
Changed Azure AD Login Flow

Open shabirjan opened this issue 1 year ago • 4 comments

Added Hybrid Flow for Authorization grant to retrieve the user id_token. Changed the redirect from GET to POST, as the Hybrid Flow needs form_post instead of query and returns the response as a form body.

shabirjan avatar Mar 12 '24 12:03 shabirjan

hello @shabirjan, I think there was a misunderstanding, in your code in backend/chainlit/server.py, you are changing the behavior for folks who are doing GET /auth/oauth/{provider_id}/callback, and this isn't something we can do.

Could you separate the code from GET /auth/oauth/{provider_id}/callback and POST /auth/oauth/azure-ad/callback to make sure we don't break other oauth providers?

tpatel avatar Apr 02 '24 08:04 tpatel
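The flow the PR description sketches, and the separate POST route requested above, as an added example that is not code from this PR or from Chainlit: the authorize request asks for `code id_token` with `response_mode=form_post`, so Azure AD delivers the result as a POST form body to the redirect URI rather than as a query string, and a dedicated handler validates `state`, the id_token signature and the `iss`/`aud`/`exp`/`nonce` claims before reading the app roles. The tenant, client id, redirect URI, shared key and sample token are constructed assumptions; HS256 over a shared key stands in for Azure AD's RS256 with keys from the tenant's JWKS document, and the `roles` claim is read from the id_token because it lists only the app roles assigned to the user for this app registration.

```python
# Added example, not code from this PR or from Chainlit: an Azure AD hybrid-flow
# login where the callback arrives as a POST form body. Tenant, client id,
# redirect URI, shared key and the sample token are constructed assumptions.
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional
from urllib.parse import parse_qs, urlencode


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        state: str, nonce: str) -> str:
    """Hybrid flow: response_type asks for a code *and* an id_token, and
    response_mode=form_post makes Azure AD deliver them in a POST body to
    redirect_uri instead of the query string, so a GET-only callback never sees them."""
    params = {
        "client_id": client_id,
        "response_type": "code id_token",
        "response_mode": "form_post",
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,   # CSRF binding, checked on the callback
        "nonce": nonce,   # replay binding, must come back inside the id_token
    }
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_id_token(token: str, key: bytes, issuer: str, audience: str,
                    nonce: str, now: Optional[float] = None) -> Dict[str, Any]:
    """Check the signature and the claims binding the token to this app and this
    login attempt. HS256 with a shared key stands in for Azure AD's RS256/JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("id_token issued for a different app registration")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token not minted for this login attempt")
    return claims


def handle_form_post_callback(body: str, expected_state: str, expected_nonce: str,
                              key: bytes, issuer: str, audience: str) -> Dict[str, Any]:
    """What a dedicated POST /auth/oauth/azure-ad/callback does with the form body.
    The `roles` claim holds the app roles assigned to this user for this app only."""
    form = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if "error" in form:
        raise ValueError(f"authorization failed: {form['error']}")
    if not hmac.compare_digest(form.get("state", ""), expected_state):
        raise ValueError("state mismatch: possible CSRF or stale login")
    claims = verify_id_token(form["id_token"], key, issuer, audience, expected_nonce)
    return {
        "code": form["code"],   # still exchanged server-side for an access token
        "oid": claims.get("oid"),
        "preferred_username": claims.get("preferred_username"),
        "roles": claims.get("roles", []),
    }


def sign_sample_id_token(claims: Dict[str, Any], key: bytes) -> str:
    """Constructed fixture only: mints an HS256 token so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def demo(returned_state: Optional[str] = None) -> Dict[str, Any]:
    """Round trip with constructed values; pass a wrong returned_state to see the
    callback reject a response that is not bound to this login attempt."""
    tenant, client_id = "contoso.onmicrosoft.com", "11111111-2222-3333-4444-555555555555"
    key = b"shared-test-key-not-a-real-secret"
    state, nonce = "st-abc123", "nonce-xyz789"
    issuer = f"https://login.microsoftonline.com/{tenant}/v2.0"
    build_authorize_url(tenant, client_id, "https://app.example/auth/oauth/azure-ad/callback", state, nonce)
    token = sign_sample_id_token({"iss": issuer, "aud": client_id, "exp": time.time() + 600,
                                  "nonce": nonce, "oid": "user-oid", "roles": ["Admin"]}, key)
    body = urlencode({"code": "AUTHCODE", "id_token": token, "state": returned_state or state})
    return handle_form_post_callback(body, state, nonce, key, issuer, client_id)
```

Keeping this handler on its own POST route is what leaves the existing `GET /auth/oauth/{provider_id}/callback` untouched for the other providers. Two caveats for a real deployment: the app registration must have ID token issuance enabled for the hybrid flow to return an `id_token` at all, and the signature check must use the tenant's published RS256 keys, not the shared-key stand-in used here.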


Hi @tpatel , Can you please explain a bit, what exactly you need me to do? What code should I separate?

shabirjan avatar Apr 02 '24 08:04 shabirjan

hi @shabirjan, I've been working on this PR so that we can merge your changes. However I tried to look for the reason behind the PR and I could gather that you're interested by getting the user role?

Would this following snippet (without the code changes from this PR) work for your needs?

from typing import Dict, Optional

import chainlit as cl
import httpx


@cl.oauth_callback
def oauth_callback(
    provider_id: str,
    token: str,
    raw_user_data: Dict[str, str],
    default_user: cl.User,
) -> Optional[cl.User]:
    # Call Microsoft Graph with the access token Chainlit obtained for this user
    res = httpx.get(
        "https://graph.microsoft.com/v1.0/me/appRoleAssignments",
        headers={"Authorization": f"Bearer {token}"},
    )
    print(res.json())  # This contains the user "App Roles Assignments"

    return default_user

tpatel avatar Apr 29 '24 15:04 tpatel

hi @tpatel , We already discussed almost 2-3 months ago on the call that we can't use that endpoint, as it returns user roles for all the AAD applications in the tenant for that specific user, which we are not looking for. Our use case for that implementation was to check the role assigned to the currently logged-in user on behalf of the specific AAD App Registration.

shabirjan avatar May 01 '24 10:05 shabirjan

closing in favor of https://github.com/Chainlit/chainlit/pull/1046 (I've implemented the Azure hybrid flow as needed in a separate OAuth provider and route so that it doesn't break the integration for other users).

tpatel avatar May 31 '24 09:05 tpatel