| From: | Asmita Thapliyal <asmita(dot)thapliyal(at)gmail(dot)com> |
|---|---|
| To: | Yogesh Mahajan <yogesh(dot)mahajan(at)enterprisedb(dot)com> |
| Cc: | "pgadmin-support lists(dot)postgresql(dot)org" <pgadmin-support(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: OAUTH2 Problem with AzureAD |
| Date: | 2022-04-20 12:47:10 |
| Message-ID: | CAMgBNbE_JYObMSehmYNKiMkX2eiWB9UVTVzq5DKhXTOYfEqjGQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgadmin-support |
Hello Yogesh,
Done.
https://redmine.postgresql.org/issues/7325
Meanwhile, can the below change easily be incorporated in code to check if
it works? if yes, then could you provide me the details.
Also, the profile returned by Azure AD has the key 'mail' and current
pgadmin code checks the value with key = 'email' to retrieve user email id.
Regards,
Asmita
On Wed, Apr 20, 2022 at 5:03 PM Yogesh Mahajan <
yogesh(dot)mahajan(at)enterprisedb(dot)com> wrote:
> Hi,
>
> I was able to reproduce the issue.
> Below change is required in configuration -
>
> # Name of the Endpoint, ex: user
>
> 'OAUTH2_USERINFO_ENDPOINT': 'me',
>
> And
> Also, the profile returned by Azure AD has the key 'mail' and current
> pgadmin code checks the value with key = 'email' to retrieve user email id.
> Could you please raise a feature request to support Azure AD
> authentication here <https://redmine.postgresql.org/projects/pgadmin4>?
> This will be fixed in the next release.
>
> Thanks,
> Yogesh Mahajan
> EnterpriseDB
>
>
> On Wed, Apr 20, 2022 at 2:58 PM Khushboo Vashi <
> khushboo(dot)vashi(at)enterprisedb(dot)com> wrote:
>
>> Hi,
>>
>> On Tue, Apr 19, 2022 at 11:30 PM Asmita Thapliyal <
>> asmita(dot)thapliyal(at)gmail(dot)com> wrote:
>>
>>> Hello!
>>>
>>> I have configured OAUTH2 with azure ad with below config
>>>
>>> 'OAUTH2_NAME': "azure",
>>>
>>> # The display name, ex: Google
>>>
>>> 'OAUTH2_DISPLAY_NAME': 'MS Azure',
>>>
>>> # Oauth client id
>>>
>>> 'OAUTH2_CLIENT_ID': '<ID>',
>>>
>>> # Oauth secret
>>>
>>> 'OAUTH2_CLIENT_SECRET': '<SECRET>',
>>>
>>> # URL to generate a token,
>>>
>>> # Ex: https://github.com/login/oauth/access_token
>>>
>>> 'OAUTH2_TOKEN_URL': 'https://login.microsoftonline.com/
>>> <TENANT-ID>/oauth2/v2.0/token',
>>>
>>> # URL is used for authentication,
>>>
>>> # Ex: https://github.com/login/oauth/authorize
>>>
>>> 'OAUTH2_AUTHORIZATION_URL': 'https://login.microsoftonline.com/
>>> <TENANT-ID>/oauth2/v2.0/authorize',
>>>
>>> # Oauth base url, ex: https://api.github.com/
>>>
>>> 'OAUTH2_API_BASE_URL': 'https://graph.microsoft.com/v1.0',
>>>
>>> # Name of the Endpoint, ex: user
>>>
>>> 'OAUTH2_USERINFO_ENDPOINT': 'profile',
>>>
>>> # Oauth scope, ex: 'openid email profile'
>>>
>>> # Note that an 'email' claim is required in the resulting
