Add support for SAML

Ondřej Kulatý · Ondřej Kulatý · commit e4fd4e40cf3a · 2025-01-06T16:37:40.000+01:00
diff --git a/auth_token/config.py b/auth_token/config.py
@@ -62,8 +62,10 @@
     'EXPIRATION_DELTA': 0,  # Authorization token expiration will be extended, only if original expiration is at
                             # least "X" seconds older, than new one (default: 0 seconds, i.e. always extend)
     'TAKEOVER_ENABLED': True,  # Turns on/off takeover functionality
-    'MS_SSO_APP_ID': None,  # Set AppID for MS SSO authentication
-    'MS_SSO_TENANT_ID': None,  # Set TentnatID for MS SSO authentication
+    'MS_SSO_PROTOCOL': None, # Protocol of SSO (possible values are "oauth" or "saml")
+    'MS_SSO_APP_ID': None,  # Set AppID for MS SSO authentication (OAuth only)
+    'MS_SSO_TENANT_ID': None,  # Set TentnatID for MS SSO authentication (OAuth only)
+    'MS_SSO_METADATA_URL': None, # Set Metadata URL for MS SSO authentication (SAML only)
 }
 
 
diff --git a/auth_token/contrib/ms_sso/backends.py b/auth_token/contrib/ms_sso/backends.py
@@ -6,29 +6,64 @@
 
 UserModel = get_user_model()
 
-
-class MsSsoBackend(ModelBackend):
+class BaseMsSsoBackend(ModelBackend):
     """
     Authenticates device with MS SSO
     """
 
-    def _get_user_from_ms_user_data(self, ms_user_data):
-        username = ms_user_data['userPrincipalName']
+    def _get_natural_key(self):
+        raise NotImplementedError
+
+    def _get_user_from_natural_key(self, natural_key):
         try:
-            return UserModel._default_manager.get_by_natural_key(username)
+            return UserModel._default_manager.det_by_natural_key(self._get_natural_key())
         except UserModel.DoesNotExist:
             return None
 
-    def authenticate(self, request, mso_token=None, **kwargs):
+    def authenticate(self, request, **kwargs):
         if not mso_token:
             return None
 
-        ms_user_data = get_user_data(mso_token)
-        if not ms_user_data:
+        self.ms_user_data = get_user_data(mso_token)
+        if not self.ms_user_data:
             return None
 
-        user = self._get_user_from_ms_user_data(ms_user_data)
+        user = self._get_user_from_natural_key()
         if user and self.user_can_authenticate(user):
             return user
         else:
             return None
+
+class MsSsoOauthBackend(ModelBackend):
+    """
+    Authenticates device with MS SSO
+    """
+
+    def _get_natural_key(self):
+        username = self.ms_user_data['userPrincipalName']
+        try:
+            return UserModel._default_manager.get_by_natural_key(username)
+        except UserModel.DoesNotExist:
+            return None
+
+    def authenticate(self, request, mso_token=None, **kwargs):
+        if not mso_token:
+            return None
+
+        self.ms_user_data = get_user_data(mso_token)
+        if not self.ms_user_data:
+            return None
+
+        return super().authenticate(request)
+
+
+class MsSsoSamlBackend(ModelBackend):
+    """
+    Authenticates device with MS SSO
+    """
+
+    def _get_natural_key(self):
+        return "ABC"
+
+    def authenticate(self, request, mso_token=None, **kwargs):
+        self.request = request
diff --git a/auth_token/contrib/ms_sso/urls.py b/auth_token/contrib/ms_sso/urls.py
@@ -1,17 +1,37 @@
 from django.urls import path
 
