The user is not redirected to a microsoft page

[Wissperwind]

Hi,

I use Azure AD. I configured everything like I thought it would work. I opened the django admin site. I typed in my credentials and it said wrong credentials... But I thought it should redirect me to a microsoft site to perform login? Why is Django even asking me for credentials?

[tim-schilling]

By default the django admin URL won't be overriden. You would need to do that in your urls.py file specifically. If you install django-extensions and run python manage.py show_urls, you can see how your URL paths are configured.

[AzureIP]

OK, what exactly do I have to do? I just want that people can log in to django admin. They must somehow be redirected to some microsoft site by django I think. How to achieve this?

[tim-schilling]

You need to define a URL to catch the requests to your admin login flow. The default would be:

path("admin/login/", admin_login_redirect)

Where admin_login_direct is:

from django.conf import settings
from django.contrib.auth.views import LoginView
from django.shortcuts import redirect, render
from django.urls import reverse

def admin_login_redirect(request):
    """Redirect the admin login to our auth login."""
    next = request.GET.get(LoginView.redirect_field_name, reverse("admin:index"))
    return redirect(settings.AUTH_URL + f"?next={next}")

[Wissperwind]

Ok, I did that.

    path("admin/login/", admin_login_redirect),
    path('admin/', admin.site.urls),

The ordering seems to matter.

It now says that I have not set AUTH_URL in settings. What value do I have to set AUTH_URL to? Haven't found anything about AUTH_URL in your doku: https://django-auth-adfs.readthedocs.io/en/latest/search.html?q=AUTH_URL&check_keywords=yes&area=default

[tim-schilling]

Oh, sorry about that. That's a relic of my system allowing us to programatically switch between direct auth and active directory SSO. Rather than settings.AUTH_URL, you want to use reverse("django_auth_adfs:login") or whatever authentication URL you decide to use.

[Wissperwind]

I was now redirected to a microsoft login page correctly and was able to log in:
But afterwards I see a white page with "No authorization code was provided".
In the Urls I found:
AADSTS90008:+The+user+or+administrator+has+not+consented+to+use+the+application+with+ID+'my-id'.+This+happened+because+application+is+misconfigured:+it+must+require+access+to+Microsoft+Graph+by+specifying+at+least+'Sign+in+and+read+user+profile'+permission.

What is your plugin trying to do and what permissions are needed.

[tim-schilling]

What is your plugin trying to do

Please review the documentation. You should have an idea of what the purpose of the library is if you're trying to integrate it.

what permissions are needed.

You identified the missing permissions in the URLs. Additionally, you can review the config guides in the docs and the demo app.

[Wissperwind]

ok, the Azure AD Admin has changed something for me. The URL looks now different.
I Login to microsoft, I am redirected to

https://lap-20-073.ssss.de:8080/foss/oauth2/callback?code=0.AXMA-g66LIO9o0KRJjIRKlj2OBziwPwYzq9ChKFAbkv6osRzAJI.AgABAAIAAAD--DLA3VO7QrddgJg7WevrAgDs_wQA9P9vjdjYs5NGWHI8o9U9DaqZ35HOHJB6wSLGy6Pl7DJJAQXBfAig_rnXdC9eReozMzo4cmgRz7uU8Qj_HGEj1SWlSYYHPaAU3t6LDbL0OiSXQ7u6K9iQwnZfhGKE7sBtDt04aqq0NM9RR4ybdGoBE8HVcom9KU-y5mBeZ6zL7c6yTQ7wu5oVTo_YIxUtoRT4DR93l9R36grqGXgwtMHbjUW1_TJms9LNNLj67z89sRid7aeyYpFiQ-dMUXLA73-z5rE7iTrrj6f1oAyhMDShhY6P7TUg4SRGaCto-uCwzWeeIwTsaW2RVkTODFcY0zfsnz3_Bism0bpq1IHtTnqTehw2RhdmreCiymQ-4svadOuh75g9XlEOIemNKla2PhYMrdEtmiq2-tMpPzswnTSupOvX809f2U1fiWylgTzvCSg3dlm8njb2ylZDgNuLmhhZzNlPlaFge4f7W4gAO9JoblkU_EW75gGL__sTtZ7Yp0caK5ejs25TKm4dwu9_fPmfKHbhIk6MirGiQpxJICaQnYOJSs69OsO7mvzMA1C177YSh6rSA1ugHxhOjfyy8sxW4CCr6WQwKq_9jFPjP84xo0FUPUgOwdaNs2JrNQP7X1lMhF4nF0KSQlR16plZaGVy3PSEejX906v8u3iFJcp7QLiYbb9tKFRin4ctCmkoBI1Rzwn6jiUcc_BvQm83O8FxcfuZsmozqtx3aaPrKDMX-BH0T0ZruXcHJKD6kLzOufl84CjfLSsuW6bZx4SqMJGbDeF39lGQdBVO-QecRHu9U0HLGcFJzfcGNAXlClhbg6A&state=L2Zvc3MvYWRtaW4v&session_state=1c3f2961-5687-4023-9a26-6909a3214ce3#
(I have changed randomly some numbers)
So the text error message in the url is gone, but i am still not logged in into the admin aerea.

Login Failed is displayed and in the log I see:

INFO 2022-10-19 09:12:06,826 django_auth_adfs Loaded settings from ADFS server.
INFO 2022-10-19 09:12:06,826 django_auth_adfs operating mode:         openid_connect
INFO 2022-10-19 09:12:06,827 django_auth_adfs authorization endpoint: https://login.microsoftonline.com/2c6a0efa-bd83-42a3-9126-32112a58f639/oauth2/authorize
INFO 2022-10-19 09:12:06,827 django_auth_adfs token endpoint:         https://login.microsoftonline.com/2c6a0efa-bd83-42a3-9126-32112a58f639/oauth2/token
INFO 2022-10-19 09:12:06,827 django_auth_adfs end session endpoint:   https://login.microsoftonline.com/2c6a0efa-bd83-42a3-9126-32112a58f639/oauth2/logout
INFO 2022-10-19 09:12:06,828 django_auth_adfs issuer:                 https://sts.windows.net/2c6a0efa-bd83-42a3-9126-32112a58f639/
INFO 2022-10-19 09:12:06,828 django_auth_adfs msgraph endpoint:       graph.microsoft.com
DEBUG 2022-10-19 09:12:07,070 django_auth_adfs Authentication backend was called but no access token was received
Unauthorized: /foss/oauth2/callback

(I have changed some numbers)

How to debug this further? How to find the problem?

[aoiheaven]

I was now redirected to a microsoft login page correctly and was able to log in: But afterwards I see a white page with "No authorization code was provided". In the Urls I found: AADSTS90008:+The+user+or+administrator+has+not+consented+to+use+the+application+with+ID+'my-id'.+This+happened+because+application+is+misconfigured:+it+must+require+access+to+Microsoft+Graph+by+specifying+at+least+'Sign+in+and+read+user+profile'+permission.

What is your plugin trying to do and what permissions are needed.

about this issue, you could ref the last section of step-3-register-and-configure-an-azure-ad-frontend-application
request permission: GroupMember.Read.All from your administrator to bypass it.

But for me, some typical case, can we add groups claim in frontend app, aims to limit user group number when generating token as workaround?
important-caveats-for-this-functionality
add-group-claims-to-tokens-for-saml-applications-using-sso-configuration
@tim-schilling Could help comment it?