From 2f3556bb34a81fd6e98787019d960a947b6b4da0 Mon Sep 17 00:00:00 2001
From: James Robinson
Date: Fri, 26 Jul 2024 13:02:21 +0100
Subject: [PATCH 1/3] :loud_sound: Better authentication failure message
---
 apricot/oauth/oauth_client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apricot/oauth/oauth_client.py b/apricot/oauth/oauth_client.py
index 49797b3..71abb66 100644
--- a/apricot/oauth/oauth_client.py
+++ b/apricot/oauth/oauth_client.py
@@ -180,7 +180,7 @@ def verify(self: Self, username: str, password: str) -> bool:
 client_secret=self.client_secret,
 )
 except InvalidGrantError as exc:
- log.msg(f"Authentication failed.\n{exc}")
+ log.msg(f"Authentication failed for user '{username}'.\n{exc}")
 return False
 else:
 return True
From 36ed9587749ceebe1edd63b02e681ce7524f3b9d Mon Sep 17 00:00:00 2001
From: James Robinson
Date: Fri, 26 Jul 2024 13:52:39 +0100
Subject: [PATCH 2/3] :recycle: Separate application scopes from delegated scopes
---
 apricot/oauth/keycloak_client.py | 3 ++-
 apricot/oauth/microsoft_entra_client.py | 3 ++-
 apricot/oauth/oauth_client.py | 7 ++++---
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/apricot/oauth/keycloak_client.py b/apricot/oauth/keycloak_client.py
index d55fad4..3555610 100644
--- a/apricot/oauth/keycloak_client.py
+++ b/apricot/oauth/keycloak_client.py
@@ -33,7 +33,8 @@ def __init__(
 super().__init__(
 redirect_uri=redirect_uri,
- scopes=scopes,
+ scopes_application=scopes,
+ scopes_delegated=scopes,
 token_url=token_url,
 **kwargs,
 )
diff --git a/apricot/oauth/microsoft_entra_client.py b/apricot/oauth/microsoft_entra_client.py
index 681abb0..46fe9b2 100644
--- a/apricot/oauth/microsoft_entra_client.py
+++ b/apricot/oauth/microsoft_entra_client.py
@@ -30,7 +30,8 @@ def __init__(
 self.tenant_id = entra_tenant_id
 super().__init__(
 redirect_uri=redirect_uri,
- scopes=scopes,
+ scopes_application=scopes,
+ scopes_delegated=scopes,
 token_url=token_url,
 **kwargs,
 )
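Review bot: The username is interpolated into the log line unescaped on the added `log.msg` line, so a bind name containing a newline or other control character would be written verbatim and could split or spoof log records; formatting it with `!r` keeps the message readable and escapes such characters: `log.msg(f"Authentication failed for user {username!r}.\n{exc}")`. The same consideration applies to `{exc}` if the provider's error description is echoed back, though that text comes from the identity provider rather than from the LDAP client. verify's def line and the start of its body are outside the hunk.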
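Review bot: Both new keyword arguments receive the same `scopes` object on the added lines of the keycloak_client.py hunk, so the two OAuth2 clients built in the base class share one list and the split between application and delegated scopes exists in name only for Keycloak; the microsoft_entra_client.py hunk in this patch does the same. If that is intended, a one-line comment such as `# Keycloak uses the same scopes for the client-credentials and password flows` would mark it as deliberate rather than a leftover; otherwise pass a minimal delegated list, as the later Entra patch on this page does. The `scopes` list itself is assigned above the hunk, so its contents are not visible here.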
diff --git a/apricot/oauth/oauth_client.py b/apricot/oauth/oauth_client.py
index 71abb66..34eddba 100644
--- a/apricot/oauth/oauth_client.py
+++ b/apricot/oauth/oauth_client.py
@@ -29,7 +29,8 @@ def __init__(
 client_secret: str,
 debug: bool, # noqa: FBT001
 redirect_uri: str,
- scopes: list[str],
+ scopes_application: list[str],
+ scopes_delegated: list[str],
 token_url: str,
 uid_cache: UidCache,
 ) -> None:
@@ -61,7 +62,7 @@ def __init__(
 self.session_application = OAuth2Session(
 client=BackendApplicationClient(
 client_id=client_id,
- scope=scopes,
+ scope=scopes_application,
 redirect_uri=redirect_uri,
 ),
 )
@@ -76,7 +77,7 @@ def __init__(
 self.session_interactive = OAuth2Session(
 client=LegacyApplicationClient(
 client_id=client_id,
- scope=scopes,
+ scope=scopes_delegated,
 redirect_uri=redirect_uri,
 ),
 )
From 4a0310a51ff6616d1f4612d313a18a148c729694 Mon Sep 17 00:00:00 2001
From: James Robinson
Date: Fri, 26 Jul 2024 14:58:49 +0100
Subject: [PATCH 3/3] :recycle: Minimise requested delegated scope
---
 apricot/oauth/microsoft_entra_client.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/apricot/oauth/microsoft_entra_client.py b/apricot/oauth/microsoft_entra_client.py
index 46fe9b2..0970347 100644
--- a/apricot/oauth/microsoft_entra_client.py
+++ b/apricot/oauth/microsoft_entra_client.py
@@ -23,15 +23,14 @@ def __init__(
 @param entra_tenant_id: Tenant ID for the Entra ID
 """
 redirect_uri = "urn:ietf:wg:oauth:2.0:oob" # this is the "no redirect" URL
- scopes = ["https://graph.microsoft.com/.default"] # this is the default scope
 token_url = (
 f"https://login.microsoftonline.com/{entra_tenant_id}/oauth2/v2.0/token"
 )
- self.tenant_id = entra_tenant_id
+ # Use default application scope and minimal delegated scopes
 super().__init__(
 redirect_uri=redirect_uri,
- scopes_application=scopes,
- scopes_delegated=scopes,
+ scopes_application=["https://graph.microsoft.com/.default"],
+ scopes_delegated=["openid"],
 token_url=token_url,
 **kwargs,
 )
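Review bot: The two new parameters `scopes_application` and `scopes_delegated` replace `scopes` in the `__init__` signature of oauth_client.py, but nothing in the hunk says which flow each feeds; the next two hunks in this file show the first going to the `BackendApplicationClient` session and the second to the `LegacyApplicationClient` (password-grant) session. The `__init__` docstring lies between the first and second hunk and is not visible here; if it carries `@param` entries like the Entra client's, it should gain `@param scopes_application: scopes requested by the client-credentials (application) session` and `@param scopes_delegated: scopes requested on the user's behalf by the password-grant session`. The signature change is not backward-compatible, so any subclass or caller still passing `scopes=` will fail with a TypeError; the two subclasses on this page are updated, others cannot be checked from here.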
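Review bot: The `self.tenant_id = entra_tenant_id` assignment is removed from microsoft_entra_client.py without a replacement, so any method or caller that still reads `tenant_id` on the Entra client will now raise an AttributeError; the rest of the class is outside the hunk, so whether it is unused cannot be confirmed here and is worth a grep before merging. Narrowing the delegated scope to `openid` is the right least-privilege direction, since from the verify hunk earlier on this page the password-grant session appears to be used only to confirm that the credentials are valid; the added comment would carry more weight if it said so, e.g. `# The delegated (password-grant) session only verifies credentials, so request the minimal 'openid' scope; the application session keeps the Graph default scope`. The enclosing `__init__` begins above the hunk.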