
Authentication with Microsoft Azure AD in a multi-tenant app

Question




Following the documentation, I registered an application with "Accounts in any organizational directory". The tenant where the application resides is "Default Directory" and has only one user, tiagomartinsperes@gmail.com. Also, the app has user assignment (as pointed out here) set to No.

After that, I created another tenant (a different directory) and invited the external user me@tiagoperes.eu. That's the user I'm having trouble logging into the previously created app with.

Then, I enabled the OAuth2 support using social_core.backends.azuread.AzureADOAuth2 (from here).

As I try to authenticate now, it works well with tiagomartinsperes@gmail.com, but with me@tiagoperes.eu it gives the following error:

> Selected user account does not exist in tenant 'Default Directory' and cannot access the application 'a9a22676-8a1c-4297-95d3-8cd89553220e' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.


Answer 1

Score: 0


The problem is the URL the user is redirected to. According to the docs, multi-tenant applications should redirect to https://login.microsoftonline.com/organizations.

As we see in the Python Social Auth AzureADOAuth2 class, the BASE_URL is

BASE_URL = "https://{authority_host}/{tenant_id}"

Since authority_host = "https://login.microsoftonline.com/" and tenant_id="common", we'd get the wrong URL.

After changing that and signing in with the same user, I now get a request to add the permissions.


Reported that issue here too.
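As an added example (not code from the original post, nor from python-social-auth or Microsoft), the Python below fills the {authority_host}/{tenant_id} template quoted in the answer for the tenant selectors the thread mentions, shows what happens to the URL when authority_host carries its own scheme, and adds the check a multi-tenant relying party needs once it points at a shared endpoint: tokens can then come from any directory, so the app must pin the tenant ("tid"), audience and issuer claims itself. The AUTHORITY_HOST value, the /oauth2/authorize path, the tenant GUIDs and the claim sets are assumptions or constructed sample data; the client id is the one from the question.

```python
from urllib.parse import urlencode

# Template quoted in the answer. The host value is an assumption that mirrors
# the library's documented default, not a copy of its source.
AUTHORITY_HOST = "login.microsoftonline.com"
BASE_URL = "https://{authority_host}/{tenant_id}"

# Tenant selectors accepted by the Azure AD endpoints.
MULTI_TENANT_ORGS = "organizations"  # any work-or-school directory (what the docs prescribe)
MULTI_TENANT_COMMON = "common"       # additionally admits personal Microsoft accounts

# Constructed sample values for the demonstration below.
CLIENT_ID = "a9a22676-8a1c-4297-95d3-8cd89553220e"          # from the question
HOME_TENANT = "11111111-1111-1111-1111-111111111111"         # constructed GUID
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"        # constructed GUID


def authority_url(tenant_id: str, authority_host: str = AUTHORITY_HOST) -> str:
    """Fill the BASE_URL template the way the AzureADOAuth2 backend does.
    Passing a host that already contains 'https://' (as the answer describes)
    yields a doubled scheme, which is the 'wrong URL' the answer refers to."""
    return BASE_URL.format(authority_host=authority_host, tenant_id=tenant_id)


def authorize_url(tenant_id: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Build the authorization request for the chosen tenant selector.
    The /oauth2/authorize path is the Azure AD v1 endpoint (assumption about
    which version the backend targets)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,  # CSRF binding; the callback must compare it to the session value
    }
    return f"{authority_url(tenant_id)}/oauth2/authorize?{urlencode(params)}"


def accept_token(claims: dict, allowed_tenants: set, client_id: str) -> bool:
    """Tenant pinning for a multi-tenant app.

    With 'organizations' or 'common' as the authority, Azure AD issues tokens
    for any directory that consents to the app, so the relying party has to
    decide which tenants it serves. Assumes the JWT signature and expiry were
    already verified against the issuing tenant's signing keys."""
    tid = claims.get("tid")
    if not tid or tid not in allowed_tenants:
        return False
    if claims.get("aud") != client_id:
        return False
    # Issuer formats Azure AD uses for v1 and v2 tokens respectively.
    expected_issuers = {
        f"https://sts.windows.net/{tid}/",
        f"https://login.microsoftonline.com/{tid}/v2.0",
    }
    return claims.get("iss") in expected_issuers


# Constructed claim sets (decoded ID-token payloads, signature already checked).
CLAIMS_HOME_TENANT = {
    "tid": HOME_TENANT,
    "aud": CLIENT_ID,
    "iss": f"https://sts.windows.net/{HOME_TENANT}/",
    "preferred_username": "me@tiagoperes.eu",
}
CLAIMS_UNKNOWN_TENANT = {
    "tid": OTHER_TENANT,
    "aud": CLIENT_ID,
    "iss": f"https://sts.windows.net/{OTHER_TENANT}/",
    "preferred_username": "someone@other.example",
}
CLAIMS_MISMATCHED_ISSUER = {
    "tid": HOME_TENANT,
    "aud": CLIENT_ID,
    "iss": f"https://sts.windows.net/{OTHER_TENANT}/",  # tid and iss disagree
}


if __name__ == "__main__":
    print(authority_url(MULTI_TENANT_ORGS))
    print(authority_url(MULTI_TENANT_COMMON, "https://login.microsoftonline.com/"))
    print(authorize_url(MULTI_TENANT_ORGS, CLIENT_ID,
                        "https://app.example/complete/azuread-oauth2/", "s3cr3t-state"))
    for name, claims in [("home", CLAIMS_HOME_TENANT),
                         ("unknown", CLAIMS_UNKNOWN_TENANT),
                         ("mismatched", CLAIMS_MISMATCHED_ISSUER)]:
        print(name, accept_token(claims, {HOME_TENANT}, CLIENT_ID))
```

The allow-list in accept_token is the piece that is easy to forget after switching the authority to a shared endpoint: fixing the redirect URL makes sign-in from other directories possible, and the same change means the app can no longer rely on the endpoint to restrict who is allowed in.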

huangapple
  • Posted on February 8, 2023 at 23:52:05
  • Please keep this link when reposting: https://go.coder-hub.com/75388347.html