I am currently working on a site that is deployed on an AWS EC2 instance using Apache, Django, and mod_wsgi. I am trying to configure my Apache to use mod_authz_user and a python script for user validation following this tutorial but after implementing it, I get a 500 error when successfully logging into the server and the error logs show nothing except that there was an initial GET request for the home page of the site. The structure of my code follows the tutorial linked above pretty much to tea, so I'm not sure what could be going wrong. The site properly asks the user for the username and password, and I know for sure my authentication script is being called by Apache.
Technically, all I need is the HTTP_AUTHENTICATION head to be set for my Django application, so if I could somehow have the user enter in their credentials but not have Apache validate it (which leads to the 500 error) that would be great. In that case the HTTP_AUTHENTICATION header would be set because the user entered in the credentials and then my Django application could deal with the authentication from there.
For a bit more context, this site runs on an intranet and I am attempting to make it so that not just anybody can access the site internally in the company. Once the Windows user is passed into Django I will check the membership of the user against an AD group.
Related
I'm trying to make an app and I can't figure out how to sign in to a user with the python library firebase_admin. I don't have any code as of this moment. Let me know if you can help me out.
The Firebase Admin SDK is designed to be used in a trusted environment, such as your development machine, a server you control, or Cloud Functions/Cloud Run. It gets its authorization from its context or from a credentials file that you provide to it, and which gives it full, administrative access to the project. Therefor it doesn't need, and doesn't have a way, to sign in as a specific user.
If your use-case requires that you sign a user in to Firebase from your Python code, you can consider calling the REST API to authenticate. But the use-case for this would typically be to then pass the ID token you receive back to a user (similar to the use-case in creating custom tokens).
I have a Django app running via Gunicorn and an Nginx proxy that uses Azure AD authentication (based on the following tutorial: https://learn.microsoft.com/en-us/graph/tutorials/python?tutorial-step=3).
At the moment when a user logs in to the app via Azure AD and isn't assigned to a role, Django shows a generic 500 error page. I want to display something a little more meaningful to the user, but I don't know where exactly I need to capture the oauthlib.oauth2.rfc6749.errors.CustomOAuth2Error and display it.
I can see the Django logs show: "oauthlib.oauth2.rfc6749.errors.CustomOAuth2Error (interaction_required) AADSTS50105: The signed in user '{EmailHidden}' is not assigned to a role for the application '[App ID]'(App Name).”
Would it be within the callback view that I have to check for this error somehow?
I was rather hoping Azure would show the error message by default, but that doesn't seem to the case.
Refer this link for more details of error handling and exception handling in MSAL for Python. An easier approach would be to make the application to handle the custom error message/ custom error display page based on the error capture with in the application.
I created a Flask-Webservice with Python that runs independently inside a docker container. I then uploaded the docker image to an Azure Container Registry. From there I can create a WebService (for Containers) with some few clicks in the Azure Portal, that runs this container. So far so good. It behaves just as I want it to.
But of course I don't want anyone to access the service. So I need some kind if authentication. Luckily (or so I thought) there is a built-in authentication-mechanism (I think it is based on OAuth ... I am not that well versed in security issues). Its documentation is a bit sparse on what actually happens and also concentrates on solutions in C#.
I first created a project with Google as described here and then configured the WebApp-Authentication with the Client-Id and Secret. I of course gave Google a java script source and callback-url, too.
When I now log off my Google account and try a GET-Request to my Webservice in the Browser (the GET should just return a "hello world"-String), I am greeted with a Login Screen ... just as I expected.
When I now login to Google again, I am redirected to the callback-url in the browser with some kind of information in the parameters.
a token perhaps? It looks something like this:
https://myapp.azurewebsites.net/.auth/login/google/callback?state=redirxxx&code=xxx&authuser=xxx&session_state=xxx&prompt=xxx).
Here something goes wrong, because an error appears.
An error occurred.
Sorry, the page you are looking for is currently unavailable.
Please try again later.
If you are the system administrator of this resource then you should check the error log for details.
Faithfully yours, nginx.
As far as I now, nginx is a server software that hosts my code. I can imagine that it also should handle the authentication process. It obviously lets all requests through to my code when authentication is turned off, but blocks un-authenticated accesses otherwise and redirects to the google login. Google then checks if your account is authorized for the application and redirects you to the callback with the access token along with it. This then returns a cookie which should grant my browser access to the app. (I am just reproducing the documentation here).
So my question is: What goes wrong. Does my Browser not accept the cookie. Did I something wrong when configuring Google+ or the Authentication in the WebApp. Do I have to use a certain development stack to use the authentication. Is it not supported for any of the technologies I use (Python, Flask...).
EDIT
#miknik:
In Microsofts documentation of the authentication/authorization it says
The authentication and authorization module runs in the same sandbox
as your application code. When it's enabled, every incoming HTTP
request passes through it before being handled by your application
code.
...
