I have a Python-Flask website I've created for an employee self-service portal. I've registered it in my company's Azure AD tenant. I'm going to deploy it to a single node (it's a low-traffic site) and I want to secure it with a certificate since it will be pulling our AD credentials and Single Sign On session information.
I downloaded the sample code here: https://github.com/Azure-Samples/ms-identity-python-webapp
After a little work I managed to re-write my site using that as a guide and I can now authenticate with SSO on my laptop!
To try and deploy it to a server, I followed the guide at DigitalOcean: https://www.digitalocean.com/community/tutorials/how-to-serve-flask-applications-with-uswgi-and-nginx-on-ubuntu-18-04
Now's the problem: How do I deploy this to a server? I need to register the new url in the authentication tab in Azure: Done. I'm using https:// and https://<myservername/getAtoken. I need a certificate: I generated a self-signed cert and uploaded it to my Azure application.
Now the problem is: how do I get Azure to recognize my app when it's on the server? If I try to login I just get an error that: "AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: ".
EDIT: I found something. In the URL when I query Azure the return URI being sent is: https://login.microsoftonline.com//oauth2/v2.0/authorize?client_id=&response_type=code&redirect_uri=http%3A%2F%2F%2FgetAtoken&scope=User.ReadBasic.All+offline_access+openid+profile&state=SpOcEwhzdGBXxMsv&code_challenge=<information I'm not sure is wise to share.
It's sending the URL as http, not https!
To deploy to the server you need to add the certificate identity as a client and give the client access to web service calls in your application. Read more about the certificate here. To get Azure to recognize your app when it's on the server you need to first register your application in Azure AD.
The error AADSTS50011 is referring to when trying to sign into a SAML-based single sign-on (SSO) configured app that has been integrated with Azure Active Directory (Azure AD). You received the error AADSTS50011 when trying to sign into an application that has been set up to use Azure AD for identity management using SAML-based SSO. Learn more here.
I found my problem. In the nginx.conf file I needed to add:
proxy_set_header X-Forwarded-Proto $scheme;
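The app-side counterpart of that nginx line, as an added example that is not from the original question or the ms-identity-python-webapp sample: nginx terminates TLS and forwards plain HTTP to uWSGI, so the WSGI app sees `http` and builds an `http://.../getAtoken` redirect_uri unless it honours X-Forwarded-Proto. The middleware below only trusts the header when the peer is a known proxy (assumed here to be 127.0.0.1), because any client can send that header directly to the app; the host name and environ are constructed for the demonstration.

```python
from urllib.parse import urljoin
from wsgiref.util import application_uri  # stdlib: builds base URL from a WSGI environ

# nginx side (the fix from the answer above), proxying to uWSGI over plain HTTP:
#     proxy_set_header Host $host;
#     proxy_set_header X-Forwarded-Proto $scheme;

class ForwardedProtoMiddleware:
    """Set wsgi.url_scheme from X-Forwarded-Proto, but only for trusted peers."""

    def __init__(self, app, trusted_proxies=("127.0.0.1",)):
        self.app = app
        self.trusted_proxies = set(trusted_proxies)

    def __call__(self, environ, start_response):
        peer = environ.get("REMOTE_ADDR", "")
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "")
        if peer in self.trusted_proxies and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto      # header from an untrusted peer is ignored
        return self.app(environ, start_response)

def redirect_uri(environ, path="/getAtoken"):
    """Absolute redirect_uri the app would send to Azure AD for this request."""
    return urljoin(application_uri(environ), path.lstrip("/"))

def make_environ(host, peer, forwarded_proto=None):
    """Constructed WSGI environ imitating what uWSGI receives from nginx."""
    environ = {"wsgi.url_scheme": "http", "HTTP_HOST": host, "REMOTE_ADDR": peer,
               "SERVER_NAME": host, "SERVER_PORT": "8000", "SCRIPT_NAME": "",
               "PATH_INFO": "/"}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return environ

def redirect_uri_seen_by_app(environ, trusted_proxies=("127.0.0.1",)):
    """Run a minimal app behind the middleware and return the redirect_uri it computed."""
    seen = {}

    def inner(env, start_response):
        seen["uri"] = redirect_uri(env)
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    list(ForwardedProtoMiddleware(inner, trusted_proxies)(environ, lambda *a: None))
    return seen["uri"]

if __name__ == "__main__":
    print(redirect_uri_seen_by_app(make_environ("portal.example.com", "127.0.0.1")))
    print(redirect_uri_seen_by_app(make_environ("portal.example.com", "127.0.0.1", "https")))
```

For a Flask app, Werkzeug's ProxyFix middleware (`ProxyFix(app.wsgi_app, x_proto=1)`) does the same job; the point is that the header is only meaningful when it comes from your own proxy.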
I'm in the process of connecting my React Native UI to Python Django backend using REST framework and unsure of how to go about fetching the data from backend.
I used the fetch(URL) as you can see in the SS below:
The error I get:
I also added my phone as an adb device and connected it through a USB cable before running the app, but same issue. Any suggestions as to how to go about React Native UI and Python Django REST API integration?
A bit late but I hope it will help the next ones.
You cannot use a regular URL when connecting DRF (or any other API framework) to a React Native app, so you need to tunnel it through a reverse proxy such as ngrok. Short answer is, download ngrok, put it in your environment variable, then in your shell type:
ngrok http 8000
You will receive an https URL to replace your localhost:8000 in your API URL. A good thing to do is to register with ngrok so you don't have to replace this new URL too often; I think it is only stable for an hour or two if not registered.
Last but not least, in your CORS config whitelist (CORS_ALLOWED_ORIGINS), don't forget to put this new URL or you'll get a 404.
Good luck
I have a Python script that should download data from a web resource using a link. It so happened that the resource is in Azure App Service protected by Active Directory. My user account is allowed to access the link and download data (I can do it from a web browser manually, but want to automate this process). The Python script uses the requests library. I can't figure out how to authenticate properly, because when I try to run the script, I get:
Error 403 - Forbidden
The web app you have attempted to reach has blocked your access.
Usual authentication with requests doesn't work (using auth parameter or session.auth or with HttpNtlmAuth).
I know one can use VS Code to authenticate to Azure and then use DefaultAzureCredential, but I can't get where you should use this DefaultAzureCredential object (because it doesn't work with requests).
I don't need the whole Python app to be registered or somehow else recognizable by Azure resource. It's just a script to download data, that is not supposed to be productionized.
Any ideas how I can scrape the data from Azure?
Note: I'm not an admin or creator of this Azure App, so can't change any restriction settings.
In short, the part of script making request looks like:
import requests
from requests_ntlm import HttpNtlmAuth  # NTLM helper the script uses for session.auth

params = {"param1": param1,
          "param2": param2}
session = requests.Session()
session.auth = HttpNtlmAuth(USERNAME, PASSWORD)
# a scheme is required, otherwise requests raises MissingSchema before sending anything
url = "https://my-app.azurewebsites.net/the-rest-of-the-path"
response = session.get(url, params=params, verify=False)  # verify=False skips TLS certificate checks
If you want to access the Azure App Service, you have to authenticate to the Azure App Service. If you don't have access to the Azure App Service, you cannot access the Azure resources.
Generally, when a web server stops you from accessing the page you're trying to open in your browser, you'll get a 403 Forbidden error. There isn't much you can do most of the time. However, occasionally the issue is on your end.
Here are some points that can cause this error.
If you have an open public API and public access is not allowed on Azure App Service.
Your app's IP address, which you're using to call the app service, isn't whitelisted.
If you have a gateway in the middle, it's possible that it's also blocking your calls.
Here are the possible solutions that you can try:
Remove the access restrictions from your web app's Networking page.
Try adding 0.0.0.0/0 to give access to all. You can later add restrictions based on your needs.
The order of the restrictions is important, so double-check it. It may have an impact if you have a blocked call before an approved call.
You can also have restrictions based on http-headers like X-Forwarded-For. Please double-check that. This can also happen in code, depending on how you handle errors.
Protocol support for HTTP headers in Azure Front Door | Microsoft Docs
Check this, if your API is behind the Gateway: Application Gateway integration with service endpoints
There is an issue with getting the real user request IP address inside a web application that is running on a Cloud Run service. For some reason the web application obtains the same IP address for all user requests - 169.254.8.129. I'm assuming a load balancer in front of the Cloud Run service overrides request IPs with its own.
I have already double-checked this issue with different apps on Flask, FastAPI and ASP.NET Core in Cloud Run. All apps return the same results and all have the same issue.
But when I check those apps on a VM, everything works fine there.
How can I get the user's IP-Address in my Cloud-Run Flask app?
I have found part of the answer, but still cannot handle the same for FastAPI.
The address 169.254.8.129 is the address of the proxy sitting in front of your Cloud Run service.
You can extract the list of IP addresses from the HTTP header X-Forwarded-For. This list usually includes the client and each proxy or load balancer in between the client and your application.
X-Forwarded-For
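Extracting the client from that list safely, as an added example that is not part of the original answer: proxies append to X-Forwarded-For, so the entries on the right were added by infrastructure you control while everything further left is client-supplied and can be forged. The function is framework-agnostic (works the same in a Flask or FastAPI handler); `trusted_hops` is the number of trailing entries your own proxies append, assumed to be 1 here, and the addresses in the test are constructed.

```python
import ipaddress

def client_ip_from_xff(xff_header, remote_addr, trusted_hops=1):
    """Return the real client address using X-Forwarded-For.

    trusted_hops: how many trailing entries your own load balancer(s) add
    after the client (verify this once with a request from a known address).
    The client is the entry just before those; anything further left is
    ignored because a client can put arbitrary values there. Falls back to
    remote_addr (the proxy itself, e.g. 169.254.8.129 in the question) when
    the header is missing, too short, or not a valid address.
    """
    entries = [e.strip() for e in (xff_header or "").split(",") if e.strip()]
    if len(entries) <= trusted_hops:          # nothing left of the trusted hops
        return remote_addr
    candidate = entries[-(trusted_hops + 1)]
    try:
        return str(ipaddress.ip_address(candidate))   # normalises, rejects garbage
    except ValueError:
        return remote_addr

def client_ip_from_headers(headers, remote_addr, trusted_hops=1):
    """Same lookup from a case-insensitive header mapping, e.g. request.headers."""
    value = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    return client_ip_from_xff(value, remote_addr, trusted_hops)

if __name__ == "__main__":
    # constructed header: client, then the Cloud Run load balancer hop
    print(client_ip_from_xff("203.0.113.7, 169.254.8.129", "169.254.8.129"))
```

If your deployment turns out to put only the client in the header (the proxy appearing solely as the socket peer), use `trusted_hops=0`; the important part is to count from the right, never to take the first entry.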
Newbie working on a Salesforce project for a job interview. I'm trying to build a Django form that will submit a case ticket to the Salesforce backend. I'm using the django-salesforce library, and I'm at the point where I'm creating a new connected app. How do I deal with the callback URL if I'm testing on localhost? The callback URL needs to be an https secure connection. Can I just set the callback as http://localhost:8000? Having a hard time figuring it out and on a strict time limit so no time to learn the Salesforce API.
No, you cannot do that, because they will try to redirect you to that site; also, a few OAuth providers need a valid URL to do so.
You can use https://ngrok.com to publicly expose your local server.
ngrok exposes your local server and port to a publicly accessible URL. Internally it creates a tunnel between the generated URL and your machine, so you can expose your local Django server to the world using it.
Then pass on the generated link to the OAuth app.
I am starting work on a project that will involve sending an auto-generated email to a user. I am (most likely) going to build the application using Python and Django and host it as an Azure web app. The outgoing email address (hello@example.com) is hosted on Office 365. After some digging it looks like the recommended method of sending emails is the 365 Outlook API. All the documentation shows how to authenticate using AAD for a user that is logging in. However, I need to access the same email address regardless of who is using the web app.
Is there a way to securely get access to an AAD token on the backend of the server without storing a password in plaintext? Preferably it would be in Python or REST, but if need be I can switch technologies.
You can create an app-only application following the Client Credentials Grant flow, leveraging which you can authenticate and authorize with AAD in the backend.
Here is a code sample on GitHub https://github.com/Azure-Samples/active-directory-python-graphapi-oauth2-0-access, which builds an app-only app leveraging AAD in Django.
Any further concern, please feel free to let me know.
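What the client-credentials flow looks like on the wire, as an added example that is not the linked sample's code: the app authenticates with its own credential (read from the environment or a key vault, never hard-coded) against the v2.0 token endpoint, and the token is cached and refreshed shortly before `expires_in` runs out. The tenant, client id, secret and Graph `.default` scope are assumptions for the demonstration, and the HTTP transport is injectable so the logic can be exercised offline.

```python
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def build_token_request(tenant_id, client_id, client_secret,
                        scope="https://graph.microsoft.com/.default"):
    """URL and form body of a v2.0 client_credentials token request."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,          # .default = the app permissions an admin has consented to
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body

def post_form(url, body):
    """Real transport: POST the form and decode the JSON reply (needs network)."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())

class AppOnlyToken:
    """Holds one app-only token and refreshes it 60 s before it expires."""

    def __init__(self, tenant_id, client_id, client_secret, post=post_form):
        self._args = (tenant_id, client_id, client_secret)
        self._post = post                     # injectable for offline testing
        self._token, self._expires_at = None, 0.0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token and now < self._expires_at - 60:
            return self._token                # still valid, no round trip
        url, body = build_token_request(*self._args)
        reply = self._post(url, body)
        if "access_token" not in reply:       # AAD returns error/error_description on failure
            raise RuntimeError(reply.get("error_description", "token request failed"))
        self._token = reply["access_token"]
        self._expires_at = now + float(reply.get("expires_in", 0))
        return self._token

def from_environment():
    """Credential comes from environment variables (assumed names), not from source."""
    return AppOnlyToken(os.environ["AAD_TENANT_ID"], os.environ["AAD_CLIENT_ID"],
                        os.environ["AAD_CLIENT_SECRET"])
```

In production the MSAL library's ConfidentialClientApplication implements this flow (including certificate credentials instead of a secret) so you do not have to hand-roll the request; the block shows what it does underneath.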