Develop Reference

Get user username/email after webapp SSO authentification (Azure WebApp)

I have an Azure Webapp running a Docker container (with Python & streamlit). I have secured the access to this webapp by adding a Microsoft SSO allowing only users from my organization to access the application.
On top of this, I would like to get the username or email of the user after the authentication so I can give the users differents levels of access inside the webapp. I have searched through the vast Microsoft documentation but I was not able to find my way through it. Is someone able to put me on the right path to tackle this problem?
For now, I have namely tried to follow the following documentation:
https://learn.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/aad/app-aad-token hoping that I could access the user email with the authentication token from the Azure directory.
But I am stuck with an error that I was not able to solve:
Error 401: "An error of type 'invalid_resource' occurred during the login process: 'YYYYYYYY: The resource principal named xxxxxxxxxxxx was not found in the tenant named tenant_name. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant."
I am now doubting that what I am trying to achieve is even possible. Any help would be appreciated.
Best, clank

• It is aptly written in the documentation link that you have stated that your application should have admin access and its consent for accessing the APIs in Azure databricks. Thus, as per the error statement that you are encountering, it might be that your application might not have the correct permissions to access the respective resources based on its assigned service principal.
• Also, please take note of the token issued by the Azure AD when queried a test application created wherein when decoded on ‘jwt.io’ clearly states the information regarding the user including its email address. This access token issued using authorization code flow as stated in the documentation link connects to the application created successfully but the application fails to decode the token and use the information of the user in it for allowing the user to access its resources. The application fails to decode the token because required MSAL library redirection and resource files were missing at the location of App redirect URI. Similarly, you are trying to access email address from the issued access token and use it for giving varying levels of access in the application which is not possible as the token even if intercepted in between would not be able to access user information from it since it is encrypted using the SSL key certificate and the base 64 encoding.
• To provide access to your users in varying degrees, please refer the below documentation link which describes how you can leverage dynamic groups and Azure AD conditional access policies for your requirement.
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-access-management

How to create an API with a "remember me" function in Flask?

I'm going to build an API in Flask for a (to be created) app which will be built using PhoneGap. In the API many calls will need authentication.
To get into the topic I was reading this tutorial on creating authentication for a Flask-built API. In this tutorial they first show how a user can use basic password authentication for every call, after which token based authentication is introduced.
As far as I understand, the client who calls the API should simply get a token and authenticate every subsequent call with that. In the meantime, the client should keep track of time and either get a new token every 9 minutes (before the old token expires) or simply keep on calling with the token until the client gets an Unauhorized Access message. Am I understanding this correctly?
Moving on, I wonder how it works with Apps on which you login on your phone and then are always logged in whenever you open the app (like for example the Facebook app). This is obviously more convenient to the user than always needing to provide the username/password and I would like to implement something like that as well. I wonder though; how is a permanent logged in feature like this implemented on the server side? Is it done by providing the password and username for every call, or using a never expiring token, or yet a different way?
All tips are welcome!

I've done what you want to do with:
Flask-security https://pythonhosted.org/Flask-Security/:
To manage users and permissions.
Flask-oauth-lib https://flask-oauthlib.readthedocs.org/en/latest/:
Provide oauth functionnality.
So, you have to take a look at Oauth flow, implements a user backend (like Flask-security) and implements an oauth server (with flask oauth lib for example) and bind it to your user backend.
After that, it's oauth standard flow. You just have to give the right token on each api calls and TADA !
With this way you can also, if you want, give access to your api to third-party app thanks to oAuth :)

