easyauth | centralized Authentication and Authorization token server | Authorization library
kandi X-RAY | easyauth Summary
Create a centralized Authentication and Authorization token server. Easily secure FastAPI endpoints based on Users, Groups, Roles or Permissions to minimize database access requirements of Auth.
Top functions reviewed by kandi - BETA
- Setup the frontend
- Setup API
- Create a client
- Initialize the server
- Setup proxy setup
- Sets up the database connection
- Setup tables
- Setup quorum
- Handle HEAD request
- Start the server
Community Discussions
QUESTION
SubEthaSMTP server running fine on port 25001. After a successful authentication from my client code to Subethasmtp server i am having this error message org.subethamail.smtp.server.Session: Unexpected error in the SMTP handler thread java.lang.NoClassDefFoundError: jakarta/mail/internet/AddressException
This is my SMTPServerConfig class
...ANSWER
Answered 2022-Feb-27 at 09:24
Spring Boot 2.6 and earlier still use the javax.mail namespace for JakartaMail (formerly JavaMail), while your SubEtha SMTP version seems to expect the jakarta.mail namespace. Spring Boot explicitly specifies versions of the JakartaMail package, see Spring Boot Dependency Versions and search for jakarta.mail. For Spring Boot 2.6.4, it lists version 1.6.7, and that version is still based on the javax.mail namespace.
You need to downgrade SubEtha SMTP to a version that still uses the javax.mail namespace of JakartaMail/JavaMail, and wait for Spring Boot 3 before using a version that needs the jakarta.mail namespace.
In theory, you can also set the Maven property jakarta-mail.version to 2.0.1, but this could cause problems in other parts of Spring Boot, so I do not recommend that.
QUESTION
I am very new to Azure Function Apps and OAuth so please bear with me.
My Setup: I have an Azure Function App with a simple python-function doing nothing else but printing out the request headers:
...ANSWER
Answered 2021-Jun-10 at 03:48
The header X-MS-CLIENT-PRINCIPAL contains the same claims as the id_token. So if we want to get the group claim, we can base64 decode the header.
For example
My code
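The decode step the answer describes, as an added example (my code, not the answerer's and not part of the easyauth project). The header layout it assumes is the JSON shape App Service Authentication uses for X-MS-CLIENT-PRINCIPAL: a base64 string wrapping an object with "auth_typ", "name_typ", "role_typ" and a "claims" list of {"typ", "val"} pairs. The principal, its object IDs and the claim values are constructed for the demo; the helper names are mine.

```python
import base64
import json

# Constructed sample principal (assumed layout of X-MS-CLIENT-PRINCIPAL, not captured
# from a live app). Multi-valued claims such as groups appear once per value.
SAMPLE_PRINCIPAL = {
    "auth_typ": "aad",
    "name_typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "role_typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "claims": [
        {"typ": "aud", "val": "11111111-2222-3333-4444-555555555555"},
        {"typ": "iss", "val": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"},
        {"typ": "name", "val": "Example User"},
        {"typ": "groups", "val": "aaaaaaaa-0000-0000-0000-000000000001"},
        {"typ": "groups", "val": "aaaaaaaa-0000-0000-0000-000000000002"},
        {"typ": "roles", "val": "Reader"},
    ],
}


def encode_principal(principal):
    """Produce a header value from a principal dict (only needed to build the sample)."""
    raw = json.dumps(principal, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


SAMPLE_HEADER = encode_principal(SAMPLE_PRINCIPAL)


def decode_client_principal(header_value):
    """Base64-decode X-MS-CLIENT-PRINCIPAL and parse the JSON.

    Padding is restored before decoding so a value with stripped '=' still parses.
    Trust this header only behind App Service Authentication: the platform sets it after
    it has validated the login and replaces any copy a client sends. A worker that is
    reachable without the auth module must not honour it.
    """
    padded = header_value + "=" * (-len(header_value) % 4)
    return json.loads(base64.b64decode(padded).decode("utf-8"))


def claim_values(principal, typ):
    """All values of one claim type, in header order (empty list if absent)."""
    return [c["val"] for c in principal.get("claims", []) if c.get("typ") == typ]


def has_claim(principal, typ, val):
    """Exact-match check on one claim, the counterpart of ClaimsPrincipal.HasClaim."""
    return val in claim_values(principal, typ)


def groups_from_header(header_value):
    """Group object IDs from the header, ready for an allow-list comparison."""
    return claim_values(decode_client_principal(header_value), "groups")


def require_group(header_value, allowed_group_ids):
    """Authorization gate: True only if the caller is in at least one allowed group."""
    return any(g in allowed_group_ids for g in groups_from_header(header_value))
```

Compare group object IDs, not display names: the id_token and this header carry IDs, and an allow-list of IDs survives a group rename.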
QUESTION
I'm trying to use EasyAuth (aad) with a SPA, which is on "localhost:8080" at the moment, and an Azure Function which is hosted in Azure ({function-app}.azurewebsites.net). The intent is for the SPA to call a secured endpoint on the Azure Function. So, I have the Azure Function Registered as an application in AD, and the authentication redirect in the SPA to the Azure Function EasyAuth endpoint appears to be working, but the redirect back to the localhost SPA via the post_login_redirect_url is not.
I added http://localhost:8080 to the AAD registered application as an allowed redirect URI. However, if I fully qualify the URL I am redirected back to {function-host}/.auth/login/done. Is there an expectation that the SPA runs under the same hostname as the azure function, or is there a way to configure the setup to allow any URL for the SPA host?
In terms of HTTP data during behavior, once login succeeds .auth/login/aad/callback is loaded with the following prior to redirecting to the default done page and stopping.
- Response Header
  Location = {function-host}/.auth/login/done
- Form Data:
  state = http://localhost:8080
  code = auth code
  id_token = auth token
ANSWER
Answered 2021-Apr-26 at 02:45
Regarding the issue, please refer to the following steps
- Register Azure AD application to protect azure function with easy auth
- Register client-side application
  a. Register single-page application
  b. In the Implicit grant and hybrid flows section, select ID tokens and Access tokens.
  c. Configure API permissions
- Code
  a. Integrate Azure AD auth in your spa application with Implicit grant flow. After doing that, when users access your application, they need to enter their AD account to get access token
  b. Client exchanges this accessToken for an 'App Service Token'. It does this by making a POST to https://{app}.azurewebsites.net/.auth/login/aad with the content { "access_token" : "{token from Azure AD}" }. This will return back an authenticationToken
  c. Use that authenticationToken in a header named x-zumo-auth. Make all requests to your function app using that header.
For more details, please refer to here and here. Regarding how to implement Azure AD in spa, please refer to here.
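Steps (b) and (c) of the answer as a client, added here as an example (my code, not the answerer's and not part of the easyauth project). The host name, token values and response body in the usage are constructed; the only protocol facts taken from the answer are the POST to /.auth/login/aad with an "access_token" JSON body, the "authenticationToken" in the reply, and the X-ZUMO-AUTH header. The transport function is injectable so the exchange can be exercised offline.

```python
import json
import urllib.request
from urllib.error import HTTPError


def post_json(url, body, timeout=10):
    """Default transport: POST a JSON body, return (HTTP status, parsed JSON or {})."""
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(
        url, data=data, method="POST", headers={"Content-Type": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8") or "{}")
    except HTTPError as err:
        return err.code, {}


def exchange_aad_token(app_host, aad_access_token, post=post_json):
    """Step (b): trade an Azure AD access token for an App Service session token.

    The AAD token must have been requested for the function app's own registration
    (its Application ID URI as audience); a token minted for some other resource is
    refused by /.auth/login/aad.
    """
    if not app_host or "/" in app_host:
        raise ValueError("app_host must be a bare host name such as myapp.azurewebsites.net")
    url = f"https://{app_host}/.auth/login/aad"
    status, body = post(url, {"access_token": aad_access_token})
    token = body.get("authenticationToken") if status == 200 else None
    if not token:
        # Neither token goes into the error message: both are bearer credentials.
        raise PermissionError(f"token exchange with {url} failed (HTTP {status})")
    return token


def zumo_headers(authentication_token):
    """Step (c): the header every later call to the function app must carry."""
    return {"X-ZUMO-AUTH": authentication_token}


def call_function(app_host, path, authentication_token, timeout=10):
    """Call a secured function with the session token; returns (status, body text)."""
    req = urllib.request.Request(
        f"https://{app_host}{path}", headers=zumo_headers(authentication_token)
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8")
    except HTTPError as err:
        return err.code, ""
```

Keep the session token in memory on the client rather than in localStorage where possible, and treat a 401 from the function app as a signal to run the exchange again rather than to retry with the same token.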
QUESTION
I am using NextAuth to sign in users using Facebook or Twitter. This works fine and I get the AccessToken along with basic user info. On the server I am using the socialId of the logged-in user to map to the corresponding local user in the database. Azure Functions has a social login feature called EasyAuth but I am not sure if I need it since I am using NextAuth. I was thinking of two ways:
- Send the logged-in user object with every request? This is probably not safe?
- Send the access token with every request and the server calls the corresponding social API to get the user info again?
What would be a good practice security-wise when sending the information to the server?
...ANSWER
Answered 2021-Mar-17 at 17:48
The client should not be aware of who is currently logged-in. On the client, you just save the access token, and then you send it to the server on every request. The server will figure out who made the request based on the access token and return the appropriate response.
QUESTION
Like demonstrated here, I want to secure an Azure Function app with AzureAD and only be able to call/invoke it from an Azure API Management instance (with system-assigned managed identity enabled). This works fine. However I really want to isolate access to the API (Functions app). As it stands now, ANY app in my tenant would be able to successfully authenticate and invoke the API. Therefore, I chose to enable user-assignment for that app registration.
So basically, there is 1 API (Azure Functions) that is AzureAD protected. Then there is 1 service calling the API (Azure API Management). Without a role-assignment there is the following error message I can understand.
...ANSWER
Answered 2021-Mar-16 at 23:55The MS-Graph link in the doc was false. It referred to the assignment of a role to a user, though an application in the linking text body was implied. This is the correct reference.
POST /servicePrincipals/{objectId}/appRoleAssignments
Also make sure, that in case you have created the Azure subscription with a personal account (eg. outlook.com, hotmail.com) to not use the bearer token of that user in the graph call. Instead create a user in AzureAD, assign proper permissions, and use that account's token.
QUESTION
ANSWER
Answered 2021-Feb-25 at 01:31
If you want to call the Azure API app which enables easy auth, please refer to the following steps
- Get the Application ID URI of the AD application you use to enable easy auth
  a. In the Azure portal menu, select Azure Active Directory or search for and select Azure Active Directory from any page.
  b. Select App registrations > Owned applications > View all applications in this directory. Select your web app name, and then select Overview.
- code
QUESTION
So we have a typical scenario: basically we have 2 Azure app services
1st: API App Service - hosting ASP.NET Core 2.1 web API C# project
2nd: Angular App Service - hosting stand-alone Angular app.
In the 2nd, the stand-alone Angular app service is configured by this, an easy auth, where we don't need to write any Angular authentication code; also we configured this
for that we created one Azure AD app - we provided API access to API App Service...
in the Angular app we got a token by calling /.auth/me - and that token we're sending to the API App Service.
On the other hand,
the API App Service is also protected with a separate Azure AD app.
Now the question is:
#1: how do we verify the token being sent (by Angular or any client) to the web API project is valid?
Thanks a lot.
...ANSWER
Answered 2020-Oct-13 at 06:38
To validate the access_token, your app should validate the token's signature, the claims, the issuer, the audience, and the signing tokens; these need to be validated against the values in the OpenID discovery document.
The Azure AD middleware has built-in capabilities for validating access tokens, and you can browse through the samples to find one in the language of your choice.
For more details, see - https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-tokens
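The validation the answer lists, carried out in order, as an added example (my code, not the answerer's, Microsoft's, or the easyauth project's). It is also the server-side half of the earlier NextAuth answer: the API learns who is calling from the token alone. The issuer, audience, key set and tokens are constructed stand-ins for what a real validator fetches from the tenant's OpenID discovery document and its jwks_uri. Azure AD signs with RS256; to run with only the standard library this example uses one symmetric HS256 key published as an "oct" JWK, so sign_token stands in for the identity provider. The check sequence is unchanged when you swap in RS256 keys from jwks_uri through a library such as PyJWT.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(text):
    """Base64url with padding restored; raises ValueError on garbage."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed stand-ins for values read from the OpenID discovery document.
ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
AUDIENCE = "api://11111111-2222-3333-4444-555555555555"  # the API's own App ID URI
DEMO_KEY = b"constructed-demo-secret-not-for-real-use"
JWKS = {"keys": [{"kty": "oct", "kid": "demo-2020-10", "k": b64url_encode(DEMO_KEY)}]}


class TokenInvalid(Exception):
    pass


def sign_token(claims, kid, key):
    """Mint an HS256 JWT; stands in for the identity provider when building samples."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token(token, jwks=JWKS, issuer=ISSUER, audience=AUDIENCE, now=None, leeway=60):
    """Return the claims if every check passes, otherwise raise TokenInvalid.

    Signature first, so no claim is believed before it is authenticated; the algorithm
    is pinned and the key chosen by kid from our own key set, never from the token.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        raise TokenInvalid("undecodable header or signature")
    if header.get("alg") != "HS256":  # allow-list: rejects "none" and algorithm swaps
        raise TokenInvalid("unexpected alg")
    key = next((k for k in jwks["keys"]
                if k.get("kid") == header.get("kid") and k.get("kty") == "oct"), None)
    if key is None:
        raise TokenInvalid("unknown kid")
    expected = hmac.new(b64url_decode(key["k"]),
                        f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenInvalid("bad signature")
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise TokenInvalid("undecodable payload")
    if claims.get("iss") != issuer:
        raise TokenInvalid("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenInvalid("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenInvalid("expired or missing exp")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf - leeway:
        raise TokenInvalid("not yet valid")
    return claims
```

The audience check is what the question is really asking about: a token the Angular app obtained for its own registration will fail here unless it was issued for the API's App ID URI, which is the point of granting the front-end app permission to the API app.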
QUESTION
I'm trying to hook up azure functions with EasyAuth as it is part of the app service platform. I have configured well and its working fine out-of-the-box when authenticating with azure active directory.
But since I want to add authorization as well, I decided to do this with app_roles using this guide.
Still I cannot use this in my code. Here's my only function in the function app:
...ANSWER
Answered 2020-May-16 at 05:11
You are correct that "roles" is in the claims; however, according to the documentation, IsInRole does not work as you expect. It looks for role types as per the ClaimsIdentity:
Each ClaimsIdentity has its own definition of the claim type that represents a role. This claim type can be accessed and set through the ClaimsIdentity.RoleClaimType property.
By default the RoleClaimType is something like "ClaimTypes.Role", whereas the claim type in the JWT is "roles"; it doesn't match, so it doesn't consider it a role claim when you call IsInRole.
You can try to set the ClaimsIdentity RoleClaimType, or you can search for the claim using a different method like claims.HasClaim("roles","shizzl"). That will work too?
Hopefully this helps you.
QUESTION
I have a scenario with several APIM instances in front of App Service API’s using EasyAuth. Each APIM instance has a managed Identity that is member of a group. I'm looking for a way to restrict access in the API’s to this specific group (or at least the specific ObjectID of APIM).
Is this scenario supported without writing code (or using IP restrictions)?
I have tried by setting the "User assignment required?" to YES in my AD application (the API, and Azure Function) using the guidance from "Restrict your Azure AD app to a set of users": https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users#update-the-app-to-enable-user-assignment. But I still have access to the API from my APIM that has a Managed Identity even though it's not given the proper assignment in the API. I was expecting this call to fail with 401.
...ANSWER
Answered 2020-Mar-21 at 16:53
First of all - you observe a working behavior because you (a) either explicitly assigned the managed identity a role / access to the easy auth app registration; or (b) APIM has a cached token from the time before you enable explicit assignment required for the easy auth app registration.
Generally your approach is correct. With one caveat. Authorizations based on groups will not work (today) for any service principals. This means, if you put a service principal (A) into a group (G) and you assign this group a role to another service principal (B). The first service principal (A) will still not be able to get access token for service principal (B). Any service principal (A) today must be explicitly authorized to another service principal (B). Meaning - if you set to require explicit user assignment for your service principal, then you have to explicitly assign any other service principal you want to grant access to. Anything else will fail in obtaining the access token.
Here are steps to achieve what you want in a clean environment:
- Create the Function App
- Enable Easy Auth for the function app
- Change the settings for require explicit user assignment on the service principal for that app registration (the function app)
- Do not assign any role yet on the service principal for the function app
- Enable managed Identity on APIM
- Use the managed identity in Policy by referring to the application_id for the function app easy auth registration
- Test the APIM
Result before assigning any role on the function app:
QUESTION
I am trying to figure out how to use Azure Function with Facebook login using the EasyAuth but when I try to access my app I keep getting the following error:
URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings. Make sure Client and Web OAuth Login are on and add all your app domains as Valid OAuth Redirect URIs.
On the Facebook developer page I have added in the Facebook Login product and under the option Valid OAuth Redirect URIs I inserted the following urls
...ANSWER
Answered 2020-Jan-03 at 02:52
I reproduce your issue with the same error message.
In the Valid OAuth redirect URIs field, just enter the url with https://<app-name>.azurewebsites.net/.auth/login/facebook/callback and it will work well. Remember to replace <app-name> with the name of your Azure App Service app.
For more details, you could refer to this article to Configure your App Service app to use Facebook login.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install easyauth
You can use easyauth like any standard Python library. You will need to make sure that you have a development environment consisting of a Python distribution including header files, a compiler, pip, and git installed. Make sure that your pip, setuptools, and wheel are up to date. When using pip it is generally recommended to install packages in a virtual environment to avoid changes to the system.