auth: Fix up AzureAD Oauth2 docs and config.

This commit brings AzureAD config in line with other backends:
- SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET gets fetched in computed_settings.py
  instead of default_settings, consistent with github/gitlab/etc.
- SOCIAL_AUTH_AZUREAD_OAUTH2_KEY gets fetched in default_settings via
  get_secret(..., development_only=True) like other social backends, to
  allow easier set up in dev environment, in the dev-secrets.conf file.
- The secret gets renamed from azure_oauth2_secret to
  social_auth_azuread_oauth2_secret to have a consistent naming scheme with
  other social backends and with the SOCIAL_AUTH_AZUREAD_OAUTH2_KEY
  name. This is backwards-incompatible.

The instructions for setting it up are updated to fit how this is
currently done in AzureAD.

docs/overview/changelog.md

@@ -96,7 +96,11 @@ log][commit-log] for an up-to-date list of raw changes.
 
 #### Upgrade notes for 6.0
 
-- None yet.
+- Installations using the AzureAD authentication backend will need to
+  update `/etc/zulip/zulip-secrets.conf` after upgrading. The
+  `azure_oauth2_secret` secret was renamed to
+  `social_auth_azuread_oauth2_secret`, to match our other external
+  authentication methods.
 
 ## Zulip 5.x series
 

zproject/computed_settings.py

@@ -1120,6 +1120,8 @@ else:
 
 SOCIAL_AUTH_GITHUB_SECRET = get_secret("social_auth_github_secret")
 SOCIAL_AUTH_GITLAB_SECRET = get_secret("social_auth_gitlab_secret")
+SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET = get_secret("social_auth_azuread_oauth2_secret")
+
 SOCIAL_AUTH_GITHUB_SCOPE = ["user:email"]
 if SOCIAL_AUTH_GITHUB_ORG_NAME or SOCIAL_AUTH_GITHUB_TEAM_ID:
     SOCIAL_AUTH_GITHUB_SCOPE.append("read:org")

zproject/default_settings.py

@@ -76,7 +76,7 @@ SOCIAL_AUTH_GITHUB_ORG_NAME: Optional[str] = None
 SOCIAL_AUTH_GITHUB_TEAM_ID: Optional[str] = None
 SOCIAL_AUTH_GITLAB_KEY = get_secret("social_auth_gitlab_key", development_only=True)
 SOCIAL_AUTH_SUBDOMAIN: Optional[str] = None
-SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET = get_secret("azure_oauth2_secret")
+SOCIAL_AUTH_AZUREAD_OAUTH2_KEY = get_secret("social_auth_azuread_oauth2_key", development_only=True)
 SOCIAL_AUTH_GOOGLE_KEY = get_secret("social_auth_google_key", development_only=True)
 # SAML:
 SOCIAL_AUTH_SAML_SP_ENTITY_ID: Optional[str] = None

zproject/prod_settings_template.py

@@ -509,15 +509,19 @@ SOCIAL_AUTH_SAML_SUPPORT_CONTACT = {
 ##
 ## To set up Microsoft Azure AD authentication, you'll need to do the following:
 ##
-## (1) Register an OAuth2 application with Microsoft at:
-## https://apps.dev.microsoft.com
-## Generate a new password under Application Secrets
-## Generate a new platform (web) under Platforms. For Redirect URL, enter:
-##   https://zulip.example.com/complete/azuread-oauth2/
-## Add User.Read permission under Microsoft Graph Permissions
+## (1) Open "App registrations" at
+## https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
+## and click "New registration".
 ##
-## (2) Enter the application ID for the app as SOCIAL_AUTH_AZUREAD_OAUTH2_KEY here
-## (3) Put the application password in zulip-secrets.conf as 'azure_oauth2_secret'.
+## (2) In the "Redirect URI (optional)" section, select Web as the platform
+## and enter https://zulip.example.com/complete/azuread-oauth2/ as the redirect URI,
+## based on your values of EXTERNAL_HOST and SOCIAL_AUTH_SUBDOMAIN.
+##
+## (3) After registering the app, go to "Certificates & secrets" and
+## generate a new client secret. Make sure to save the generated Value.
+##
+## (4) Enter the application ID for the app as SOCIAL_AUTH_AZUREAD_OAUTH2_KEY below
+## and the generated secret Value in zulip-secrets.conf as `social_auth_azuread_oauth2_secret`.
 # SOCIAL_AUTH_AZUREAD_OAUTH2_KEY = ""
 
 ########