Comments (17)

orcharddweller avatar orcharddweller commented on June 19, 2024 2

I'll try to sit on this tomorrow.

from fastapi-azure-auth.

Bulga-xD avatar Bulga-xD commented on June 19, 2024 1

We just implemented B2C and tid is there.

JonasKs avatar JonasKs commented on June 19, 2024 1

Thank you! I assume something else is up, I've never heard of the tid key missing.

I'd love if someone would contribute with a B2C tutorial, since it's hard to troubleshoot these things without a "best practice base".

Bulga-xD avatar Bulga-xD commented on June 19, 2024 1

Sure @JonasKs I will try to add a tutorial this week!

orcharddweller avatar orcharddweller commented on June 19, 2024 1

I'll have a look, but the difference is I'm not using multi-tenant, so I think that would explain the difference.

I think the posts I linked clearly show that tid might be missing in many B2C scenarios.

orcharddweller avatar orcharddweller commented on June 19, 2024 1

Still, it's really cool that you contributed, @kristiqntashev! I'll try to have a look at it this week, thanks!

JonasKs avatar JonasKs commented on June 19, 2024

Hi. Weird, I thought it would 🤔 @robteeuwen, could you confirm?

orcharddweller avatar orcharddweller commented on June 19, 2024

This is interesting, because everything seems to be working on my side, besides this.

My setup is basically the same as the Single Tenant one, but:

from fastapi_azure_auth.auth import AzureAuthorizationCodeBearerBase

# tenant, policy and settings.APP_CLIENT_ID come from the application's own config
azure_scheme = AzureAuthorizationCodeBearerBase(
    # B2C endpoints live under <tenant>.b2clogin.com and are specific to the user-flow policy
    openapi_authorization_url=f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize?p={policy}&nonce=defaultNonce&prompt=login",
    app_client_id=settings.APP_CLIENT_ID,
    openapi_token_url=f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token",
    openid_config_url=f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration",
    scopes={
        f'https://{tenant}.onmicrosoft.com/{settings.APP_CLIENT_ID}/user_impersonation': 'user_impersonation',
    },
)

# Name shown for this scheme in the OpenAPI "Authorize" dialog
azure_scheme.scheme_name = "B2C"

and I've picked this option when setting up app registrations:

Screenshot 2022-06-30 at 19 25 11

JonasKs avatar JonasKs commented on June 19, 2024

That would be awesome! 👏 👏

I am on summer vacation from the 9th, so if you're able to make a PR before then I'll be able to give feedback pretty much immediately 😊

JonasKs avatar JonasKs commented on June 19, 2024

I've never used Azure B2C, but I suspect the lack of tid is because of the fact that you're using a B2C tenant, and the appreg is within that tenant. These other guys are using a combination of multi-tenant and B2C tenants, where the app is registered in the multi-tenant tenant, and then exposed to the B2C tenant?

I'm happy to accept a PR where the tid field is optional.

Bulga-xD avatar Bulga-xD commented on June 19, 2024

We are also using a B2C tenant and tid is there. From my point of view, this is a configuration problem in Azure.

orcharddweller avatar orcharddweller commented on June 19, 2024

I've investigated a bit, and it looks like it's normal for B2C to miss tid:

MSAL.Net supports a token cache. The token caching key is based on the claims returned by the Identity Provider. Currently MSAL.Net needs two claims to build a token cache key:

  • tid, which is the Azure AD Tenant Id, and
  • preferred_username

Both these claims are missing in many of the Azure AD B2C scenarios.

https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/AAD-B2C-specifics#known-issue-with-azure-b2c

also:

I read the B2C access token documentation, and I noticed that the tenantId claim (tid) is not in the list. This is different from the normal Azure Active Directory access token claims.

https://stackoverflow.com/questions/55978290/azure-b2c-access-token-missing-tenantid

There seem to be workarounds for this, but I think it would be best if the lib worked without those.
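
The validation point the thread is circling (a B2C-issued token may carry no tid, so a library should not make that claim mandatory, while issuer, audience and expiry stay mandatory), as an added example in Python. This is not code from fastapi-azure-auth or from anyone in the thread. The tenant name, GUIDs, policy name and claim payloads are constructed placeholders, and the example assumes the JWT signature has already been verified before the decoded claims reach these functions.

```python
"""Claim validation that tolerates a missing tid claim without relaxing the
checks that bind a token to this API (issuer, audience, expiry).

Added example, not fastapi-azure-auth code. Assumption: the JWS signature
has already been verified; only the decoded claim dict is handled here.
"""
import time
from dataclasses import dataclass
from typing import Optional


class InvalidToken(Exception):
    """Raised when a claim set fails validation."""


@dataclass(frozen=True)
class Claims:
    iss: str
    aud: str
    sub: str
    exp: int
    tid: Optional[str] = None  # not issued in many B2C scenarios


def strict_accepts(payload: dict) -> bool:
    """The 'before' behaviour: tid is required, so a B2C token is rejected
    even though it is otherwise valid."""
    try:
        Claims(iss=payload["iss"], aud=payload["aud"], sub=payload["sub"],
               exp=int(payload["exp"]), tid=payload["tid"])
        return True
    except KeyError:
        return False


def parse_claims(payload: dict) -> Claims:
    """tid is optional; the claims that bind the token stay mandatory."""
    try:
        return Claims(iss=payload["iss"], aud=payload["aud"], sub=payload["sub"],
                      exp=int(payload["exp"]), tid=payload.get("tid"))
    except KeyError as missing:
        raise InvalidToken(f"required claim missing: {missing}") from None


def validate(payload: dict, expected_iss: str, expected_aud: str,
             now: Optional[int] = None, leeway: int = 0) -> Claims:
    """Reject tokens minted by another issuer, for another audience, or expired."""
    claims = parse_claims(payload)
    now = int(time.time()) if now is None else now
    if claims.iss != expected_iss:
        raise InvalidToken("issuer mismatch")
    if claims.aud != expected_aud:
        raise InvalidToken("audience mismatch")
    if claims.exp + leeway < now:
        raise InvalidToken("token expired")
    return claims


def check(payload: dict, expected_iss: str, expected_aud: str, now: int) -> str:
    """'ok' or the rejection reason; handy for tests and audit logging."""
    try:
        validate(payload, expected_iss, expected_aud, now=now)
        return "ok"
    except InvalidToken as exc:
        return str(exc)


# --- constructed sample data (placeholders, not real tenants or tokens) ---
TENANT = "contoso"
TENANT_GUID = "00000000-0000-0000-0000-000000000001"
APP_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
B2C_ISSUER = f"https://{TENANT}.b2clogin.com/{TENANT_GUID}/v2.0/"
AAD_ISSUER = f"https://login.microsoftonline.com/{TENANT_GUID}/v2.0"
NOW = 1_699_999_000

# B2C-style access token claims: policy name in tfp, no tid
B2C_PAYLOAD = {
    "iss": B2C_ISSUER, "aud": APP_CLIENT_ID, "sub": "user-object-id",
    "exp": 1_700_000_000, "tfp": "B2C_1_signupsignin",
}
# Regular Azure AD token for the same app: tid present
AAD_PAYLOAD = {
    "iss": AAD_ISSUER, "aud": APP_CLIENT_ID, "sub": "user-object-id",
    "exp": 1_700_000_000, "tid": TENANT_GUID,
}

if __name__ == "__main__":
    print("strict parser accepts B2C token:", strict_accepts(B2C_PAYLOAD))
    print("lenient validation of B2C token:", check(B2C_PAYLOAD, B2C_ISSUER, APP_CLIENT_ID, NOW))
    print("B2C token checked against AAD issuer:", check(B2C_PAYLOAD, AAD_ISSUER, APP_CLIENT_ID, NOW))
    no_aud = {k: v for k, v in B2C_PAYLOAD.items() if k != "aud"}
    print("B2C token without aud:", check(no_aud, B2C_ISSUER, APP_CLIENT_ID, NOW))
```

The design choice worth noting: relaxing tid is safe only because the token is still pinned by iss (which for B2C already encodes the tenant GUID) and aud; a claim model that made iss or aud optional to "fix" B2C would accept tokens minted for other tenants or other APIs.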

Bulga-xD avatar Bulga-xD commented on June 19, 2024

This is still strange for me because in our case we don't have any problems with tid. @marcinplatek, can you test with my PR? This is a solution that worked in our project.

Bulga-xD avatar Bulga-xD commented on June 19, 2024

I'll have a look, but the difference is I'm not using multi-tenant, so I think that would explain the difference.

I think the posts I linked clearly show that tid might be missing in many B2C scenarios.

That's possible! We only try with Multitenant!

JonasKs avatar JonasKs commented on June 19, 2024

I'm happy to accept a PR where tid is an optional field. 😊 I'm going on vacation on Friday, so I'll fix it before then if no PR is created. 😊

Bulga-xD avatar Bulga-xD commented on June 19, 2024

I'll try to sit on this tomorrow.

Ping me if you want we can work together. Happy to help!

orcharddweller avatar orcharddweller commented on June 19, 2024

@kristiqntashev, sorry, I was busy and got to do this a bit late. Thanks for the offer, anyway!