Migrate users from Google App Engine to Google OpenID

I migrated away from Google App Engine several months ago. But I am still relying on it for authentication, because my users are identified by their user_id attribute on GAE.
For this purpose my (now external) applications redirect the user to a Google App Engine application using a encrypted, signed and timestamped login request. The GAE application then performs the login using GAE's "Users" service. After successfully being logged-in on GAE, the user is again redirected using a encrypted, signed and timestamped response to my external application.
The rudimentary implementation can be found here and here. As you can see, this is very basic and relies on heavy crypto that leads to bad performance.
My external applications, in this case Django applications, are storing the user_id inside the password field of the user table. Besides the user_id, I only get the email address from GAE to store username and email in Django.
Now I would like to remove the dependency on the GAE service. The first approach which comes to mind would probably be to send an email to each user requesting him to set a new password and then perform my own authentication using Django.
I would prefer a solution which relies on Google's OpenID service so that there is actually no difference for the user. This is also preferred, because I need to send the user to Google anyway to get AuthSub tokens for the Google Calendar API.
The problem is that I couldn't find a way to get the GAE user_id attribute of a given Google Account without using GAE. OpenID and all the other authentication protocols use different identifiers.
So now the question is: Does Google provide any API I could use for this purpose which I haven't seen yet? Are there any other possible solutions or ideas on how to migrate the user accounts?
Thanks in advance!

The best way to do this is to show users a 'migration' interstital, which redirects them to the Google OpenID provider and prompts them to sign in there. Once they're signed in at both locations, you can match the two accounts, and let them log in over OpenID in future.

AFAIK, the only common identifier between Google Accounts and Google OpenID is the email.
Get email when user logs into Google Account via your current gae setup. Use User.email(). Save this email along with the user data.
When you have emails of all (most) users, switch to Google OpenID. When user logs in, get the email address and find this user in the database.

Why don't you try a hybrid approach:
Switch to OpenId
If your application already knows the userId, you are done
If not ask the user, if he has an account to migrate
If yes, log him in with the old mechansim and ttransfer the acount
If not create a new account

Google has a unique identifier that's returned as a parameter with a successful OpenID authentication request - *openid.claimed_id* . If you switch to using OpenID you could essentially exchange the user_id for this parameter the first time a user logs in using the new method without the user noticing anything different about their login experience.
Documentation for the authentication process is outlined here. I'd recommend using the hybrid OpenID+OAuth approach so that you can associate your request token with a given id, then, upon return, verify that the openid.claimed_id matches your original request token.

Get All Domain users in Google App Engine

I want to get the list of all the users for the domain on a GAE app (using python). When I hit this URL https://apps-apis.google.com/a/feeds/domain/user/2.0 . I get an authorization error. How can I authenticate for this GET hit.

You'll need to use the Provisioning API, and you'll need to authenticate via OAuth first

To expand on the answer from Chris, prepare for a bit of pain around authentication. You have four options for read-only access, and one if you need read/write:
Marketplace authorization: if your app is on the Google Marketplace and a domain admin added you to the domain, you can use your app's Google Marketplace keys to access the provisioning API in read-only mode.
Domain OAuth: if you can get the domain admin to make a configuration change for you, your app can use the domain-wide OAuth keys for read-only access.
3-legged OAuth: if you are dealing with a superadmin user, you can request that they grant you temporary right to access the API in read-only mode.
Programmatic Login: lastly, you can ask them to give you an admin account username and password to login into the provisioning API. This is the only mechanism that will give you the ability to change anything.

