2017-07-24 43 views
0

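Authenticating Office 365/Graph users with Django using OAuth

We are building an application for our organization, but we only want people in our organization to be able to use it. We have thought about using Microsoft's OAuth endpoint to verify whether a user is part of our organization. The idea is to show a sign-in screen where users can enter their Office 365 username and password, and after submitting their credentials they can use our application.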

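Our application runs on Django, and I have only found a solution to this problem using Flask and Microsoft's Graph API connect sample for Python (see the code snippet below). This sample uses an idea similar to the one above to log in to the application. Is there a similar authentication method for Django?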

import json
import sys
import uuid

import requests
from flask import Flask, redirect, url_for, session, request, render_template
from flask_oauthlib.client import OAuth

# read private credentials from text file
with open('_PRIVATE.txt') as private_file:
    client_id, client_secret, *_ = private_file.read().split('\n')
if (client_id.startswith('*') and client_id.endswith('*')) or \
        (client_secret.startswith('*') and client_secret.endswith('*')):
    print('MISSING CONFIGURATION: the _PRIVATE.txt file needs to be edited '
          'to add client ID and secret.')
    sys.exit(1)

app = Flask(__name__)
# development-only settings: debug mode and a fixed session signing key
app.debug = True
app.secret_key = 'development'
oauth = OAuth(app)

# since this sample runs locally without HTTPS, disable InsecureRequestWarning
requests.packages.urllib3.disable_warnings()

msgraphapi = oauth.remote_app(
    'microsoft',
    consumer_key=client_id,
    consumer_secret=client_secret,
    request_token_params={'scope': 'User.Read Mail.Send'},
    base_url='https://graph.microsoft.com/v1.0/',
    request_token_url=None,
    access_token_method='POST',
    access_token_url='https://login.microsoftonline.com/common/oauth2/v2.0/token',
    authorize_url='https://login.microsoftonline.com/common/oauth2/v2.0/authorize'
)

@app.route('/login')
def login():
    """Handler for login route."""
    guid = uuid.uuid4()  # guid used to only accept initiated logins
    session['state'] = guid
    return msgraphapi.authorize(callback=url_for('authorized', _external=True), state=guid)

@app.route('/login/authorized')
def authorized():
    """Handler for login/authorized route."""
    response = msgraphapi.authorized_response()

    if response is None:
        return "Access Denied: Reason={0}\nError={1}".format(
            request.args['error'], request.args['error_description'])

    # Check response for state
    if str(session['state']) != str(request.args['state']):
        raise Exception('State has been messed with, end authentication')
    session['state'] = ''  # reset session state to prevent re-use

    # Okay to store this in a local variable, encrypt if it's going to client
    # machine or database. Treat as a password.
    session['microsoft_token'] = (response['access_token'], '')
    # Store the token in another session variable for easy access
    session['access_token'] = response['access_token']
    me_response = msgraphapi.get('me')
    me_data = json.loads(json.dumps(me_response.data))
    username = me_data['displayName']
    email_address = me_data['userPrincipalName']
    session['alias'] = username
    session['userEmailAddress'] = email_address
    return redirect('main')

Answers

0

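You should be able to use any OAuth 2.0 library for Python. I haven't worked with Django, but I know there are several in Python.

I came across django-azure-ad-auth, which seems to be exactly what you are looking for.

I also found a general-purpose OAuth library called django-allauth, which seems to have a lot of activity. It doesn't have a built-in provider, but the model they use for providers looks simple, so you could extend it without too much trouble.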
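
The login and callback checks from the Flask sample in the question, written as framework-independent functions that a Django view could call with `request.session` and `request.GET`. This is an added example, not code from the original posts, Microsoft's sample, or either library named above. It assumes dict-like `session` and `params` objects; `TENANT`, `CLIENT_ID`, `REDIRECT_URI` and the `LoginRejected`, `endpoint`, `begin_login` and `finish_login` names are placeholders introduced here.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Placeholder values (assumptions): substitute your own app registration.
TENANT = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/login/authorized"

class LoginRejected(Exception):
    """Raised when the callback must not result in a signed-in user."""

def endpoint(tenant, name):
    # A tenant-specific authority, unlike /common, only signs in accounts
    # that exist in that directory.
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/{name}"

def begin_login(session, scope="User.Read"):
    """Store a fresh state value and return the URL to redirect the user to."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    })
    return endpoint(TENANT, "authorize") + "?" + query

def finish_login(session, params, client_secret):
    """Check the callback; return (token_url, form) for the code exchange."""
    expected = session.pop("oauth_state", None)  # single use, even on failure
    if "error" in params:
        raise LoginRejected(params.get("error_description", params["error"]))
    received = params.get("state", "")
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise LoginRejected("state does not match the one issued at login")
    if not params.get("code"):
        raise LoginRejected("no authorization code in callback")
    form = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code": params["code"],
        "redirect_uri": REDIRECT_URI,
    }
    return endpoint(TENANT, "token"), form
```

The returned form is what the view would POST to the token URL over HTTPS; the access token in the reply should be handled as the sample's own comment says, like a password.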
