Integration with Django Rest Framework #21

Closed
alafanechere opened this issue Oct 17, 2017 · 8 comments

Comments

@alafanechere

Hi,
I am glad I found your project because I am kinda struggling to set up an authentication flow with one of my client's ADFS.
I developed a web app with Vue JS & Django Rest Framework.
I wondered if you would have some insights to share about making Django Rest Framework & Django Auth ADFS work together.

Thanks!

@alafanechere
Author

alafanechere commented Oct 17, 2017

So I implemented a Custom Authentication in Django Rest Framework backend this way:

from rest_framework import authentication
from django_auth_adfs.backend import AdfsBackend


class AdfsAuthentication(authentication.BaseAuthentication):
    # Reuse the django-auth-adfs backend to turn an authorization code into a user
    backend = AdfsBackend()

    def authenticate(self, request):
        # Expects the authorization code as a query parameter of the API request
        user = self.backend.authenticate(authorization_code=request.GET.get('authorization_code', None))
        if user is not None:
            # DRF expects a (user, auth) tuple on success
            return user, None
        else:
            # None tells DRF to try the next authentication class
            return None

What I did next:

  • Followed your documentation for setting up the relying party and client id in the IdP
  • Added the LoginRequiredMiddleware

I still encounter one problem:
When I try to access a protected view I am not redirected to the ADFS login page and I straight away get an access denied error (MSIS9605) with the login failed message. This is the URL of this error: http://localhost:8000/oauth2/login?error=access_denied&error_description=MSIS9605%3a+The+client+is+not+allowed+to+access+the+requested+resource.&client-request-id=3b1b2d03-d8f2-47d5-fa00-0080000000d2

Do you have any idea where this is coming from?

@jobec
Collaborator

jobec commented Oct 20, 2017

Authentication for Django Rest Framework (DRF) is not supported at the moment but it's on my todo list.

Authentication also works a bit differently in DRF and you indeed need a custom authentication class. But you cannot just call AdfsBackend.authenticate() from that class because that function expects an authorization code to fetch the access token. If that fetched access token is valid it's up to Django to further handle the authentication/authorization and, depending on your config, set a session cookie or something like it.

But for DRF you should send the actual access token with every API request and verify/authenticate it each time.

Redirecting the user to ADFS is also not the way to go for REST APIs, because the "clients" are javascript code or other machines/systems that don't know what to do with that redirect and expect some 4xx HTTP code.
From javascript you also cannot make requests against ADFS. Your browser blocks those requests due to CORS headers missing/not properly sent by ADFS.

Still it is possible and we do it ourselves, but not with the current code base of django-auth-adfs...
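The per-request bearer-token check jobec describes, as an added framework-free example that is not django-auth-adfs code and not from this thread: the token arrives in the Authorization header of every request, is verified each time, and failure maps to a 401 with WWW-Authenticate instead of a redirect. It assumes HS256 with a constructed shared key in place of the RS256 public-key verification real ADFS tokens need, and the issuer/audience values are placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholders: real ADFS tokens are RS256, verified with the IdP's public signing key.
DEMO_KEY = b"constructed-demo-key"
EXPECTED_ISSUER = "http://adfs.example.invalid/adfs/services/trust"
EXPECTED_AUDIENCE = "microsoft:identityserver:demo-api"

class AuthenticationFailed(Exception):
    """Maps to a 401 with WWW-Authenticate; REST clients expect a 4xx, not a redirect to ADFS."""
    status = 401
    headers = {"WWW-Authenticate": 'Bearer realm="api"'}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_token(token, now=None):
    """Check signature, alg, expiry, issuer and audience; return the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthenticationFailed("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":  # pin the alg, never trust the token's choice
        raise AuthenticationFailed("unexpected alg")
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise AuthenticationFailed("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise AuthenticationFailed("token expired")
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise AuthenticationFailed("wrong issuer or audience")
    return claims

def authenticate_request(headers, now=None):
    """Per-request check a DRF authentication class would do: read the bearer token from
    the Authorization header and verify it every time, with no session and no redirect."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise AuthenticationFailed("missing bearer token")
    return verify_token(token, now)

def make_demo_token(claims):
    """Constructed test-only helper that mints a token the way the IdP would sign one."""
    header_b64 = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"
```

In a real DRF authentication class the same checks run inside authenticate() against the ADFS signing certificate, and the exception's status and headers become the HTTP response.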

@alafanechere
Author

alafanechere commented Oct 20, 2017

Thanks @jobec for these details!
I successfully set up auth the Django way with django-auth-adfs and disabled authentication on DRF (AllowAny default permission class on views).
I guess that, to make authenticated ajax calls to DRF, I need to:

  • Send first my user to the ADFS login page, maybe from a classic django view with your get_adfs_auth_url() function.
  • Make my ajax calls from JS ensuring they have the session cookie.

It's not clear to me how I could manage this last step. Would you share other insights on how I could accomplish this flow?

@jobec
Collaborator

jobec commented Oct 20, 2017

If everything remains within the same domain, it should work.

You need to use the way you configured it now and have the user authenticated and a session created.
On the DRF side you should then enable the session authentication class.

@alafanechere
Author

@jobec thanks it's working properly!
It was complicated at first because on my local env I had the JS front and DRF back running on a separate port/domain. With a reverse proxy on my localhost everything is fine.

@JonasKs
Member

JonasKs commented Nov 13, 2018

Authentication for Django Rest Framework (DRF) is not supported at the moment but it's on my todo list.

@jobec , do you have any status on this? We've currently implemented ADFS on Django, but now I need to lock down the APIs in DRF too. Any suggestions on how this should be done / release date on your solution?
This is not an Azure solution.

@cyberaa

cyberaa commented Aug 28, 2019

Also interested in a follow up on this.

Is it possible to reopen? Is the project still ongoing?

@jobec
Collaborator

jobec commented Aug 28, 2019

This has been implemented already quite some time ago.

https://django-auth-adfs.readthedocs.io/en/latest/rest_framework.html
