Update justice auth flow to use client_secret and prompt login (#1282)
Use the client_secret created in Azure app registration, for better
security. This is set as an env var, and will be read from a
Kubernetes secret, which will be added manually elsewhere.
Also update azure client settings to always prompt the user to
complete the login process with their justice identity. This will
avoid confusion if a user is already logged in to their Justice
identity.
michaeljcollinsuk authored Apr 5, 2024
1 parent 12bea09 commit b45def2
Showing 2 changed files with 7 additions and 2 deletions.
4 changes: 4 additions & 0 deletions controlpanel/frontend/views/auth.py
Expand Up @@ -2,6 +2,7 @@

# Third-party
import sentry_sdk
import structlog
from authlib.integrations.django_client import OAuthError
from django.conf import settings
from django.contrib import messages
Expand All @@ -12,6 +13,8 @@
# First-party/Local
from controlpanel.oidc import OIDCLoginRequiredMixin, oauth

log = structlog.getLogger(__name__)


class EntraIdAuthView(OIDCLoginRequiredMixin, View):
"""
Expand All @@ -28,6 +31,7 @@ def _get_access_token(self):
token = oauth.azure.authorize_access_token(self.request)
except OAuthError as error:
sentry_sdk.capture_exception(error)
log.error(error.description)
token = None
return token

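Review bot: `log.error(error.description)` in the except branch of `_get_access_token` uses Azure's free-text description as the structlog event name, which makes the event hard to filter on and drops the machine-readable `error` code that OAuthError carries next to `description`; prefer a fixed event with fields, `log.error("azure_authorize_access_token_failed", error=error.error, description=error.description)`. A fixed event name also lets a detection rule count repeated token-exchange failures (for example a state mismatch during callback) without string-matching on provider wording. The `try` line and the method signature sit before the hunk, so the surrounding flow is only partly visible here.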
5 changes: 3 additions & 2 deletions controlpanel/settings/common.py
Expand Up @@ -220,13 +220,14 @@
AUTHLIB_OAUTH_CLIENTS = {
"azure": {
"client_id": os.environ.get("AZURE_CLIENT_ID"),
# TODO client_secret is not strictly required but would be better to use
"client_secret": os.environ.get("AZURE_CLIENT_SECRET"),
"server_metadata_url": AZURE_OP_CONF_URL,
"client_kwargs": {
"scope": AZURE_RP_SCOPES,
"response_type": "code",
"token_endpoint_auth_method": "none",
"token_endpoint_auth_method": "client_secret_post",
"code_challenge_method": AZURE_CODE_CHALLENGE_METHOD,
"prompt": "login"
},

}
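Review bot: `"client_secret": os.environ.get("AZURE_CLIENT_SECRET")` evaluates to None when the variable is absent, and because `token_endpoint_auth_method` is now `client_secret_post` the failure then surfaces only at the token exchange as an OAuthError rather than at startup. Given the description says the secret is provisioned manually as a Kubernetes secret, a fail-fast read, `"client_secret": os.environ["AZURE_CLIENT_SECRET"],`, would make a missing or misnamed secret obvious at deploy time; if local or test settings depend on it being optional, a startup check that logs a warning when it is unset is the alternative. Keeping `code_challenge_method` alongside the secret is fine, since PKCE and client authentication protect different steps. A trailing comma after `"prompt": "login"` would match the other entries in `client_kwargs`.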