Custom Microsoft Entra ID Authentication Backend for Django.

django-epfl-entra-id

Requirements

  • Python 3.6 or later
  • Django 1.11, 2.2, 3.2, 4.2 or 5.2

Installation

pip install django-epfl-entra-id

Documentation

Settings

Add mozilla_django_oidc to INSTALLED_APPS:

INSTALLED_APPS = [
  ...
  "django.contrib.auth",
  "mozilla_django_oidc",  # Load after auth
  ...
]

Add django_epfl_entra_id authentication backend:

AUTHENTICATION_BACKENDS = ("django_epfl_entra_id.auth.EPFLOIDCAB",)

Register your application in the App Portal and add the OIDC configuration:

import os

TENANT_ID = os.environ["TENANT_ID"]

OIDC_RP_CLIENT_ID = os.environ["OIDC_RP_CLIENT_ID"]
OIDC_RP_CLIENT_SECRET = os.environ["OIDC_RP_CLIENT_SECRET"]

AUTH_DOMAIN = f"https://login.microsoftonline.com/{TENANT_ID}"
OIDC_OP_AUTHORIZATION_ENDPOINT = f"{AUTH_DOMAIN}/oauth2/v2.0/authorize"
OIDC_OP_TOKEN_ENDPOINT = f"{AUTH_DOMAIN}/oauth2/v2.0/token"
OIDC_OP_JWKS_ENDPOINT = f"{AUTH_DOMAIN}/discovery/v2.0/keys"
OIDC_OP_USER_ENDPOINT = "https://graph.microsoft.com/oidc/userinfo"
OIDC_RP_SIGN_ALGO = "RS256"

LOGIN_URL = "/auth/authenticate"
LOGIN_REDIRECT_URL = "/"
LOGOUT_REDIRECT_URL = "/"

Routing

Edit your urls.py and add the following:

urlpatterns = [
  ...
  path("", include("django_epfl_entra_id.urls")),
  path("auth/", include("mozilla_django_oidc.urls")),
  ...
]

Example template:

{% if user.is_authenticated %}
  <p>Current user: {{ user.username }}</p>
  <form action="{% url 'oidc_logout' %}" method="post">
    {% csrf_token %}
    <input type="submit" value="logout">
  </form>
{% else %}
  <a href="{% url 'oidc_authentication_init' %}?next={{ request.path }}">
    Login
  </a>
{% endif %}

Optional configuration

AUTH_PROFILE_MODULE = "userprofile.UserProfile"

Restrict Authentication by Rights (Authorizations)

By default, any user with a valid EPFL Entra ID account can authenticate. If you want to restrict access only to users possessing specific application rights (claims injected by the EPFL portal), follow these steps:

Configure your app's settings.py

You need to enable the strict rights verification and define where Django should redirect unauthorized users (e.g., to a 403 Forbidden page). Add the following to your settings:

  # Enable strict rights verification. 
  # (You can dynamically load this from your .env file if preferred)
  OIDC_REQUIRE_AUTHORIZATIONS = True
  
  # Redirect unauthorized users to the dedicated forbidden view
  LOGIN_REDIRECT_URL_FAILURE = "/forbidden"

Note: Ensure that your application rights are properly configured in the EPFL deployment portal (app-portal). Entra ID relies on this configuration to inject the authorizations claim into the user's token.
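A pre-deployment check of the OIDC settings and the rights-restriction settings described above, as an added example that is not part of django-epfl-entra-id or mozilla-django-oidc. The function name `audit_oidc_settings`, its finding messages and the sample values are assumptions of this example; the setting names are the ones shown on this page.

```python
from urllib.parse import urlsplit

# Settings named on this page; the first three live under the tenant authority.
TENANT_ENDPOINTS = ("OIDC_OP_AUTHORIZATION_ENDPOINT", "OIDC_OP_TOKEN_ENDPOINT",
                    "OIDC_OP_JWKS_ENDPOINT")
ENDPOINTS = TENANT_ENDPOINTS + ("OIDC_OP_USER_ENDPOINT",)
REQUIRED = ENDPOINTS + ("OIDC_RP_CLIENT_ID", "OIDC_RP_CLIENT_SECRET")


def audit_oidc_settings(cfg):
    """Return findings for a dict of settings; an empty list means no issue found."""
    findings = [f"{key} is missing or empty" for key in REQUIRED if not cfg.get(key)]
    tenants = set()
    for key in ENDPOINTS:
        if not cfg.get(key):
            continue  # already reported above
        url = urlsplit(cfg[key])
        if url.scheme != "https" or not url.netloc:
            findings.append(f"{key} must be an absolute https URL")
        if key in TENANT_ENDPOINTS:
            if url.hostname != "login.microsoftonline.com":
                findings.append(f"{key} has unexpected host {url.hostname!r}")
            tenants.add(url.path.strip("/").split("/")[0])
    if len(tenants) > 1:
        findings.append(f"endpoints name different tenants: {sorted(tenants)}")
    if cfg.get("OIDC_RP_SIGN_ALGO") != "RS256":
        findings.append("OIDC_RP_SIGN_ALGO is not RS256, the value this page sets")
    if cfg.get("OIDC_REQUIRE_AUTHORIZATIONS"):
        failure = cfg.get("LOGIN_REDIRECT_URL_FAILURE") or ""
        # A local path only: "//host" or "https://host" would leave the site.
        if not failure.startswith("/") or failure.startswith("//"):
            findings.append("LOGIN_REDIRECT_URL_FAILURE must be a local path")
        # Assumption of this example: denied users should not land on the login success URL.
        elif failure == cfg.get("LOGIN_REDIRECT_URL"):
            findings.append("LOGIN_REDIRECT_URL_FAILURE equals LOGIN_REDIRECT_URL")
    return findings


# Constructed sample values: placeholder tenant id and credentials.
AUTH = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
GOOD = {
    "OIDC_RP_CLIENT_ID": "example-client-id", "OIDC_RP_CLIENT_SECRET": "example-secret",
    "OIDC_OP_AUTHORIZATION_ENDPOINT": f"{AUTH}/oauth2/v2.0/authorize",
    "OIDC_OP_TOKEN_ENDPOINT": f"{AUTH}/oauth2/v2.0/token",
    "OIDC_OP_JWKS_ENDPOINT": f"{AUTH}/discovery/v2.0/keys",
    "OIDC_OP_USER_ENDPOINT": "https://graph.microsoft.com/oidc/userinfo",
    "OIDC_RP_SIGN_ALGO": "RS256", "LOGIN_REDIRECT_URL": "/",
    "OIDC_REQUIRE_AUTHORIZATIONS": True, "LOGIN_REDIRECT_URL_FAILURE": "/forbidden",
}
```

In a project, build the dict from `django.conf.settings` and fail the deployment when the returned list is not empty.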

Logging

Enable these loggers in settings to see logging messages to help you debug:

LOGGING = {
  ...
  "loggers": {
      "mozilla_django_oidc": {
        "handlers": ["console"],
        "level": "DEBUG",
      },
      "django_epfl_entra_id": {
        "handlers": ["console"],
        "level": "DEBUG",
      },
  },
  ...
}

Make sure to use the appropriate handler for your app.

Download files

Source Distribution

django_epfl_entra_id-0.0.9.tar.gz (12.3 kB view details)

Uploaded Source

Built Distribution

django_epfl_entra_id-0.0.9-py3-none-any.whl (14.9 kB view details)

Uploaded Python 3

File details

Details for the file django_epfl_entra_id-0.0.9.tar.gz.

File metadata

  • Download URL: django_epfl_entra_id-0.0.9.tar.gz
  • Upload date:
  • Size: 12.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for django_epfl_entra_id-0.0.9.tar.gz
Algorithm Hash digest
SHA256 ea3b0fe74fe5dcbcfb32f8dc4490de40241f9d654a954afc95623f576e778183
MD5 3f288eb9794b8763b142d9e2c59d1e55
BLAKE2b-256 f966c22f4360696111a6016e2fff7e24836ff4d8fb1e107c09a94cc3e4f467dd

Provenance

The following attestation bundles were made for django_epfl_entra_id-0.0.9.tar.gz:

Publisher: release.yml on epfl-si/django-epfl-entra-id

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file django_epfl_entra_id-0.0.9-py3-none-any.whl.

File hashes

Hashes for django_epfl_entra_id-0.0.9-py3-none-any.whl
Algorithm Hash digest
SHA256 2b54d9fedf6ce4d03656744b7871fa39f62ece66655572853bee6e6c63b84a78
MD5 089c422d6b24035c4d72252a4230eae6
BLAKE2b-256 ead45011e61787bc76a125d094684feec01eae5f6a02fd6549720db6bc54bfb8

Provenance

The following attestation bundles were made for django_epfl_entra_id-0.0.9-py3-none-any.whl:

Publisher: release.yml on epfl-si/django-epfl-entra-id

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
