Merge pull request #233 from mwigh/azuread-v2

Handle scope and also removing resource when VERSION=v2.0
snok · May 6, 2022 · c091213 · c091213
2 parents 27b5813 + 14d25fc
commit c091213
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 8 deletions.
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
@@ -30,7 +30,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: [ "3.6", "3.7", "3.8", "3.9", "3.10" ]
+        python-version: [ "3.7", "3.8", "3.9", "3.10" ]
         django-version: [ "2.2", "3.0", "3.1", "3.2", "4.0" ]
         drf-version: [ "3.10", "3.11", "3.12" ]
         exclude:
@@ -57,7 +57,7 @@ jobs:
         uses: actions/cache@v2
         with:
           path: .venv
-          key: ${{ hashFiles('**/poetry.lock') }}-${{ matrix.python-version }}
+          key: ${{ hashFiles('**/poetry.lock') }}-${{ matrix.python-version }}-1
       - run: poetry env use ${{ matrix.python-version }} && poetry install --no-root
         if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
       - run: |

diff --git a/django_auth_adfs/__init__.py b/django_auth_adfs/__init__.py
@@ -4,4 +4,4 @@
 Adding imports here will break setup.py
 """
 
-__version__ = '1.9.5'
+__version__ = '1.9.6'
diff --git a/django_auth_adfs/config.py b/django_auth_adfs/config.py
@@ -337,7 +337,11 @@ def build_authorization_endpoint(self, request, disable_sso=None, force_mfa=Fals
             "state": redirect_to,
         })
         if self._mode == "openid_connect":
-            query["scope"] = "openid"
+            if settings.VERSION == 'v2.0':
+                query["scope"] = f"openid api://{settings.RELYING_PARTY_ID}/.default"
+                query.pop("resource")
+            else:
+                query["scope"] = "openid"
             if (disable_sso is None and settings.DISABLE_SSO) or disable_sso is True:
                 query["prompt"] = "login"
             if force_mfa:

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = 'django-auth-adfs'
-version = "1.9.5"  # Remember to also change __init__.py version
+version = "1.9.6"  # Remember to also change __init__.py version
 description = 'A Django authentication backend for Microsoft ADFS and AzureAD'
 authors = ['Joris Beckers <[email protected]>']
 maintainers = ['Jonas Krüger Svensson <[email protected]>', 'Sondre Lillebø Gundersen <[email protected]>']
@@ -23,7 +23,6 @@ classifiers = [
     'License :: OSI Approved :: BSD License',
     'Programming Language :: Python',
     'Programming Language :: Python :: 3',
-    'Programming Language :: Python :: 3.6',
     'Programming Language :: Python :: 3.7',
     'Programming Language :: Python :: 3.8',
     'Programming Language :: Python :: 3.9',
@@ -36,7 +35,7 @@ classifiers = [
 ]
 
 [tool.poetry.dependencies]
-python = '^3.6'
+python = '^3.7'
 django = [
     { version = '^2.2 || ^3', python = '<=3.7' },
     { version = '^2.2 || ^3 || ^4', python = '>=3.8' },

diff --git a/tests/test_authentication.py b/tests/test_authentication.py
@@ -330,7 +330,7 @@ def test_oauth_redir_2016(self):
         self.assertEqual(qs, qs_expected)
 
     @mock_adfs("azure")
-    def test_oauth_redir_azure(self):
+    def test_oauth_redir_azure_version_one(self):
         from django_auth_adfs.config import django_settings
         settings = deepcopy(django_settings)
         del settings.AUTH_ADFS["SERVER"]
@@ -355,6 +355,32 @@ def test_oauth_redir_azure(self):
             self.assertEqual(redir.path.rstrip("/"), '/01234567-89ab-cdef-0123-456789abcdef/oauth2/authorize')
             self.assertEqual(qs, sq_expected)
 
+    @mock_adfs("azure")
+    def test_oauth_redir_azure_version_two(self):
+        from django_auth_adfs.config import django_settings
+        settings = deepcopy(django_settings)
+        del settings.AUTH_ADFS["SERVER"]
+        settings.AUTH_ADFS["TENANT_ID"] = "dummy_tenant_id"
+        settings.AUTH_ADFS["VERSION"] = 'v2.0'
+        with patch("django_auth_adfs.config.django_settings", settings), \
+                patch("django_auth_adfs.config.settings", Settings()), \
+                patch("django_auth_adfs.views.provider_config", ProviderConfig()):
+            response = self.client.get("/oauth2/login?next=/test/")
+            self.assertEqual(response.status_code, 302)
+            redir = urlparse(response["Location"])
+            qs = parse_qs(redir.query)
+            sq_expected = {
+                'scope': ['openid api://your-adfs-RPT-name/.default'],
+                'client_id': ['your-configured-client-id'],
+                'state': ['L3Rlc3Qv'],
+                'response_type': ['code'],
+                'redirect_uri': ['http://testserver/oauth2/callback']
+            }
+            self.assertEqual(redir.scheme, 'https')
+            self.assertEqual(redir.hostname, 'login.microsoftonline.com')
+            self.assertEqual(redir.path.rstrip("/"), '/01234567-89ab-cdef-0123-456789abcdef/oauth2/authorize')
+            self.assertEqual(qs, sq_expected)
+
     @mock_adfs("2016")
     def test_inactive_user(self):
         user = User.objects.create(**{