How can I get the Windows username in a Vue Flask app? - python

I'm developing a web app with Flask and Vue.js (deployed on IIS) and I want to get the remote Windows username without logging in to my application. How can I do that?
I tried the following Flask REST API but it doesn't work (with the IIS configuration Authentication - Anonymous Authentication ENABLED, the result is REMOTE_USER "").
from flask import Flask, request, jsonify
app = Flask(__name__)

@app.route('/username', methods=['GET'])
def user():
    # REMOTE_USER is set by IIS only for an authenticated request
    data = request.environ.get("REMOTE_USER")
    return jsonify(data)

To get a value from REMOTE_USER, please enable Windows Authentication instead of Anonymous Authentication.
If you enable Anonymous Authentication only, IIS will never receive the REMOTE_USER request variable.
When you enable Windows Authentication, the client will always pass the authenticated user via REMOTE_USER.
You could set IE to automatic login with the current username/password, so that the client can sign in to your website automatically.
However, it is impossible to get the username without changing configuration and permissions on the client side.
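An added example (not code from the question or the answer above) showing what the endpoint sees once IIS authenticates the request: a plain WSGI handler reading the same environ that Flask exposes as request.environ, treating the empty REMOTE_USER that Anonymous Authentication leaves behind as "no user". It assumes wfastcgi copies the IIS server variables REMOTE_USER and AUTH_TYPE into the environ and that Windows Authentication reports the scheme as Negotiate or NTLM; windows_user, app and call are names chosen here.

```python
# Added example, not the question's or answer's code: a plain WSGI endpoint
# reading the same environ that Flask exposes as request.environ.
import json

# Assumption: with wfastcgi, IIS server variables (REMOTE_USER, AUTH_TYPE)
# are copied into the WSGI environ, and Windows Authentication reports the
# scheme as Negotiate or NTLM.
TRUSTED_AUTH_TYPES = {"Negotiate", "NTLM"}


def windows_user(environ):
    """Return (domain, name) for an IIS-authenticated request, else None.

    Anonymous Authentication leaves REMOTE_USER as "", which is treated
    exactly like a missing variable.
    """
    remote_user = environ.get("REMOTE_USER", "")
    if not remote_user or environ.get("AUTH_TYPE") not in TRUSTED_AUTH_TYPES:
        return None
    # IIS normally reports DOMAIN\user; a value without a backslash is
    # returned with an empty domain rather than guessed at.
    domain, sep, name = remote_user.partition("\\")
    return (domain, name) if sep else ("", remote_user)


def app(environ, start_response):
    """WSGI handler for GET /username."""
    user = windows_user(environ)
    if user is None:
        # No authenticated identity: answer 401 instead of returning "".
        payload, status = {"error": "no authenticated Windows user"}, "401 Unauthorized"
    else:
        payload, status = {"domain": user[0], "username": user[1]}, "200 OK"
    start_response(status, [("Content-Type", "application/json")])
    return [json.dumps(payload).encode()]


def call(environ):
    """Invoke the handler in-process; returns (status, decoded JSON body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    body = b"".join(app(environ, start_response))
    return seen["status"], json.loads(body.decode())
```

The environ dicts passed to call() below stand in for what IIS would populate; under Anonymous Authentication the result is the 401 branch.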

Related

Spotipy redirect URI opening on server instead of user's browser?

I built a web app using Django and the wrapper for the Spotify API, Spotipy, and deployed it to Heroku. The problem I am facing is that the redirect URI opens on the machine running the code, which in this case is the Linux server used by Heroku. Because of this, the user never actually sees the page prompting them to authenticate the app and log in to their Spotify accounts, resulting in a request timeout from Heroku. This happens when my REDIRECT_URI is set to http://localhost/. I have tried to set the REDIRECT_URI to https://nameofmyapp.herokuapp.com, which then resulted in an EOFError from the Spotipy module. I have not been able to find a solution for this. For context, my authentication flow is set up as follows:
import spotipy
import spotipy.oauth2

# env() is the poster's settings helper (not shown)
def index(request):
    cache_handler = spotipy.DjangoSessionCacheHandler(request=request)
    auth_manager = spotipy.oauth2.SpotifyOAuth(
        env("CLIENT_ID"), env("CLIENT_SECRET"), env("REDIRECT_URI"),
        scope=env("SCOPE"), cache_handler=cache_handler)
    session = spotipy.Spotify(
        oauth_manager=auth_manager, requests_session=True)

Django Oauth Toolkit as SSO server

I want to know whether we can use Django OAuth Toolkit (DOT) as an SSO server.
I am using Django Rest Framework in the backend.
Steps I need to achieve:
1. On clicking the Login button in the client server, it redirects to the server asking to authorise.
2. If already logged in, it will return the auth code.
3. If not logged in, open the login prompt.
4. On successful login, step 2 will follow.
Thanks.
Yes, DOT supports OpenID Connect, so you can set it up as an SSO server.
Once configured, your server should have the o/authorize endpoint where you can redirect your clients when logging in. DOT will handle the authorization request for you (steps 2-4).
With the authorization code, DOT also provides the o/token endpoint for access and ID token requests as well.

Azure AD access token validation at Python web API with respect to client app

I am using Azure for hosting a web app and a web API.
Environment configuration:
Web API: developed using Django, deployed/hosted on a Linux VM
Web app: developed using Angular2, deployed/hosted on App Service
For authentication I am using the OAuth2 protocol.
App registration details for OAuth2
Under single tenant: "my-tenant-id-121"
Registered the web API and provided access_as_user permissions
here suppose app_id/client_id: "my-api-id-123"
App URI: 'api://my-api-id-123'
scope: 'api://my-api-id-123/access_as_user'
A client secret is generated but not used.
Registered the web app and provided basic details, redirect URI etc.
here suppose webapp app_id/client_id: "my-webapp-id-123"
Under app registration, provided API access permissions for the above registered API using API permissions
Authentication:
Client (web app): using the ng2-adal library
Resource (web API): using the Python "jwt" library for access token validation
I have done all the configuration; after authentication I am getting an id_token for the web app and an access_token for the Postman client.
Token validation:
I am validating the access token at the API side, which I am receiving through the Authorization header.
I have followed all the references available; through jwt.verify() my token is getting validated. Here I am also validating the audience: for the id_token it is aud: client_app_id, and when using Postman I am specifying the scope, in that case aud: "api://my-api-id-123".
Here comes the main part:
While following the whole process I never used the registered web API app_id, i.e. "my-webapp-id-123", anywhere.
Then how come the client app is getting authenticated and the access token is getting validated?
Also, I tried to remove the linking between the web app and the web API in the Azure app registration and tried to authenticate. In both cases I received a token and validated it at the API side.
My questions are:
Why do we need to register the web API at app registration on Azure, as it is not getting used?
In my current scenario, which part am I missing? My concern is that if I remove the linking (on Azure, at the client app under API permissions) between "client_app" and "api_app", the access_token/id_token retrieved at the client app should not get validated at the web API.
Thanks in advance.

Using Azure AD to authenticate a React application and a backend application (Python)

I am able to authenticate the React app with AAD and I am able to get the access token.
I have the following questions:
My backend is in Python Flask (web APIs). How do I make sure that every request sent by the React app is also authenticated with the same token?
Should I register a different application for the backend (Python Flask) or can I use the client ID of the same frontend application?
If I am passing the token in the header while calling every API request from the frontend, how will the backend verify that the token is valid? Also, should it verify every API request?
I have seen multiple options like the flask-azure-oauth library and some other libraries. For the frontend I have tried the ADAL and MSAL libraries.
In the frontend make sure you append the accessToken to each of your HTTP requests, e.g. by writing a common HTTP module and using it across the React app. And to make sure your app is authenticated with the same token you need to wrap the React app with adal or MSAL or react-adal.
You have to use the same client ID that was used in the React app in your Python backend in order to verify the token you're sending in the API request.
You need to add a before_request hook in Flask and verify the accessToken you receive in the request. reference link
You can also check the react-adal package for AAD authentication.
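An added example, not code from either of the two Azure AD questions above, of the claim checks an API runs after the token signature has been verified against the tenant's JWKS (the jwt.verify() step the first question describes). It uses the placeholder identifiers from that question (tenant "my-tenant-id-121", API "my-api-id-123" with App ID URI api://my-api-id-123, client "my-webapp-id-123"), and it shows why the API needs its own registration: only a token whose audience is the API passes, so an id_token issued to the client app is rejected even though its signature is valid. validate_claims and the constant names are chosen here; the issuer formats assume the standard v1 and v2 Azure AD endpoints.

```python
# Added example, not code from the questions above: post-signature claim
# validation for an Azure AD access token presented to the web API.
import time

# Placeholder identifiers taken from the question above.
TENANT_ID = "my-tenant-id-121"
API_CLIENT_ID = "my-api-id-123"
API_APP_ID_URI = "api://my-api-id-123"
# Azure AD v1 tokens carry the App ID URI as aud, v2 tokens the client ID.
ACCEPTED_AUDIENCES = {API_APP_ID_URI, API_CLIENT_ID}
ACCEPTED_ISSUERS = {
    f"https://sts.windows.net/{TENANT_ID}/",                # v1 endpoint
    f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",  # v2 endpoint
}


def validate_claims(claims, required_scope="access_as_user", now=None):
    """Return a list of problems; an empty list means the token is usable.

    `claims` is the already signature-verified payload (a dict). Every
    check is run so that a log line can show everything that was wrong.
    """
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    # aud may be a string or a list (RFC 7519); normalise to a set.
    audiences = set(aud) if isinstance(aud, list) else {aud}
    if not audiences & ACCEPTED_AUDIENCES:
        problems.append(f"audience {sorted(map(str, audiences))} is not this API")
    if claims.get("iss") not in ACCEPTED_ISSUERS:
        problems.append("issuer is not the expected tenant")
    if claims.get("tid") != TENANT_ID:
        problems.append("tid does not match the tenant")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    if claims.get("nbf", 0) > now:
        problems.append("token not yet valid")
    # Delegated tokens list the granted scopes space-separated in scp.
    scopes = set(claims.get("scp", "").split())
    if required_scope not in scopes:
        problems.append(f"missing scope {required_scope}")
    return problems
```

Removing the API permission on the client registration in the portal does not invalidate a token already issued; the audience and scope checks here are what keep a token minted for a different audience out of this API.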

Administrator has not consented to use the application -- Azure AD

I am trying to obtain a token from Azure AD from a Python client application. I want users to seamlessly authenticate with just a username and password (client_id/secret will be embedded in the app). I registered my app, gave it all permissions and hit the "grant permissions" button in the new portal according to this post:
The user or administrator has not consented to use the application - Send an interactive authorization request for this user and resource
I am sending an HTTP POST to:
https://login.microsoftonline.com/{tenant_id}/oauth2/token
with the following data:
headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}
# ROPC request body; app_id_uri, user, password, client_id and client_secret
# are set elsewhere in the app
body = "resource={0}&grant_type=password&username={1}&password={2}&client_id={3}&client_secret={4}&scope=openid".format(
    app_id_uri, user, password, client_id, client_secret)
I cannot seem to get past this error no matter what I try:
b'{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID \'078c1175-e384-4ac7-9116-efbebda7ccc2\'. Send an interactive authorization request for this user and resource.
Again, my goal:
User enters user / pass and nothing else. App sends user / pass / client_id / client_secret, obtains token.
According to your comment:
The message I'm receiving says to do an interactive request, but that is exactly what I'm trying to avoid, because this is a Python app with no web browser and I'm trying to avoid complexity.
I think you want to build a daemon app or an app-only application integrating with Azure AD. You can refer to https://graph.microsoft.io/en-us/docs/authorization/app_only for a general introduction.
Furthermore, you can leverage ADAL for Python to implement this functionality with ease. Also, you can refer to client_credentials_sample.py for a quick start.
You should try logging in as an admin to be able to give consent to use the application on your tenant at all.
