Appwrite: OAuth2 Tenant Configuration (Microsoft)

Created on 21 Feb 2021  路  5Comments  路  Source: appwrite/appwrite

馃殌 Feature

Hey there,

I discovered a problem where I tried to run an internal business application in Appwrite.
This application uses OAuth2 as authentication method against Microsoft Azure-AD.
The problem here is that internal business applications usually only allow the authentication of users who have already been created in the organization in the microsoft azure ad.
By default, the tenant "common" is hard-coded in the URL in Appwrite.
As a result, the application in Microsoft Azure AD has to be configured as a multi-tenant application, which of course is not always wanted, since access should only take place exclusively for company employees.
Therefore I would like to have an option to configure the tenant type so that you have the option to choose between "common" and "organization".

Have you spent some time to check if this issue has been raised before?

Yes, the only solution currently is to adjust the tenant type manually in Microsoft.php, or to make the application multi-tenant capable.

Have you read the Code of Conduct?

Yes.

Most helpful comment

@eldadfux as I see it, I don't see a huge advantage of creating a separate OAuth Adapter for Microsoft (internal vs external) accounts because the config is largely the same except for the tenant. It would be more sensible to probably have a dropdown in the UI to choose the tenant type. Let's go with an approach similar to Apple OAuth.

All 5 comments

@yous0seri0us Please share the changes you made in the Microsoft.php file, I think it will help us get a better idea of the problem and possible solutions.

@eldadfux of course.
The changes I made are simple in the Microsoft.php:

    public function getLoginURL(): string
    {
        return 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?'.\http_build_query([
            'client_id' => $this->appID,
            'redirect_uri' => $this->callback,
            'state'=> \json_encode($this->state),
            'scope'=> \implode(' ', $this->getScopes()),
            'response_type' => 'code',
            'response_mode' => 'query'
        ]);
    }
public function getAccessToken(string $code): string
    {
        $headers = ['Content-Type: application/x-www-form-urlencoded'];

        $accessToken = $this->request(
            'POST',
            'https://login.microsoftonline.com/organizations/oauth2/v2.0/token',
            $headers,
            \http_build_query([
                'code' => $code,
                'client_id' => $this->appID,
                'client_secret' => $this->appSecret,
                'redirect_uri' => $this->callback,
                'scope' => \implode(' ', $this->getScopes()),
                'grant_type' => 'authorization_code'
            ])
        );

I changed the URL part from https://login.microsoftonline.com/common/ to https://login.microsoftonline.com/organizations/, which gives you the possibility that only employees of the company can log in.
With the 'common' setting, anyone with a Microsoft account can log in.
Of course, the better solution would be to create a configurable variable where you can decide for yourself whether the application runs internally or externally

@christyjacob4 @armino-dev what approach would you guys suggest here?

  1. A new OAuth adapter
  2. A custom credentials with new options similar to what we did for Apple OAuth

image

@eldadfux as I see it, I don't see a huge advantage of creating a separate OAuth Adapter for Microsoft (internal vs external) accounts because the config is largely the same except for the tenant. It would be more sensible to probably have a dropdown in the UI to choose the tenant type. Let's go with an approach similar to Apple OAuth.

Just to conclude what we want to do with this feature request: Currently all of Appwrite OAuth adapters are using the same UI and setting. When we added support for Apple we created a preparation for supporting custom form and settings (https://github.com/appwrite/appwrite/blob/master/app/config/providers.php#L18) -> currently hardcoded, but we can use this setting to include external template files at this locations:

  • app/views/console/users/oauth/apple.phtml
  • app/views/console/users/oauth/microsoft.phtml

We need to create a new form that includes the standard OAuth fields we use and a new dropdown menu (named Type?) with 2 options:

  • Common
  • Organizations

This new option will be used to init the Microsoft adapter, similar to what we do for the Apple adapter.

Open Issues:
For the Apple adapter we used the secret key to store additional data as an encrypted JSON field, if we change the way we store data for the Microsoft adapter we'll have to migrate existing data to a new format. Should we change the way we handle this for all adapters to allow future extension?

Was this page helpful?
0 / 5 - 0 ratings

Related issues

lohanidamodar picture lohanidamodar  路  3Comments

mysticaltech picture mysticaltech  路  3Comments

subinsv picture subinsv  路  5Comments

TorstenDittmann picture TorstenDittmann  路  5Comments

vincentnacar02 picture vincentnacar02  路  6Comments