Comments (6)
Thanks for the help @JonasKs!
So it turns out that I fucked up 🤦
The mistake was in the React code. Anyways I'm just going to explain below for anyone in the future.
// main.tsx
import { MsalProvider } from "@azure/msal-react";
import { msalInstance } from "./features/utils/aad";
ReactDOM.render(
<React.StrictMode>
<MsalProvider instance={msalInstance}>
<App />
</MsalProvider>
</React.StrictMode>,
document.getElementById("root")
);
// features/utils/aad.tsx
import {
Configuration,
RedirectRequest,
PublicClientApplication,
EventMessage,
EventType,
AuthenticationResult,
} from "@azure/msal-browser";
export const msalConfig: Configuration = {
auth: {
clientId: import.meta.env.VITE_AAD_CLIENT_ID as string,
authority: `https://login.microsoftonline.com/${import.meta.env.VITE_AAD_TENANT_ID}`,
redirectUri: "http://localhost:3000/login",
},
cache: {
cacheLocation: "sessionStorage",
storeAuthStateInCookie: false,
},
};
export const msalInstance = new PublicClientApplication(msalConfig);
msalInstance.addEventCallback((event: EventMessage) => {
if (event.eventType === EventType.LOGIN_SUCCESS && event.payload) {
const payload = event.payload as AuthenticationResult;
const account = payload.account;
msalInstance.setActiveAccount(account);
}
});
// MSAL.js v2 exposes several account APIs, logic to determine which account to use is the responsibility of the developer
const account = msalInstance.getAllAccounts()[0];
export const accessTokenRequest = {
scopes: [`api://${import.meta.env.VITE_AAD_APP_CLIENT_ID}/user_impersonation`],
account: account,
};
The issue was that I had my accessTokenRequest
without the id of the backend app registration
export const accessTokenRequest = {
scopes: [`user_impersonation`],
account: account,
};
from fastapi-azure-auth.
Can you de-code your token at https://jwt.io and show me how it looks? If you're not comfortable posting that information online, you can send it to me at [email protected].
Also, your react frontend is set up exactly as the OpenAPI app registration?
from fastapi-azure-auth.
Sure here is a link to the token(Removed by @JonasKs)
It says it cannot verify the signature.
Yes, the Azure setup should be the same:
from fastapi-azure-auth.
Your tokens aud
(audience) is for Microsoft Graph and not your backend application. So audience verification fails.
Can you provide some react code so I can see how it has been configured? Could it be that it fetches multiple tokens(maybe silently) and you’re using the wrong one?
If not, could you click login and copy the Azure URL you’re signing in from/redirected to?
from fastapi-azure-auth.
On a side note: I'm not a frontend developer, but could it be an idea to switch to @azure/msal-react
instead of using @azure/msal-browser
?
from fastapi-azure-auth.
Glad you figured it out, and thanks for providing an example for future reference.
Have a good week 😊
from fastapi-azure-auth.
Related Issues (20)
- [Question] Graph API call triggers "admin consent required" HOT 1
- SOLVED: CVE-2024-23342 `ecdsa` may be vulnerable to the Minerva attack HOT 3
- Facing authentication issue mentioning pkce required for cross-origin authorization code redemption HOT 1
- [BUG] got claim `acct` in type `int`, but fastapi-azure-auth is waiting for `str` HOT 1
- Add ability to specify audience and issuer to validate token claims against HOT 1
- [BUG/Question] Example use cases for scopes HOT 7
- [Feature request] Support WebSocket connections. HOT 4
- Empty raise HOT 2
- [BUG/Question] Pydantic validation error on email/acr HOT 2
- [Question] Add scopes to redoc and swagger? HOT 1
- [BUG/Question] Scopes are not being validated HOT 4
- [Question] Following https://intility.github.io/fastapi-azure-auth/usage-and-faq/calling_your_apis_from_python/#single--and-multi-tenant but getting Invalid audience HOT 10
- [BUG/Question] Email not present in user object HOT 1
- V5 release
- [BUG/Guest User Evaluation] HOT 4
- [Question] Where is the OpenAPI docs access token stored? HOT 3
- [Documentation - Locking Down on Roles ] HOT 2
- Deprecation Warning: Pydantic V1 style @validator deprecated in Pydantic V2 HOT 2
- [Feature request] Provide a OAuth2PasswordBearer flow that uses `client_id`/`client_secret` and simply calls the appropriate token endpoint HOT 1
- [BUG/Question] Python 3.9 still supported? HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fastapi-azure-auth.