diff --git a/controlpanel/frontend/views/auth.py b/controlpanel/frontend/views/auth.py
index c761e60c7..8313728fb 100644
--- a/controlpanel/frontend/views/auth.py
+++ b/controlpanel/frontend/views/auth.py
@@ -2,6 +2,7 @@
 # Third-party
 import sentry_sdk
+import structlog
 from authlib.integrations.django_client import OAuthError
 from django.conf import settings
 from django.contrib import messages
@@ -12,6 +13,8 @@
 # First-party/Local
 from controlpanel.oidc import OIDCLoginRequiredMixin, oauth
+log = structlog.getLogger(__name__)
 class EntraIdAuthView(OIDCLoginRequiredMixin, View):
     """
@@ -28,6 +31,7 @@ def _get_access_token(self):
             token = oauth.azure.authorize_access_token(self.request)
         except OAuthError as error:
             sentry_sdk.capture_exception(error)
+            log.error(error.description)
             token = None
         return token
diff --git a/controlpanel/settings/common.py b/controlpanel/settings/common.py
index de1bddc9a..fb2f45087 100644
--- a/controlpanel/settings/common.py
+++ b/controlpanel/settings/common.py
@@ -220,13 +220,14 @@
 AUTHLIB_OAUTH_CLIENTS = {
     "azure": {
         "client_id": os.environ.get("AZURE_CLIENT_ID"),
-        # TODO client_secret is not strictly required but would be better to use
+        "client_secret": os.environ.get("AZURE_CLIENT_SECRET"),
         "server_metadata_url": AZURE_OP_CONF_URL,
         "client_kwargs": {
             "scope": AZURE_RP_SCOPES,
             "response_type": "code",
-            "token_endpoint_auth_method": "none",
+            "token_endpoint_auth_method": "client_secret_post",
             "code_challenge_method": AZURE_CODE_CHALLENGE_METHOD,
+            "prompt": "login"
         },
     }
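Review bot: In the `_get_access_token` hunk, `log.error(error.description)` uses the provider-supplied description as the structlog event itself, so the event name changes with every distinct failure and can be `None` when the IdP sends no description, while the machine-readable error code is not logged at all. A fixed event name with the error fields bound as key/value pairs is what alerting and dashboards can key on: `log.error("azure_token_exchange_failed", error=getattr(error, "error", None), description=error.description)`. The `try:` line and the `_get_access_token` signature lie outside the hunk, so the only change needed is to this one added line.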