
I am trying to configure the "mozilla-django-oidc" package in Django. To authenticate I use Azure Active Directory B2C policy, so this is my federation server.

When I click on the login button I get this URL, which looks wrong to me. I will split it, just for convenience:

https://TENANTID.b2clogin.com/TENANTID.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1_TENANTID_signin?response_type=code&scope=openid+email&client_id=XXXXXXXXXXXXXXX&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Foidc%2Fcallback%2F&state=pt8aYXicnYRSQkkB8kwHSv4hQwt9Xzre&nonce=UfLfk6QovA2inpfo9W7zS2MZHLpO1tkJ

and the URL I need has this format: https://TENANTID.b2clogin.com/TENANTID.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_TENANTID_SIGNIN&client_id=XXXXXXXXXXXXX&nonce=defaultNonce&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Foidc%2Fcallback%2F&scope=openid&response_type=id_token&prompt=login

On the home page I have this code:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Home page</title>
</head>
<body>
  <h3>
    Welcome to home page
  </h3>

  {% if user.is_authenticated %}
    <p>Current user: {{ user.email }}</p>
    <form action="{% url 'oidc_logout' %}" method="post">
      {% csrf_token %}
      <input type="submit" value="logout">
    </form>
  {% else %}
    <a href="{% url 'oidc_authentication_init' %}">Login</a>
  {% endif %}

</body>
</html>

My code in settings.py:

OIDC_RP_SIGN_ALGO = "RS256"
OIDC_RP_CLIENT_ID = "xxxxxxxxxxxxxx"  # fake client id just for this post
# OIDC_RP_CLIENT_SECRET = os.environ['OIDC_RP_CLIENT_SECRET']
OIDC_OP_AUTHORIZATION_ENDPOINT = "https://TENANTID.b2clogin.com/TENANTID.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1_TENANTID_signin"
OIDC_OP_TOKEN_ENDPOINT = "https://TENANTID.b2clogin.com/TENANTID.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_TENANTID_signin"
# OIDC_OP_USER_ENDPOINT = "<URL of the OIDC OP userinfo endpoint>"
LOGIN_REDIRECT_URL = "http://localhost:8000/oidc/callback/"
LOGOUT_REDIRECT_URL = "http://localhost:8000/welcome/"

Note: I don't know what to put in the variable "OIDC_RP_CLIENT_SECRET", nor in "OIDC_OP_USER_ENDPOINT".

Any help on getting the right URL with this configuration? Thanks

MarcosF8

2 Answers

I had to update the views.py file from the library in order to get the URL I needed. The documentation was very poor, but at least it is working.

MarcosF8
  • What did you have to add in order to get this working? – mikebridge Apr 05 '20 at 20:32
  • In the views.py file of the library, I changed the OIDC parameters after this line: if self.get_settings('OIDC_USE_NONCE', True): . So I changed the JSON of the configuration as follows: nonce = "defaultNonce" params.update({ 'nonce': nonce, 'response_type': 'id_token', 'scope': 'openid', 'prompt': 'login', }). And then changed the redirect URL, removing the "?": redirect_url = '{url}&{query}'.format(url=self.OIDC_OP_AUTH_ENDPOINT, query=query) – MarcosF8 Apr 07 '20 at 11:45
  • Thanks! I ultimately ended up setting up a custom DRF backend and validating the access token successfully via PyJWT. – mikebridge Apr 07 '20 at 15:14


In order to get the URL you want, you need to remove the authorization parameter in your endpoints:

  • OIDC_OP_AUTHORIZATION_ENDPOINT
  • OIDC_OP_TOKEN_ENDPOINT

This would yield new endpoints for you as follows.

OIDC_OP_AUTHORIZATION_ENDPOINT = "https://TENANTID.b2clogin.com/TENANTID.onmicrosoft.com/oauth2/v2.0/authorize"
OIDC_OP_TOKEN_ENDPOINT = "https://TENANTID.b2clogin.com/TENANTID.onmicrosoft.com/oauth2/v2.0/token"

Now you are missing a part of your URL so you can add the "policy" authorization parameter back in with the following bit of code:

OIDC_AUTH_REQUEST_EXTRA_PARAMS = {'p': 'b2c_1_TENANTID_signin'}
OIDC_RP_SCOPES = ['openid']

Could you use OIDC_USE_NONCE = False instead of setting nonce to be defaultNonce?

EDIT: I should have mentioned this doesn't resolve your issue around response_type and nonce.

Aaron
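Added illustration, not part of either answer and not mozilla-django-oidc's own code: a small Python model of how the authorization URL is assembled from the settings, so the two settings.py variants in this thread (policy baked into the endpoint versus passed through OIDC_AUTH_REQUEST_EXTRA_PARAMS) can be compared offline. The build_auth_url function assumes the '{url}?{query}' assembly that the comment on the first answer describes; TENANTID, the client id and the redirect URI are placeholders taken from the question. The nonce and state stay random per request, which is what lets the relying party later bind the returned id_token to the request it made.

```python
"""Model of mozilla-django-oidc's authorization-request assembly (assumption,
not the library's code) used to show why a '?p=...' suffix on the endpoint
setting yields a malformed URL and how OIDC_AUTH_REQUEST_EXTRA_PARAMS fixes it.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values from the question (constructed, not real).
REDIRECT_URI = "http://localhost:8000/oidc/callback/"
_BASE = "https://TENANTID.b2clogin.com/TENANTID.onmicrosoft.com/oauth2/v2.0"

# Variant 1: the question's settings, policy appended to the endpoint itself.
BROKEN_SETTINGS = {
    "OIDC_RP_CLIENT_ID": "xxxxxxxxxxxxxx",
    "OIDC_OP_AUTHORIZATION_ENDPOINT": _BASE + "/authorize?p=b2c_1_TENANTID_signin",
}

# Variant 2: the second answer's settings, policy passed as an extra parameter.
FIXED_SETTINGS = {
    "OIDC_RP_CLIENT_ID": "xxxxxxxxxxxxxx",
    "OIDC_OP_AUTHORIZATION_ENDPOINT": _BASE + "/authorize",
    "OIDC_AUTH_REQUEST_EXTRA_PARAMS": {"p": "b2c_1_TENANTID_signin"},
    "OIDC_RP_SCOPES": ["openid"],
}


def build_auth_url(settings, redirect_uri, state=None, nonce=None):
    """Assemble the authorization request the way the thread describes:
    endpoint + '?' + urlencoded parameters. state/nonce default to fresh
    random values; fixed values may be passed in for deterministic tests."""
    params = {
        "response_type": "code",
        "scope": " ".join(settings.get("OIDC_RP_SCOPES", ["openid", "email"])),
        "client_id": settings["OIDC_RP_CLIENT_ID"],
        "redirect_uri": redirect_uri,
        "state": state or secrets.token_urlsafe(24),
    }
    if settings.get("OIDC_USE_NONCE", True):
        params["nonce"] = nonce or secrets.token_urlsafe(24)
    # Extra parameters (the B2C policy name 'p') are merged into the same
    # query string instead of being glued onto the endpoint URL.
    params.update(settings.get("OIDC_AUTH_REQUEST_EXTRA_PARAMS", {}))
    return "{url}?{query}".format(
        url=settings["OIDC_OP_AUTHORIZATION_ENDPOINT"], query=urlencode(params)
    )


def parse_query(url):
    """Parse the query string as the authorization server would (parse_qs
    style: each value is a list). Only the first '?' starts the query."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def auth_url_is_well_formed(url):
    """True when the policy value is clean and the mandatory OIDC parameters
    survived as separate keys; False for the 'double ?' URL from the question."""
    q = parse_query(url)
    required = {"response_type", "client_id", "redirect_uri", "scope", "state", "p"}
    if not required <= q.keys():
        return False
    return "?" not in q["p"][0]


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_SETTINGS), ("fixed", FIXED_SETTINGS)):
        url = build_auth_url(cfg, REDIRECT_URI)
        print(label, auth_url_is_well_formed(url))
        print("  ", url)
```

Running the block prints the two URLs; in the broken variant parse_query returns a "p" value of "b2c_1_TENANTID_signin?response_type=code" and no response_type key at all, which is exactly what the federation server sees. The fixed variant still sends response_type=code, so, as the second answer's EDIT notes, it does not by itself produce the id_token response type that the asker compared against.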