marknadig / omniauth-azure-oauth2 Goto Github PK
License: MIT License
Hi,
I've recently been trying to use your gem for a project I'm working on and I can't seem to get it working.
During the callback, when the token is requested, the Azure AD instance throws the following error:
AADSTS70002: Error validating credentials. AADSTS50011: The reply address does not match.
At first I thought I had a typo inside my app setup in Azure, but that wasn't the case.
Azure seems to complain about the fact that the underlying oauth2 implementation of callback_url appends the code parameter to the end of the redirect_uri, and therefore it doesn't match what it is expecting.
Just wondering if you have run into this scenario?
Thanks
Hello, maintainer of OmniAuth here.
I just wanted to make the maintainers of this gem aware of the discussion that I have opened regarding v2.0.0 of OmniAuth. I invite you to join in and voice any concerns you may have here: omniauth/omniauth#1017
It would be very helpful to have a helper method that uses the refresh token to get a fresh access token.
Any guidance on this?
Please consider adding a release tag for the current state of master as of a88593a.
In my experience while configuring GitLab 8.11.2 from source, the commits after the 0.0.6 release proved essential in getting Azure AD authentication working.
Currently the entry for this gem in my Gemfile looks like this:
gem 'omniauth-azure-oauth2', git: 'https://github.com/KonaTeam/omniauth-azure-oauth2.git', branch: 'master'
Which works fine at this moment, but I would like to fixate the version I am installing.
A new release would simplify the install of the correct version of this gem.
Thank you for maintaining this project in the first place ;)
The oAuth plug-in is working great, except for one thing: the user's email address is incorrect. The plug-in is populating the email address as the short name and the Active Directory domain, neither of which is correct. For example, my email address is [email protected] but the oAuth plugin is making the email address [email protected]. Is there a way to add something to the code that populates the user account with the 'mail' attribute from LDAP or Active Directory? https://meta.discourse.org/t/discourse-azure-ad-plugin-not-working/65249/10
For accounts created on Office 365 Germany (https://products.office.com/en-gb/business/office-365-germany), the AZURE_BASE_URL must be https://login.microsoftonline.de/
I'm looking to implement a multi-tenant SaaS app where customers can sign up and use the Consent Framework to automatically have my application registered in their respective Azure Directories. Given it uses oauth2, I've come across your gem.
When requesting an authorization code, we have the option to specify a specific tenant or just use a common (tenant-independent) endpoint.
I am wondering why the tenant-id value is required. You're currently building authorize_url and token_url with it. Can't you just use the common endpoint instead?
#{BASE_AZURE_URL}/common/oauth2/authorize
#{BASE_AZURE_URL}/common/oauth2/token
This should remove the requirement for us to know the tenant prior to the user signing in for the first time.
Happy to try and provide a pull request if this would work. I'll leave the ability to specify the tenant-id but not require it.
Thanks for your great work so far.
My organization uses MFA through our SSO in Azure AD. For whatever reason, I am not prompted for MFA when accessing the v1 endpoint (/<tenant>/oauth2/authorize). When I manually change this to the v2 endpoint (/<tenant>/oauth2/v2.0/authorize) and add a scope such as User.Read, I am prompted for MFA.
I can probably make this change and submit a PR, but I am not very familiar with Ruby and do not have much time right now. If someone would like to add the v2 endpoint, I would be very grateful.
Hi,
We've been using the gem for both single-tenant and multi-tenant applications. For multi-tenant, we added a strategy to include tid in info, so that we can use that to query against the specific tenant. I wonder if we should add this in the gem so that everyone gets this by default? I can send a pull request if that makes sense.
Thanks!
Dennis
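Exposing tid in info (the post above) and the earlier suggestion to sign in through the /common endpoint both drop the tenant pinning that a fixed tenant_id gives you, so the application itself has to decide which tenants it trusts. The following Ruby is an added example, not the gem's code or any poster's: it reads the tid and iss claims of a v1 id_token and rejects tokens from tenants that were never onboarded. Signature verification is assumed to happen separately (for instance with the jwt gem against Azure's signing keys), and the tenant ids are constructed placeholders.

```ruby
require 'json'

# Added example, not the gem's code: check the tenant claims of an Azure AD
# v1 id_token before accepting a login that arrived through /common.
# Signature verification is assumed to be done elsewhere; this only reads claims.

# Decode one base64url JWT segment ('-' '_' alphabet, padding stripped).
def base64url_decode(segment)
  padded = segment.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

def base64url_encode(str)
  [str].pack('m0').tr('+/', '-_').delete('=')
end

# Claims hash from a compact JWT; the signature is NOT checked here.
def jwt_claims(token)
  parts = token.split('.', -1)
  raise ArgumentError, 'not a compact JWT' unless parts.length == 3
  JSON.parse(base64url_decode(parts[1]))
end

# Multi-tenant check: tid must be a tenant we onboarded, and the issuer must
# name that same tenant (v1 tokens use https://sts.windows.net/<tid>/).
def tenant_allowed?(claims, allowed_tenants, sts_base: 'https://sts.windows.net')
  tid = claims['tid']
  iss = claims['iss']
  return false if tid.nil? || iss.nil?
  return false unless allowed_tenants.include?(tid)
  iss == "#{sts_base}/#{tid}/"
end

# Build an unsigned token ("alg": "none") only to feed the check above with
# constructed sample claims; a real verifier must reject alg "none".
def build_unsigned_token(claims)
  header = base64url_encode(JSON.generate({ 'alg' => 'none', 'typ' => 'JWT' }))
  "#{header}.#{base64url_encode(JSON.generate(claims))}."
end

# Constructed placeholder tenant id (not a real tenant).
ONBOARDED_TENANT = '11111111-2222-3333-4444-555555555555'.freeze
ALLOWED_TENANTS = [ONBOARDED_TENANT].freeze

SAMPLE_TOKEN = build_unsigned_token({
  'iss' => "https://sts.windows.net/#{ONBOARDED_TENANT}/",
  'tid' => ONBOARDED_TENANT
})
```

In an OmniAuth callback the same check would run on the raw id_token from the credentials hash before the tid from info is used to pick a tenant's data.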
So I use this gem to authenticate users and it works just fine. Now I am trying to use Azure to define user/group roles, and did that by editing the app manifest in Azure AD. My question is: is there a way to include those roles in the access token received by the Rails app? I used the JWT gem to read the token, but it does not include the roles I defined in Azure.
Is the following configuration correct?
gitlab_rails['omniauth_external_providers'] = ['azure_oauth2']
gitlab_rails['omniauth_providers'] = [
{
"name" => "azure_oauth2",
"args" => {
"client_id" => "my client id",
"client_secret" => "my client secret",
"tenant_id" => "my tenant id",
# Note: This is the auth site of China
"base_azure_url" => "https://login.chinacloudapi.cn",
},
}
]
I configured GitLab CE in accordance with the above method, and then ran sudo gitlab-ctl reconfigure.
When I open the landing page again, the Azure AD button appears on the page (screenshot omitted).
But when I click the Azure AD button, the page jumps to https://login.microsoftonline.com/MyTenantId/oauth2/authorize. It should jump to https://login.chinacloudapi.cn/MyTenantId/oauth2/authorize
### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['azure_oauth2']
gitlab_rails['omniauth_sync_email_from_provider'] = 'azure_oauth2'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['azure_oauth2']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'azure_oauth2'
gitlab_rails['omniauth_block_auto_created_users'] = true
gitlab_rails['omniauth_auto_link_ldap_user'] = true
# gitlab_rails['omniauth_auto_link_saml_user'] = false
gitlab_rails['omniauth_external_providers'] = ['azure_oauth2']
gitlab_rails['omniauth_providers'] = [
{
"name" => "azure_oauth2",
"args" => {
"client_id" => "My client_id",
"client_secret" => "My client_secret",
"tenant_id" => "My tenant_id",
# Uhhh, where is the right place to write?
"base_azure_url" => "https://login.chinacloudapi.cn",
},
# Uhhh, where is the right place to write?
"base_azure_url" => "https://login.chinacloudapi.cn"
}
]
# Uhhh, where is the right place to write?
gitlab_rails['base_azure_url'] = "https://login.chinacloudapi.cn"
# Uhhh, where is the right place to write?
gitlab_rails['omniauth_base_azure_url'] = "https://login.chinacloudapi.cn"
Can you tell me how to configure omniauth-azure-oauth2 to jump to https://login.chinacloudapi.cn?
Endless thanks
Just got some information that Azure AD v2.0 addressed some bugs I'm noticing (e.g. login using a Microsoft id through Azure AD doesn't work, even though the account is in an Azure AD). Any plan to update the code to v2.0? Any objection if I go and attempt to make the update?