Django Azure AD Integration

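I am currently integrating SSO using Azure AD for a Django project. I am currently using the package https://github.com/leibowitz/django-azure-ad-auth and have followed the docs to set up Azure AD authentication. On entering the application URL, it takes me to the Microsoft login page, and after entering the credentials it redirects to the application. But on redirection to the application after the Azure auth, the code checks the session for the 'nonce' and 'state' variables, which are strangely returned as None, and hence the application redirects to the failure URL.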

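import uuid

from django.contrib.auth import login
from django.http import HttpResponseRedirect
from django.urls import reverse
from django.views.decorators.cache import never_cache
from django.views.decorators.csrf import csrf_exempt

# AzureActiveDirectoryBackend and get_login_success_url are defined elsewhere
# in the project (not shown in the post).

@never_cache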
def auth(request):
    backend = AzureActiveDirectoryBackend()
    redirect_uri = request.build_absolute_uri(reverse(complete))
    nonce = str(uuid.uuid4())
    request.session['nonce'] = nonce
    state = str(uuid.uuid4())
    request.session['state'] = state
    login_url = backend.login_url(
        redirect_uri=redirect_uri,
        nonce=nonce,
        state=state
    )
    return HttpResponseRedirect(login_url)


@never_cache
@csrf_exempt
def complete(request):
    backend = AzureActiveDirectoryBackend()
    method = 'GET' if backend.RESPONSE_MODE == 'fragment' else 'POST'
    original_state = request.session.get('state')
    state = getattr(request, method).get('state')
    if original_state == state:
        token = getattr(request, method).get('id_token')
        nonce = request.session.get('nonce')
        user = backend.authenticate(token=token, nonce=nonce)
        if user is not None:
            login(request, user)
            return HttpResponseRedirect(get_login_success_url(request))
    return HttpResponseRedirect('failure')

This is the code used for authentication.

The sample settings.py is as follows:


AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend',
    'azure_ad_auth.backends.AzureActiveDirectoryBackend',
)

LOGIN_REDIRECT_URL = '/login_successful/'

AAD_TENANT_ID = 'd472b4f4-95c5-4eb3-8a9a-3615c837eada'
AAD_CLIENT_ID = '75e38b53-8174-4dc6-a8f6-bb7a913f1565'

SESSION_EXPIRE_AT_BROWSER_CLOSE = True
SESSION_SAVE_EVERY_REQUEST = True
SESSION_COOKIE_AGE = 86400 # sec
SESSION_COOKIE_DOMAIN = None
SESSION_COOKIE_NAME = 'DSESSIONID'
SESSION_COOKIE_SECURE = True

Traceback

TypeError at /project/azure/complete/
must be str, not NoneType
Request Method: POST
Request URL:    http://testdomain.com/project/azure/complete/
Django Version: 2.2.4
Exception Type: TypeError
Exception Value:    must be str, not NoneType
Exception Location: /home/project/app/project/azure_auth/views.py in complete, line 57
Python Executable:  /home/project/app/venv/bin/python3
Python Version: 3.6.8
Python Path:    
['/home/project/app/project',
 '/home/project/app/venv/bin',
 '/home/project/app/venv/lib64/python36.zip',
 '/home/project/app/venv/lib64/python3.6',
 '/home/project/app/venv/lib64/python3.6/lib-dynload',
 '/usr/lib64/python3.6',
 '/usr/lib/python3.6',
 '/home/project/app/venv/lib/python3.6/site-packages']
Server time:    Tue, 19 Nov 2019 05:21:10 +0000


/home/project/app/project/azure_auth/views.py in complete
            f.write("nonce -->"+nonce+"\n") …
Local vars
Variable        Value
backend         <azure_auth.backends.AzureActiveDirectoryBackend object at 0x7f5c688dce80>
data            ['82aff4f9-2cc0-4521-aea7-ad3281d20774\n', 'ba821364-86c9-4233-881f-bdc772f7c488\n']
f               <_io.TextIOWrapper name='t1.txt' mode='w' encoding='UTF-8'>
method          'POST'
n               '82aff4f9-2cc0-4521-aea7-ad3281d20774'
nonce           None
original_state  None
request         <WSGIRequest: POST '/project/azure/complete/'>
state           'fd93da6a-9009-4363-9640-9364df7f64df'
token           (id_token JWT value omitted)
user            None

The above error occurred when trying to write the session variables to a file (for debugging).

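I know this question is a bit old, but the session will fail to be retrieved (as well as the original state and nonce), and the comparison will fail, if the browser is not sending the cookie.

In Django 2.1+ the cookie is not sent by default, because the default setting adds SameSite=Lax.

"The cookies used for django.contrib.sessions, django.contrib.messages now set the SameSite flag to Lax by default. Browsers that respect this flag won't send these cookies on cross-origin requests. If you rely on the old behavior, set the SESSION_COOKIE_SAMESITE and/or CSRF_COOKIE_SAMESITE setting to None."

https://docs.djangoproject.com/en/3.0/releases/2.1/#samesite-cookies

In theory, this should still send the cookie (as far as I understand), but for some reason Chrome does not seem to send it. There is something I obviously don't understand, so if someone knows better, please comment.

Anyway, changing the setting to SESSION_COOKIE_SAMESITE = None should work.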
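Why the callback arrives without a session, as an added example (not from the original post or the django-azure-ad-auth project): a simplified model of browser SameSite handling applied to the request that reaches complete(). The Set-Cookie strings, the value abc123 and the function names are constructed for illustration.

```python
from http.cookies import SimpleCookie  # SameSite parsing needs Python 3.8+

# Constructed Set-Cookie headers for the DSESSIONID session cookie (sample values).
LAX = "DSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"    # Django 2.1+ default
UNSET = "DSESSIONID=abc123; Path=/; Secure; HttpOnly"                # SESSION_COOKIE_SAMESITE = None on 2.2
NONE_SECURE = "DSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=None"
NONE_INSECURE = "DSESSIONID=abc123; Path=/; HttpOnly; SameSite=None"


def cookie_is_sent(set_cookie, method, cross_site, scheme="https", unset_means="lax"):
    """Simplified browser model: is this cookie attached to a top-level request?

    unset_means: how the browser treats a cookie with no SameSite attribute,
    "lax" (current default; Chrome's short Lax+POST grace period is not modeled)
    or "none" (older browsers).
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = next(iter(jar.values()))
    secure = bool(morsel["secure"])
    samesite = (morsel["samesite"] or unset_means).lower()

    if secure and scheme != "https":
        return False  # Secure cookies are never sent over plain HTTP
    if samesite == "none":
        # An explicit SameSite=None is only honoured together with Secure
        return secure or not morsel["samesite"]
    if not cross_site:
        return True
    if samesite == "lax":
        return method in ("GET", "HEAD")  # cross-site: safe top-level navigations only
    return False  # Strict


def callback_has_session(set_cookie, response_mode, **browser):
    """Mirror complete(): 'fragment' arrives as GET, anything else as a POST
    submitted from the identity provider's origin (cross-site)."""
    method = "GET" if response_mode == "fragment" else "POST"
    return cookie_is_sent(set_cookie, method, cross_site=True, **browser)


if __name__ == "__main__":
    for name, header in [("Lax", LAX), ("unset", UNSET),
                         ("None+Secure", NONE_SECURE), ("None, no Secure", NONE_INSECURE)]:
        print(f"{name:16} form_post -> session cookie sent: "
              f"{callback_has_session(header, 'form_post')}")
```

On Django 2.2, SESSION_COOKIE_SAMESITE = None omits the attribute (the UNSET case); Django 3.1 and later also accept the string 'None', which emits SameSite=None and is only honoured together with SESSION_COOKIE_SECURE = True.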
