Specify Microsoft tenant when authenticating with Microsoft AAD #33

Closed
BilboBaagins opened this issue Jun 1, 2022 · 6 comments

@BilboBaagins

Hi John,

I have an app registration set up on portal.azure.com where I want to only allow users in my organisation's tenant to be able to log into my R Shiny app.

Firebase seems to launch the sign-in popup/redirect with the common/ endpoint by default. I can't seem to find where to change this to use my organisation's tenant ID.


This provides me with an error stating that Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.

Following along the firebase docs for microsoft-oauth I see that after you define a provider

```javascript
import { OAuthProvider } from "firebase/auth";

const provider = new OAuthProvider('microsoft.com');
```

you can then add custom parameters, such as TENANT_ID.

```javascript
provider.setCustomParameters({
  // Optional "tenant" parameter in case you are using an Azure AD tenant.
  // eg. '8eaef023-2b34-4da1-9baa-8bc8c9d6a490' or 'contoso.onmicrosoft.com'
  // or "common" for tenant-independent tokens.
  // The default value is "common".
  tenant: 'TENANT_ID'
});
```

I can't seem to find where I can specify the tenant ID in the docs / code in https://firebase.john-coene.com/.

I know that this is probably the file where this addition/edit should be made: JohnCoene/firebase/blob/master/srcjs/components/oauth.js after this block of code.

Can you advise, am I missing some obvious way of achieving this - or has this functionality yet to be added to the JohnCoene/firebase R package on CRAN?

Thank you very much - great package!

JohnCoene added a commit that referenced this issue Jun 1, 2022
@JohnCoene
Owner

Thank you for the detailed explanation, helps a ton.
Can you install the development version and try again?

```r
f <- FirebaseOauthProviders$
  new()$
  set_provider("microsoft.com", tenant = "xxx")
```

@JohnCoene JohnCoene added the feature New feature label Jun 1, 2022
@JohnCoene JohnCoene self-assigned this Jun 1, 2022
@BilboBaagins
Author

BilboBaagins commented Jun 1, 2022

I've installed the dev version of firebase with the following:

```r
library(devtools)
install_github("JohnCoene/firebase")
```

and modified the example R Shiny app here, adding my tenant ID to the `tenant` arg.

```r
library(shiny)
library(firebase)

ui <- fluidPage(
  useFirebase(),
  actionButton("signin", "Sign in with Microsoft", icon = icon("microsoft")),
  plotOutput("plot")
)

server <- function(input, output, session){
  f <- FirebaseOauthProviders$
    new()$
    set_provider("microsoft.com", tenant = "MY_TENANT_ID")

  observeEvent(input$signin, {
    f$launch()
  })

  output$plot <- renderPlot({
    f$req_sign_in()
    plot(cars)
  })

}

shinyApp(ui, server)
```

The common/ endpoint is still opening up on both popup and redirect launch unfortunately with the same error listed above.

@BilboBaagins
Author

Should this be changed from

```javascript
Shiny.addCustomMessageHandler('fireblaze-set-oauth-provider', (msg) => {
	oauthProviders[msg.id] = new OAuthProvider(msg.provider);

	if(Object.entries(msg.opts).length == 0)
		oauthProviders[msg.id].setCustomParameters(msg.opts)
});
```

to

```javascript
Shiny.addCustomMessageHandler('fireblaze-set-oauth-provider', (msg) => {
	oauthProviders[msg.id] = new OAuthProvider(msg.provider);

	if(Object.entries(msg.opts).length > 0)
		oauthProviders[msg.id].setCustomParameters(msg.opts)
});
```
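
Added example, not part of the original thread or the package's own code: the two handler bodies quoted above, run against a constructed stand-in for `OAuthProvider`, show why the `== 0` test silently drops `tenant` and leaves the request on the default `common` endpoint. `StubOAuthProvider`, `effectiveTenant`, the two function names and the sample message are assumptions made for illustration.

```javascript
// Constructed stand-in for firebase/auth's OAuthProvider: it only records
// the custom parameters so the handler logic can be run outside a browser.
class StubOAuthProvider {
  constructor(providerId) {
    this.providerId = providerId;
    this.customParameters = {};
  }
  setCustomParameters(params) {
    this.customParameters = { ...params };
    return this;
  }
}

// Handler body as first shipped: parameters are applied only when opts is EMPTY.
function setProviderBuggy(registry, msg) {
  registry[msg.id] = new StubOAuthProvider(msg.provider);
  if (Object.entries(msg.opts).length == 0)
    registry[msg.id].setCustomParameters(msg.opts);
  return registry[msg.id];
}

// Handler body after the fix: parameters are applied when opts is NON-empty.
function setProviderFixed(registry, msg) {
  registry[msg.id] = new StubOAuthProvider(msg.provider);
  if (Object.entries(msg.opts).length > 0)
    registry[msg.id].setCustomParameters(msg.opts);
  return registry[msg.id];
}

// Tenant the sign-in request would target; "common" is the documented default.
function effectiveTenant(provider) {
  return provider.customParameters.tenant || "common";
}

// Constructed message, shaped like the one the handler receives (id, provider, opts).
const sampleMsg = {
  id: "oauth-1",
  provider: "microsoft.com",
  opts: { tenant: "contoso.onmicrosoft.com" },
};

console.log("buggy:", effectiveTenant(setProviderBuggy({}, sampleMsg)));
console.log("fixed:", effectiveTenant(setProviderFixed({}, sampleMsg)));
```
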

JohnCoene added a commit that referenced this issue Jun 1, 2022
@JohnCoene
Owner

Whoops, indeed. Should be good now.

@BilboBaagins
Author

Hi John,

When trying to sign-in with the below test app - I am being met with the following error: AADSTS900971: No reply address provided.

```r
library(shiny)
library(firebase)

ui <- fluidPage(
  useFirebase(),
  actionButton("signin", "Sign in with Microsoft", icon = icon("microsoft")),
  plotOutput("plot")
)

server <- function(input, output, session){
  f <- FirebaseOauthProviders$
    new()$
    set_provider("microsoft.com", tenant = "MY_TENANT_ID")

  observeEvent(input$signin, {
    f$launch()
  })

  output$plot <- renderPlot({
    f$req_sign_in()
    plot(cars)
  })

}

shinyApp(ui, server)
```

Have you been successful at signing in with Microsoft AAD to an organisation tenant in the past?

@BilboBaagins
Author

Just an update on my previous comment - the above code works perfectly with the following instructions for App Registrations in portal.azure.com.

I had mistakenly set up my Redirect URI for a SPA (Single-page application) instead of Web as the instructions suggest.

Also, a final setting I needed to apply to the application was to grant it admin consent - Grant tenant-wide admin consent to an application.