-from .views import MsCallback, MsLogin
+from .views import MsOauthLogin, MsSamlLogin, MsSamlCallback, MsOauthCallback
+from auth_token.config import settings
+
+
+def _get_view(key):
+    VIEWS = {
+        "oauth": {
+            "login": MsOauthLogin,
+            "callback": MsOauthCallback,
+        },
+        "saml": {
+            "login": MsSamlLogin,
+            "callback": MsSamlCallback,
+        }
+    }
+    protocol = settings.MS_SSO_PROTOCOL
+    if settings.MS_SSO_PROTOCOL not in VIEWS.keys():
+        raise ValueError("MS SSO Protocol \"{protocol}\" is not supported.")
+
+    return VIEWS[protocol][key]
+
 
 
 urlpatterns = [
     path(
         'login/mso',
-        MsLogin.as_view(),
+        _get_view("login").as_view(),
         name='ms-sso-login',
     ),
     path(
         'login/mso/callback',
-        MsCallback.as_view(),
+        _get_view("callback").as_view(),
         name='ms-sso-redirect',
     ),
 ]
diff --git a/auth_token/contrib/ms_sso/views.py b/auth_token/contrib/ms_sso/views.py
@@ -11,7 +11,7 @@
 from .helpers import get_sign_in_flow, acquire_token_by_auth_code_flow
 
 
-class MsLogin(RedirectView):
+class MsOauthLogin(RedirectView):
 
     def get_redirect_url(self, *args, **kwargs):
         sign_flow = get_sign_in_flow()
@@ -23,26 +23,19 @@ def get_redirect_url(self, *args, **kwargs):
         return sign_flow['auth_uri']
 
 
-class MsCallback(RedirectView):
+class MsSamlLogin(RedirectView):
 
-    allowed_cookie = True
-    allowed_header = False
+    def get_redirect_url(self, *args, **kwargs):
+        return "http://placeholder"
 
-    def get(self, *args, **kwargs):
-        if not hasattr(self.request, 'session'):
-            raise ImproperlyConfigured('Django SessionMiddleware must be enabled to use MS SSO')
 
-        sign_flow = self.request.session.get('auth_token_ms_sso_auth_flow')
-        if not sign_flow:
-            messages.error(self.request, gettext('Microsoft SSO login was unsuccessful, please try it again'))
-            return redirect_to_login('')
+class BaseMsCallback(RedirectView):
 
-        result = acquire_token_by_auth_code_flow(sign_flow, self.request.GET)
-        if 'access_token' not in result:
-            messages.error(self.request, gettext('Microsoft SSO login was unsuccessful, please try it again'))
-            return redirect_to_login(sign_flow['next'])
+    allowed_cookie = True
+    allowed_header = False
 
-        user = authenticate(mso_token=result['access_token'])
+    def _do_login(self, **kwargs):
+        user = authenticate(**kwargs)
         if not user:
             messages.error(
                 self.request, gettext('Microsoft SSO login was unsuccessful, please use another login method')
@@ -57,3 +50,28 @@ def get(self, *args, **kwargs):
                 two_factor_login=False
             )
             return HttpResponseRedirect(sign_flow['next'])
+
+
+class MsOauthCallback(BaseMsCallback):
+
+    def get(self, *args, **kwargs):
+        if not hasattr(self.request, 'session'):
+            raise ImproperlyConfigured('Django SessionMiddleware must be enabled to use MS SSO')
+
+        sign_flow = self.request.session.get('auth_token_ms_sso_auth_flow')
+        if not sign_flow:
+            messages.error(self.request, gettext('Microsoft SSO login was unsuccessful, please try it again'))
+            return redirect_to_login('')
+
+        result = acquire_token_by_auth_code_flow(sign_flow, self.request.GET)
+        if 'access_token' not in result:
+            messages.error(self.request, gettext('Microsoft SSO login was unsuccessful, please try it again'))
+            return redirect_to_login(sign_flow['next'])
+
+        return _do_login(mso_token=result['access_token'])
+
+
+class MsSamlCallback(BaseMsCallback):
+
+    def post(self, *args, **kwargs):
+        return self._do_login(saml_callback_request=self.request)
