"""
A JupyterHub authenticator class for use with Azure AD as an identity provider.
"""
import os
import jwt
from jupyterhub.auth import LocalAuthenticator
from traitlets import Unicode, default
from .oauth2 import OAuthenticator
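class AzureAdOAuthenticator(OAuthenticator):
    """
    Authenticate JupyterHub users against an Azure AD tenant.

    The ``tenant_id`` trait (or the ``AAD_TENANT_ID`` environment variable)
    selects the tenant whose ``/oauth2/authorize`` and ``/oauth2/token``
    endpoints are used by default.  The user's identity is taken from the
    ``id_token`` in the token-endpoint response rather than from a separate
    userdata request.
    """

    user_auth_state_key = "user"

    @default("login_service")
    def _login_service_default(self):
        # Display name for the login button; overridable via LOGIN_SERVICE.
        return os.environ.get("LOGIN_SERVICE", "Azure AD")

    @default("username_claim")
    def _username_claim_default(self):
        # The decoded id_token's "name" claim becomes the JupyterHub username.
        return "name"

    user_groups_claim = Unicode(
        "groups",
        config=True,
        help="""
        Name of claim containing user group memberships.

        Will populate JupyterHub groups if Authenticator.manage_groups is True.
        """,
    )

    tenant_id = Unicode(
        config=True,
        help="""
        An Azure tenant ID for which an OAuth application is registered via
        `client_id` and `client_secret`.

        This is used to set the default values of `authorize_url` and
        `token_url`.
        """,
    )

    @default('tenant_id')
    def _tenant_id_default(self):
        # Empty string (not None) so the URL defaults below still format.
        return os.environ.get('AAD_TENANT_ID', '')

    @default("authorize_url")
    def _authorize_url_default(self):
        return f"https://login.microsoftonline.com/{self.tenant_id}/oauth2/authorize"

    @default("token_url")
    def _token_url_default(self):
        return f"https://login.microsoftonline.com/{self.tenant_id}/oauth2/token"

    async def update_auth_model(self, auth_model, **kwargs):
        """
        Extend the base auth model with the user's Azure AD group list.

        Only acts when ``manage_groups`` is enabled; the groups are read from
        the ``user_groups_claim`` claim of the stored user info.

        Args:
            auth_model: The auth model produced by the base class.
            **kwargs: Passed through to the base implementation.

        Returns:
            The (possibly group-annotated) auth model.

        Raises:
            KeyError: If ``manage_groups`` is on and the groups claim is absent
                from the user info.
        """
        auth_model = await super().update_auth_model(auth_model, **kwargs)
        if getattr(self, "manage_groups", False):
            user_info = auth_model["auth_state"][self.user_auth_state_key]
            # A missing groups claim raises KeyError and fails the login rather
            # than silently treating the user as a member of no groups.
            auth_model["groups"] = user_info[self.user_groups_claim]
        return auth_model

    async def token_to_user(self, token_info):
        """
        Decode the ``id_token`` from the token response into a claims dict.

        Args:
            token_info: The token-endpoint response; must contain ``id_token``.

        Returns:
            The decoded id_token claims (dict).

        Raises:
            KeyError: If ``token_info`` has no ``id_token``.
            jwt.InvalidAudienceError: If the token's ``aud`` is not
                ``client_id``.
        """
        id_token = token_info['id_token']
        # The id_token is expected to come straight from the tenant's token
        # endpoint over TLS, so its signature is not re-verified here.  With
        # PyJWT 2.x, ``verify_signature: False`` also disables every claim
        # check by default, which would turn the ``audience`` argument into a
        # no-op; ``verify_aud`` is enabled explicitly so a token issued for a
        # different client is still rejected.
        decoded = jwt.decode(
            id_token,
            options={"verify_signature": False, "verify_aud": True},
            audience=self.client_id,
        )
        return decoded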
class LocalAzureAdOAuthenticator(LocalAuthenticator, AzureAdOAuthenticator):
    """
    A version that mixes in local system user creation.

    ``LocalAuthenticator`` is listed first so its local-user handling takes
    precedence over the plain OAuth behaviour of ``AzureAdOAuthenticator``.
    """