>>> profile
>>>
>>> 'OAUTH2_SCOPE': 'User.Read email openid profile',
>>>
>>> # Font-awesome icon, ex: fa-github
>>>
>>> 'OAUTH2_ICON': 'fa-github',
>>>
>>> # UI button colour, ex: #0000ff
>>>
>>> 'OAUTH2_BUTTON_COLOR': None,
>>>
>>>
>>> After testing I found below error
>>>
>>>
>>> requests.exceptions.HTTPError: 400 Client Error: Bad Request for url:
>>> https://graph.microsoft.com/profile
>>>
>>> 2022-04-19 14:34:38,717: INFO werkzeug: 49.37.172.20 - -
>>> [19/Apr/2022 14:34:38] "*GET
>>> /oauth2/authorize?code=0.ARsA3jZYM-9CokOxRTSMLunKW_3a3dHcJP5MrfqQQJh5-YcbAAA.AQABAAIAAAD--DLA3VO7QrddgJg7Wevrdrp6mz5VUBPbc2M4Bs4hmaPP7YfekSA8Yt9vmf1zMQFku0U1U1xfWkuaKw8eFQjW9sNkh1-Gl6XaDfqOV6NQ0dAxvBNW5K_GOC9VChtUG_s8DXVKvZ05dvryfX1K-NUgDFoXiSU7Xmyc40UWiIr1fBse7PLdvaFDL4KmUbO4Ivm6j7fuh3l0Q5sB-lMB56NmbV9NCDSoy-ccbnGwm-2pVN42HErVzE9b8P0Gowba3QWfNUvLSmbkbVv_UQHnQ2jgZfNK7oPcggZJojU8biYXJN6KcpOL7eQmP1oUjhUafRJw5TLr5LSSYGHbXVmL7zgJ7RCuWBJAS_VSrYr5hMaRhvxBMLgC6bwQmI8euv_hC9GZ0vmxqNY6T11M72Ye8NkQrA_5zM9qPiFh1bZCsLyllkxN1LCgfEI_t--qiq0N2dd-SL2hE23VUAk5Wen_nwwjJQBKTpuE4v7BwjOwfpPqniNq2xLqALaXaBZfmjmGCjfrVHlw4e5ADsxU0VBY4eH7BiKwye7o8AQdJC7w39Y8VteOJTLvCw5y0hPALIpzlCQtUtBhHjrKpzEPqgpZWfb55JSZ45YtjbZENcXyQk_sdRRo4SqNJxqU5W9yqcyY53PbtfzX0LTRTJ9FAfc5uqlgksyMcxZaXLcONWYocB1oGjaRTBbl7kZFZRScHzKNVQbXsnQVAURe3lesqOzlv--QtfMZHfYPA6igkryni8xPKETI9UyL0mRLTbxHOHZFvt0faNcvM1uCLiavNDgw4EkBljbLDDMIdCLrfOvSaIsMJA6vzRmFODq00iAZYIfqxQcgAA&state=ZmClT3NK4XExYAP8NQrdp5zIMaoM4m&session_state=ee30bdda-dd80-4ab9-aeee-1c61b8ffa63c
>>> HTTP/1.1*" 500 -
>>>
>>> 2022-04-19 14:34:38,722: ERROR werkzeug: Error on request:
>>>
>>
>> Looks like the profile fetch request is giving this error.
>> Can you please check whether OAUTH2_API_BASE_URL is correct or not.
>> Also try, OAUTH2_API_BASE_URL = *https://graph.microsoft.com/v1.0
>> <https://graph.microsoft.com/v1.0>/ (put / at the end)*
>>
>> Thanks,
>> Khushboo
>>
>>
>>>
>>> I tried to print response, this is the one, not sure what does it mean
>>> by Invalid version. I tried to change accesstokenversion in azure ad but
>>> received same issue.
>>>
>>>
>>> {'error': {'code': 'BadRequest', 'message': 'Invalid version.',
>>> 'innerError': {'date': '2022-04-19T14:34:38', 'request-id':
>>> 'c2da3799-bab5-4c38-a485-78cf7b74567c', 'client-request-id':
>>> 'c2da3799-bab5-4c38
>>>
>>> -a485-78cf7b74567c'}}}
>>>
>>>
>>> Any clue? or is there a way I can check more details of innerError?
>>>
>>>
>>> Regards,
>>>
>>> Asmita
>>>
>>>
>>> Regards,
>>>
>>> Asmita
>>>
>>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Yogesh Mahajan | 2022-04-21 05:38:38 | Re: OAUTH2 Problem with AzureAD |
| Previous Message | Yogesh Mahajan | 2022-04-20 11:33:22 | Re: OAUTH2 Problem with AzureAD |