The module runs separately from your application code and is
configured using app settings. No SDKs, specific languages, or changes
to your application code are required.
So while you are probably right that the information in the callback-redirect is the authorization grant/code and that after that this code should now be used to get an access token from Google, I don't quite understand how this would work in my situation.
As far as I can see it Microsofts WebApp for Container-Resource on Azure should take care of getting the token automatically and return it as part of the response to the callback-request. The documentation states 4 steps:
Sign user in: Redirects client to /.auth/login/.
Post-authentication: Provider redirects client to /.auth/login//callback.
Establish authenticated session: App Service adds authenticated cookie to response.
Serve authenticated content: Client includes authentication cookie in subsequent requests (automatically handled by browser).
It seems to me that step 2 fails and that that would be exactly what you wrote: that the authorization grant is to be used by the server to get the access token but isn't.
But I also don't have any control over that. Perhaps someone could clear things up by correcting me on some other things:
First I can't quite figure out which parts of my problem represent which role in the OAuth-scheme.
I think I am the Owner, and by adding users to the list in the Google+-Project I authorize them to use my service.
Google is obviously the authorization server
my WebService (or better yet my WebApp for Containers) is the resource server
and finally an application or postman that does the requests is the Client
In the descriptions of OAuth I read the problematic step boils down to: the resource server gets the access token from the authorization server and passes it along to the client. And Azures WebApps Resource is prompted (and enabled) to do so by being called with the callback-url. Am I right somewhere in this?
Alas, I agree that I don't quite understand the whole protocol. But I find most descriptions on the net less than helpful because they are not specific to Azure. If anyone knows a good explanation, general or Azure-specific, please make a comment.
I found a way to make it work and I try to explain what went wrong as good as I can. Please correct me if I go wrong or use the wrong words.
As I suspected the problem wasn't so much that I didn't understand OAuth (or at least how Azure manages it) but the inner workings of the Azure WebApp Service (plus some bad programming on my part). Azure runs an own Server and is not using the built-in server of flask. The actual problem was that my flask-program didn't implement a WSGI-Interface. As I could gather this is another standard for python scripts to interact with any server. So while rudimentary calls from the server (I think Azure uses nginx) were possible, more elaborate calls, like the redirect to the callback url went to dev/null.
I build a new app following this tutorial and then secured it by following the authentication/authorization-tutorial and everything worked fine. The code in the tutorial implements WSGI and is probably more conform to what Azure expects. My docker solution was too simple.
My conclusion: read up on this WSGI-standard that flask always warned me about and I didn't listen and implement it in any code that goes beyond fiddeling around in development.
Where I work currently there are many Django projects, each running on their own VPS, and each is running under their own subdomain (foo.example.com, bar.example.com, ...) as shown in the following diagram:
What I want to do is to have a central Django Server that manages all the login process (authorization and authentication) for each application, and when a user logins in foo.example.com and then goes to bar.example.com, his session keeps active and doesn't need to enter credentials again (user/password), the same if the user logs out, he couldn't see anything on the other projects until he logins in again.
Similar as what Google does when you login on gmail.com and go to youtube.com or blogger.com (or more similar to what I want to do: you login in google.com and go to drive.google.com, photos.google.com, calendar.google.com) or any other Google's site, your session keeps active.
Is there any django-package or any other way that would help me accomplish it?
I would use the django rest framework and login with that. This will install a session cookie, which you can check every time the user opens a page that they need to be logged in for. Once the cookie expires, or django expires the cookie, the user is logged out, and pages should not be served to them if your authentication checks are good. This means that if they log in to the django server anywhere, they remain logged in, even on your page, just like with facebook or google. When they log out of the django server, anywhere, they will be logged out of your remote pages as well.
You can read more about the django rest framework authentication here.
I could not comment on #shaihulud comment because I don't have up to 50 reputations. To answer the question, I wrote an article that addresses that, for anyone that might run into this problem in the future, you can find the article here
I have a simple site made with python (django). User registers, inputs some basic info and it stores it to mysql. User then is able to log in with his username/password which he created...
Now i want to add a flex application which will run once the user is logged in, but i dont want the user to have to log in twice (once into django, once into flex app). For the sake of learning i just want the flex app to also load some information from the mysql database, like the users firstname or something.
So my question is how would i go about passing session information into the flex app? Any info or guidance, or opinion would be great.
If your Python/DJango app uses cookies for tracking sessions; then you just have to make sure that your SWF is served off the same domain that the Python app is served from.
The Flash Player will pass the appropriate cookies to the remote server whenever it makes a call to that server. As long as your "Flash Call" exists in the same Application space on the server, it should have access to the same session variables available on the server.
If you want to validate the user has logged in before loading the SWF; just make a remote call from the SWF to the server side to validate that the session exists, and the user is appropriately logged in. Don't activate any of the controls in the app until you get confirmation from the server that the user is allowed to use the app.