auth: Fix up AzureAD Oauth2 docs and config.

This commit brings AzureAD config in line with other backends:
- SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET gets fetched in computed_settings.py
  instead of default_settings, consistent with github/gitlab/etc.
- SOCIAL_AUTH_AZUREAD_OAUTH2_KEY gets fetched in default_settings via
  get_secret(..., development_only=True) like other social backends, to
  allow easier set up in dev environment, in the dev-secrets.conf file.
- The secret gets renamed from azure_oauth2_secret to
  social_auth_azuread_oauth2_secret to have a consistent naming scheme with
  other social backends and with the SOCIAL_AUTH_AZUREAD_OAUTH2_KEY
  name. This is backwards-incompatible.

The instructions for setting it up are updated to fit how this is
currently done in AzureAD.
This commit is contained in:
Mateusz Mandera 2022-09-05 13:30:17 +02:00 committed by Tim Abbott
parent 3826fc8af9
commit 16829bd84b
4 changed files with 20 additions and 10 deletions

View File

@ -96,7 +96,11 @@ log][commit-log] for an up-to-date list of raw changes.
#### Upgrade notes for 6.0 #### Upgrade notes for 6.0
- None yet. - Installations using the AzureAD authentication backend will need to
update `/etc/zulip/zulip-secrets.conf` after upgrading. The
`azure_oauth2_secret` secret was renamed to
`social_auth_azuread_oauth2_secret`, to match our other external
authentication methods.
## Zulip 5.x series ## Zulip 5.x series

View File

@ -1120,6 +1120,8 @@ else:
SOCIAL_AUTH_GITHUB_SECRET = get_secret("social_auth_github_secret") SOCIAL_AUTH_GITHUB_SECRET = get_secret("social_auth_github_secret")
SOCIAL_AUTH_GITLAB_SECRET = get_secret("social_auth_gitlab_secret") SOCIAL_AUTH_GITLAB_SECRET = get_secret("social_auth_gitlab_secret")
SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET = get_secret("social_auth_azuread_oauth2_secret")
SOCIAL_AUTH_GITHUB_SCOPE = ["user:email"] SOCIAL_AUTH_GITHUB_SCOPE = ["user:email"]
if SOCIAL_AUTH_GITHUB_ORG_NAME or SOCIAL_AUTH_GITHUB_TEAM_ID: if SOCIAL_AUTH_GITHUB_ORG_NAME or SOCIAL_AUTH_GITHUB_TEAM_ID:
SOCIAL_AUTH_GITHUB_SCOPE.append("read:org") SOCIAL_AUTH_GITHUB_SCOPE.append("read:org")

View File

@ -76,7 +76,7 @@ SOCIAL_AUTH_GITHUB_ORG_NAME: Optional[str] = None
SOCIAL_AUTH_GITHUB_TEAM_ID: Optional[str] = None SOCIAL_AUTH_GITHUB_TEAM_ID: Optional[str] = None
SOCIAL_AUTH_GITLAB_KEY = get_secret("social_auth_gitlab_key", development_only=True) SOCIAL_AUTH_GITLAB_KEY = get_secret("social_auth_gitlab_key", development_only=True)
SOCIAL_AUTH_SUBDOMAIN: Optional[str] = None SOCIAL_AUTH_SUBDOMAIN: Optional[str] = None
SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET = get_secret("azure_oauth2_secret") SOCIAL_AUTH_AZUREAD_OAUTH2_KEY = get_secret("social_auth_azuread_oauth2_key", development_only=True)
SOCIAL_AUTH_GOOGLE_KEY = get_secret("social_auth_google_key", development_only=True) SOCIAL_AUTH_GOOGLE_KEY = get_secret("social_auth_google_key", development_only=True)
# SAML: # SAML:
SOCIAL_AUTH_SAML_SP_ENTITY_ID: Optional[str] = None SOCIAL_AUTH_SAML_SP_ENTITY_ID: Optional[str] = None

View File

@ -509,15 +509,19 @@ SOCIAL_AUTH_SAML_SUPPORT_CONTACT = {
## ##
## To set up Microsoft Azure AD authentication, you'll need to do the following: ## To set up Microsoft Azure AD authentication, you'll need to do the following:
## ##
## (1) Register an OAuth2 application with Microsoft at: ## (1) Open "App registrations" at
## https://apps.dev.microsoft.com ## https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
## Generate a new password under Application Secrets ## and click "New registration".
## Generate a new platform (web) under Platforms. For Redirect URL, enter:
## https://zulip.example.com/complete/azuread-oauth2/
## Add User.Read permission under Microsoft Graph Permissions
## ##
## (2) Enter the application ID for the app as SOCIAL_AUTH_AZUREAD_OAUTH2_KEY here ## (2) In the "Redirect URI (optional)" section, select Web as the platform
## (3) Put the application password in zulip-secrets.conf as 'azure_oauth2_secret'. ## and enter https://zulip.example.com/complete/azuread-oauth2/ as the redirect URI,
## based on your values of EXTERNAL_HOST and SOCIAL_AUTH_SUBDOMAIN.
##
## (3) After registering the app, go to "Certificates & secrets" and
## generate a new client secret. Make sure to save the generated Value.
##
## (4) Enter the application ID for the app as SOCIAL_AUTH_AZUREAD_OAUTH2_KEY below
## and the generated secret Value in zulip-secrets.conf as `social_auth_azuread_oauth2_secret`.
# SOCIAL_AUTH_AZUREAD_OAUTH2_KEY = "" # SOCIAL_AUTH_AZUREAD_OAUTH2_KEY = ""
######## ########