From 2a1da859ea85f90773fde65d32a1d95d2ad548de Mon Sep 17 00:00:00 2001
From: Mateusz Mandera
Date: Sat, 14 Oct 2023 01:08:34 +0200
Subject: [PATCH] auth: Update AzureADAuthBackend to use the newer Microsoft API.
As detailed in the comment in the code: The upstream implementation uses the outdated /oauth2/authorize API (instead of the v2.0 API), which doesn't allow us to authenticate users with just a personal Microsoft account. v2.0 API is required. This requires us to override the default URLs to use it as well as adjust the requested scopes, to match this new API. The backend in its previous state was only able to authenticate users that were tied to an organizational directory, even if the application settings in Azure were set up to also allow personal accounts. Users trying to use a personal account would face an error from Microsoft: AADSTS500200: User account 'xxxx@example.com' is a personal Microsoft account. Personal Microsoft accounts are not supported for this application unless explicitly invited to an organization https://github.com/python-social-auth/social-core/issues/723 is a related upstream issue.
---
 zproject/backends.py | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/zproject/backends.py b/zproject/backends.py
index d7ae8c28ba..ff27c2a497 100644
--- a/zproject/backends.py
+++ b/zproject/backends.py
@@ -2229,6 +2229,15 @@ class GitHubAuthBackend(SocialAuthMixin, GithubOAuth2):
 @external_auth_method
 class AzureADAuthBackend(SocialAuthMixin, AzureADOAuth2):
+ # The upstream implementation uses the outdated /oauth2/authorize
+ # API (instead of the v2.0 API), which doesn't allow us to authenticate
+ # users with just a personal Microsoft account. v2.0 API is required.
+ # This requires us to override the default URLs to use it as well
+ # as adjust the requested scopes, to match this new API.
+ AUTHORIZATION_URL = "{base_url}/oauth2/v2.0/authorize"
+ ACCESS_TOKEN_URL = "{base_url}/oauth2/v2.0/token"
+ DEFAULT_SCOPE = ["User.Read profile openid email"]
+
 sort_order = 50
 name = "azuread-oauth2"
 auth_backend_name = "AzureAD"
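Review bot: The new `DEFAULT_SCOPE` packs four scopes into a single string, `["User.Read profile openid email"]`, whereas social-core treats `DEFAULT_SCOPE` as a list of individual scopes and joins them with the backend's scope separator, so this only works as long as that separator happens to be a space and it misleads anyone merging or auditing the requested scopes. Prefer `DEFAULT_SCOPE = ["User.Read", "profile", "openid", "email"]`, which yields the same request while making each granted permission explicit. The two overridden URLs keep the `{base_url}` placeholder that the upstream backend appears to substitute when it builds the authorization and token URLs; a short comment on those lines, e.g. `# {base_url} is filled in by the upstream backend from its BASE_URL setting`, would make clear that the placeholder is deliberate and must be preserved. The class body continues outside the hunk.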