
Uid not set on Azure AD authentication and NoneType error #70

Closed
twschiller opened this issue Apr 24, 2017 · 8 comments

Comments

@twschiller

twschiller commented Apr 24, 2017

I'm trying to set up social-core, social-core-django, and the Azure AD backend to authenticate using Azure Active Directory. The initial authentication works and creates a User and a User Social Auth. However, subsequent attempts to authorize result in:

  • A new User object (but no corresponding User Social Auth object)
  • The server error 'NoneType' object has no attribute 'provider' raised at social_core/actions.py in do_complete, line 69

Some relevant information:

  • The Uid field in the User Social Auth object created from the first Authorization is None
  • The Azure AD is set up to include the "Sign in and read user profile" delegated permission (which corresponds to the User.Read permission)
  • Reading the backend code, it looks like the email address and ID are supposed to come from a field 'upn' corresponding to the user's on-premises user principal name (UPN), the User Name field as listed in Azure AD
  • The id_token JWT contains the following fields: aud, iss, iat, nbf, exp, aio, amr, email, family_name, given_name, idp, ipaddr, name, oid, platf, sub, tid, unique_name, uti, and ver. Note that the JWT does not contain the upn.
  • The extra data stored with the User Social Auth includes auth_time, access_token, id_token, refresh_token, expires, expires_on, not_before (null), first_name, last_name, token_type, and resource (null)

What I've tried so far:

Key questions:

  • How is the Azure AD server supposed to pass the upn back to the client? Is it in the JWT?
  • Is the missing UPN also the root cause for the NoneType server error on subsequent authentications?

I'm going to follow up with Microsoft Azure AD support to understand why the UPN is not being returned given my configuration, and will include their response.

@twschiller
Author

twschiller commented Apr 25, 2017

Responses below from MS. Looks like I'm going to have to create a modified version of the Azure AD backend that uses oid for uid and the email field for the email.


Given my configuration, should the Azure AD server be returning a UPN?

It depends. If you are authN to AAD as a user of that tenant then you should get the upn claim. However, if the user is not a member of the tenant or if you’re authN as an application using a key then you won’t.

If so, where would the UPN be returned? Would it be returned in the JWT?

It would be in the jwt. https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims

If not, 1) what information returned from the server can/should be used as a unique identifier, or 2) what changes would I need to make to our Azure AD setup to get access to the UPN?

You could also use the oid claim (see above link for details).

@NBajanca

NBajanca commented Jul 22, 2017

Hi @twschiller,

How have you solved this?
I'm using AzureAD but inside an organization so I always get an upn, but it would be nice to understand how to do it in your case.

PS: I think the solution is using Azure AD v2.0 and using preferred_username
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-tokens
But a new backend is required to do so.

@twschiller
Author

twschiller commented Jul 22, 2017

In our case, we now get a upn. I think the problem was that I was testing with our Azure account user which shows up as a member of the directory, but has an email address/domain that doesn't match the application tenant. (I think it was a bug in Azure that let me authenticate with that account, as it took a lot of cajoling to authenticate the first time with it, and I can no longer authenticate with it.)

If you need to use the oid, it's just a matter of creating an AzureADOAuth2 with a modified get_user_id (to use oid) and get_user_details (to get the email from a different field). The main caveat is that you then can't rely on email to distinguish users.

@fthiery

fthiery commented Oct 17, 2017

Actually I'm getting a similar call trace when trying to log in twice from Azure AD:

Traceback:
File "/usr/lib/python3/dist-packages/django/core/handlers/exception.py" in inner
  41.             response = get_response(request)
File "/usr/lib/python3/dist-packages/django/core/handlers/base.py" in _get_response
  187.                 response = self.process_exception_by_middleware(e, request)
File "/usr/lib/python3/dist-packages/django/core/handlers/base.py" in _get_response
  185.                 response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/usr/lib/python3/dist-packages/django/views/decorators/cache.py" in _wrapped_view_func
  57.         response = view_func(request, *args, **kwargs)
File "/usr/lib/python3/dist-packages/django/views/decorators/csrf.py" in wrapped_view
  58.         return view_func(*args, **kwargs)
File "/usr/lib/python3/dist-packages/social_django/utils.py" in wrapper
  50.             return func(request, backend, *args, **kwargs)
File "/usr/lib/python3/dist-packages/social_django/views.py" in complete
  32.                        redirect_name=REDIRECT_FIELD_NAME, *args, **kwargs)
File "/usr/lib/python3/dist-packages/social_core/actions.py" in do_complete
  69.                                          social_user.provider)
Exception Type: AttributeError at /complete/azuread-oauth2/
Exception Value: 'NoneType' object has no attribute 'provider'
Request Method: GET

The user gets properly created in the backend the first time, but as soon as I try to log in again, I get this. Is that related, or should I file a new bug?

@kowenhouston
Contributor

Hey guys, I'm getting the same error as @fthiery. Log in first time and user is able to log in. Log out using logout button (no disconnect), log back in and comes up with this:

Internal Server Error: /complete/azuread-tenant-oauth2/
Traceback (most recent call last):
  File "/Users/kowen/venvs/azuread/lib/python3.7/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/Users/kowen/venvs/azuread/lib/python3.7/site-packages/django/core/handlers/base.py", line 126, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/Users/kowen/venvs/azuread/lib/python3.7/site-packages/django/core/handlers/base.py", line 124, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/Users/kowen/venvs/azuread/lib/python3.7/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/Users/kowen/venvs/azuread/lib/python3.7/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/Users/kowen/venvs/azuread/lib/python3.7/site-packages/social_django/utils.py", line 49, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/Users/kowen/venvs/azuread/lib/python3.7/site-packages/social_django/views.py", line 33, in complete
    *args, **kwargs)
  File "/Users/kowen/venvs/azuread/lib/python3.7/site-packages/social_core/actions.py", line 71, in do_complete
    social_user.provider)
AttributeError: 'NoneType' object has no attribute 'provider'

I noticed it created two users, 1. was created on the first login attempt and 2. was created on the second.

  1. kowen.houston@emailaddress.comHouston
  2. kowen.houston@emailaddress.comHoustond41e8ad101ca4f5c

I also noticed that on the "user social auths" table there was a record for the first user but not the second.

Does anyone have any answers?

@kowenhouston
Contributor

Found the issue in azuread_tenant.py and submitted pull request #298.
The issue is that azuread_tenant was looking for an "oid" in the Azure AD response, but it wasn't provided. I overrode the function and made it get the userPrincipalName (or "subject"), which now works 100%.
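A worked version of the fix twschiller describes above (an AzureADOAuth2 subclass with get_user_id on oid and get_user_details on another claim) together with the claim fallback kowenhouston added in #298, as an added example that is not code from social-core or from either commenter. It assumes, as in social-core's AzureADOAuth2, that `response` already carries the decoded id_token claims; the helper names, the claim order and the stand-in base class used when social-core is not installed are my own choices, and the id lookup raises instead of returning None so a missing claim fails at login rather than creating a User Social Auth row with uid None.

```python
try:
    from social_core.backends.azuread import AzureADOAuth2
except ImportError:
    class AzureADOAuth2:  # stand-in so this file imports without social-core
        pass

# Claims tried in order for the stable id: "oid" (directory object id) is
# present for members and guests, "upn" only for members of the tenant.
USER_ID_CLAIMS = ("oid", "upn", "sub")
EMAIL_CLAIMS = ("upn", "email", "unique_name", "preferred_username")

def pick_claim(claims, names):
    """Return the first non-empty claim among `names`, else None."""
    for name in names:
        value = claims.get(name)
        if value:
            return value
    return None

def azure_user_id(claims):
    """Stable uid for the (provider, uid) lookup; never None."""
    uid = pick_claim(claims, USER_ID_CLAIMS)
    if uid is None:
        # Returning None here is what produced the symptoms in this issue:
        # a fresh User per login and a second row violating (provider, uid).
        raise ValueError("id_token has none of: " + ", ".join(USER_ID_CLAIMS))
    return uid

def azure_user_details(claims):
    """Same dict shape social-core expects from get_user_details()."""
    email = pick_claim(claims, EMAIL_CLAIMS) or ""
    first = claims.get("given_name", "")
    last = claims.get("family_name", "")
    return {
        "username": email,
        "email": email,
        "fullname": claims.get("name") or ("%s %s" % (first, last)).strip(),
        "first_name": first,
        "last_name": last,
    }

class OidAzureADOAuth2(AzureADOAuth2):
    """Hypothetical drop-in backend; list it in AUTHENTICATION_BACKENDS."""
    name = "azuread-oauth2"  # keep the provider name used in the URLs above

    def get_user_id(self, details, response):
        return azure_user_id(response)

    def get_user_details(self, response):
        return azure_user_details(response)
```

Once this backend replaces the stock one, rows with uid None from earlier logins still need to be cleaned up by hand, since they can no longer be matched to any claim.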

@omab
Contributor

omab commented Jan 14, 2019

#298 merged, thanks!

@tiago-peres

I still get this error

[screenshot, 2023-02-08 17:44:06]

which then if I try to sign up with another user leads to

IntegrityError at /social-auth/complete/azuread-oauth2/
duplicate key value violates unique constraint "social_auth_usersocialauth_provider_uid_e6b5e668_uniq"
DETAIL: Key (provider, uid)=(azuread-oauth2, None) already exists.

[screenshot, 2023-02-08 17:44:34]