Simple registration+login using OAuth 2.0

I am a bit confused about OpenID OAuth stuff.
(by OAuth - i mean OAuth 2.0 here and later)
My target is to create a site with OpenID (or OAuth) auth as well as with legacy
email + password auth. The site will be on django framework. (python)
I understand difference between OAuth and OpenID and diff between authorization and authentification.
My primary goal is to implement openid login with google as identity provider.
The login and register flow must be just like on many sites.
As i see:
register scenario:
1) user enters openid url (clicks google button)
2) user gets redirected to auth provider ( google )
page says:
"Awesome site" ask for your:
email, language, country...
3) user says yes.. gets redirected back
behind the scenes "Awesome site"
retries email language and other user info
using access token
4) User fill other stuff needed in profile..
and this is it.. hes now registered.
Login scenario:
1) user enters openid url (clicks google button)
1.a) if user already logged in on auth provider
hmm... it is unclear to me.. but somehow user
get logged in without displaying a provider page (maybe it is closes fast? )
1.b) if the user not logged on provider
then provider displays login page and redirect back
to awesome site on success.
Because i have to get some user data
it is seem to me that i have to use:
OAuth or Hybrid ( OpenID + OAuth extentions )
protocol.
The things that are not clear to me:
How do i get scopes for info i need..
i searched but cant find.. found on someones blog
"https://www.googleapis.com/auth/userinfo#email" for email
but how about user language, country.. etc.. where it is documented ?
If i will use OAuth - will it be enough
to do both - the registration and login
or i will have to fetch user data wuth OAuth
and login with OpenID?
Is it ok to use OAuth 2.0 in my scenario ?
or it will be more simple to use 1.0 because i dont need
user data anymore after initial account registration ?
(i think 1.0 is more complex because it has 3 phases ..
but 2.0 is more complex because access token expires.. but
expiration wont be a problem in my scenario as i don't need user data
after registration)
There are few libs lying out there:
while reading google api docs i found:
google-api-python-client
openid-python-openid
gdata-python-client
( supposed to be api to google services dont know if it has oauth in it
hm.. according to this http://code.google.com/intl/ru/apis/gdata/docs/auth/oauth.html
it have oauth in it
)
python-oauth-client (http://code.google.com/p/python-oauth-client/)
i though thats a lot but then found:
http://your-move.appspot.com ( source files: https://github.com/sje397/Chess )
which seems to be using google.app.engine lib
from google.appengine.api import users
So which one to choose ?
So far i came that the simplest implementation would be:
Like this:
http://code.google.com/p/google-api-python-client/source/browse/samples/oauth2/django_sample/buzz/views.py
But lines 38-44: in my case would fetch user email language and other stuff (and also i will use other scope .. line 29 )
for a new registered user.. or if it is registered user just ignore credential and delete it. ( continue with the site session )
Am i wrong ?
I saw so many implementation on libs mentioned above that i doubt that i am right.
And also another question:
my fallback legacy auth will use email as login..
If an identity provider is email provider ( google )..
When user tries to log in i can fetch email from provider.. and search
email fetched from provider in database.. so i can find user.
What if identity provider not an email provider:
like facebook ? How i will search user in database ?

In my opinion, OpenID and OAuth 2.0 are two different concepts.
OpenID as its name explained mainly focused in manage Identity. So it is more like a framework or protocol to manage User Identity.
OAuth 2.0 was designed to provide a protocol which can make internet based applications manage authorization with some third party Authorization Providers. I do suggest you go through the IEFT OAuth 2.0 Spec before get your hand dirty. You can as well find some good information in this article A simplified explanation of OAuth2.0
Seems you wish your own website can handle user authorization by itself, that means in OAuth 2.0 area your own website is an AuthorizationServer.
To you question:
The scope are provided by the Authorization Provider, please refer to their documentation.
OAuth only provide the framework for authorizing your Web APP to access the Resource Owner's protected information. For the google example, the end user who authorize your app to access his/her protected information are still a google user unless your Web APP automatically create a user account for him/her in your own user account database - I think this step is what you mean Registration. OAuth doesn't cover anything about registration because it is out of the scope of authorization.
In you scenario you still have your own account database and wish users can authenticate themselves with username and password. OAuth 2.0 really can handle this scenario if you implement your own AuthorizationServer and use the “Resource Owner Password Credentials” auth flow.
I am not python guy, but I can tell you before you evaluate these libs you must understand different roles defined in OAuth 2.0 spec. Some of the libs play Authorization Server role, some play Resource Server role.

Why not just use the library, that does all the hard work of integrating with the open-id providers.
You can use SocialAuth, or any one of the other auth packages with similar functionality.

I would recommend not using Google or Facebook (or even worst Twitter) for testing OAuth/OpenID login as their setup is confusing, the scope is not clearly documented and requires SSL even on local to test. Instead I would suggest Github as it's more developer-friendly. SimpleLogin is also a good option (Disclaimer: I'm SimpleLogin founder) as it whitelists by default localhost to facilitate local development. Its doc is on https://docs.simplelogin.io.
If you want to learn more about OAuth/OpenID I think it's better to implement the redirection and callback yourself. Later it's better to use library to handle this though as they follow more closely the protocol. A very good article on this topic for Django is https://scotch.io/tutorials/django-authentication-with-facebook-instagram-and-linkedin.