oauth2/authorize (see below). It should jump to https://login.chinacloudapi.cn/MyTenantId/oauth2/authorize

Uhhh, where is the right place to write?

### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['azure_oauth2']
gitlab_rails['omniauth_sync_email_from_provider'] = 'azure_oauth2'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['azure_oauth2']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'azure_oauth2'
gitlab_rails['omniauth_block_auto_created_users'] = true
gitlab_rails['omniauth_auto_link_ldap_user'] = true
# gitlab_rails['omniauth_auto_link_saml_user'] = false
gitlab_rails['omniauth_external_providers'] = ['azure_oauth2']
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "azure_oauth2",
    "args" => { 
      "client_id" => "My client_id",
      "client_secret" => "My client_secret",
      "tenant_id" => "My tenant_id",
      # Uhhh, where is the right place to write?
      "base_azure_url" => "https://login.chinacloudapi.cn",
    },
    # Uhhh, where is the right place to write?
    "base_azure_url" = "https://login.chinacloudapi.cn"
  }
]
# Uhhh, where is the right place to write?
gitlab_rails['base_azure_url'] = "https://login.chinacloudapi.cn"
# Uhhh, where is the right place to write?
gitlab_rails['omniauth_base_azure_url'] = "https://login.chinacloudapi.cn"

So here comes the question...

Can you tell me how to configure omniauth-azure-oauth2 to jump to https://login.chinacloudapi.cn?

Endless thanks

Just got some information that Azure AD v2.0 addressed some bugs I'm noticing (e.g. login using a Microsoft id through Azure AD doesn't work, even though the account is in an Azure AD). Any plan to update the code to v2.0? Any objection if I go and attempt to make the update?

Hi,

I've recently been trying to use your gem for a project i'm working on and I can't seem to get it working.

During the callback when the token is requested. The azure AD instance is throwing the following error:

AADSTS70002: Error validating credentials. AADSTS50011: The reply address does not match.

At first I thought I had a typo inside my app setup in azure but that wasn't the case.

Azure seems to complain about the fact that the underlying auth2 implementation of callback_url appends the code parameter on the end of the redirect_uri and therefore it doesn't match what is is expecting.

Just wondering if you have run into this scenario?

Thanks