marmelab / ra-auth-msal Goto Github PK

View Code? Open in Web Editor NEW

4.0 7.0 1.0 906 KB

An auth provider for react-admin which handles authentication using the MSAL

License: MIT License

Makefile 0.63% JavaScript 1.02% HTML 0.81% TypeScript 97.53%

ra-auth-msal's Introduction

ra-auth-msal

An auth provider for react-admin that handles authentication using the Microsoft Authentication Library (MSAL).

This is useful when using Azure Active Directory to authenticate your users.

This repository contains:

The actual ra-auth-msal package
A simple demo app you can run locally to try out ra-auth-msal with your own Azure AD instance

Simple Demo

Prerequesites

You need to have an active Azure account. You can create one for free here.

Initial setup

Clone this project

You need to register and configure this demo application to use your own Azure AD instance. Please follow the steps below (taken from the quickstart tutorial):

Sign in to the Azure portal.
If you have access to multiple tenants, use the Directories + subscriptions filter in the top menu to switch to the tenant in which you want to register the application.
Search for and select Azure Active Directory.
Under Manage, select App registrations > New registration.
Enter a Name for your application. Users of your app might see this name, and you can change it later.
Under Supported account types, select Accounts in any organizational directory and personal Microsoft accounts.
Select Register. On the app Overview page, note the Application (client) ID value for later use.
Under Manage, select Authentication.
Under Platform configurations, select Add a platform. In the pane that opens select Single-page application.
Set the Redirect URI value to http://localhost:8080/auth-callback.
Select Configure.

Now it is time to create some users and some groups, which will enable us to demonstrate the permissions feature.

In the Azure portal, Search for and select Azure Active Directory.
Under Groups, create a new group of type 'Security', called admins. Leave all the other options to their default values.
In the same way, create a second group called users.
Under Users, click New user > Create a user.
Choose chris as the User Name and Chris Green as the Name.
In Password, select Allow me to create the password, and choose a password of your choice.
In Groups and roles, select only the users group.
Make sure Block sign in is set to false
Click Create.
Repeat the same steps to create a second user, called John Smith, and assign it both the users and admins groups.

Lastly, we need to configure the app to include the goups claim in the ID token.

In the Azure Active Directory Dashboard
Under Manage, select App registrations > and select the App you created before
Select Token configuration.
Click on Add groups claim.
Select Security groups
Inside both the ID and Access sections, check the Emit group claims as roles checkbox.
Click Save.

Now we can configure the demo app. First we need to setup some environment variables. We can do this by creating a .env file in the root of the project.

cp packages/demo-react-admin/.env.template packages/demo-react-admin/.env

The following variables are required:

VITE_MSAL_CLIENT_ID="12345678-1234-1234-1234-123456789012"
VITE_MSAL_AUTHORITY="https://login.microsoftonline.com/common"
VITE_APP_BASE_URI="http://localhost:8080"

Please fill in the VITE_MSAL_CLIENT_ID with the Application (client) ID you noted earlier.

Lastly, we need to edit the rolesPermissionMap inside packages/demo-react-admin/src/authConfig.ts to match the groups you created earlier.

/**
 * Customize this map to match the ids of the groups you created in Azure AD
 */
const rolesPermissionMap = {
  "12345678-1234-1234-1234-123456789012": "user",
  "12345678-1234-1234-1234-123456789013": "admin",
};

We are now all set to run the demo app.

Running The Demo App

Install the dependencies and start the Demo App with the following command:

make install start

Using the Simple Demo

Now that all is configured and running, you can browse to http://localhost:8080/ to access the React Admin App.

The first time you sign in with any of the users, you'll have to enter their temporary password and will be asked to enter a password of your choice.

Signing in with Chris Green will only grant the user role permissions
Signing in with John Smith will grant full admin role permissions, allowing for instance to see the Users resource in the main menu

Feel free to play around with this demo, along with the MASL config, to understand better how it works!

License

This repository and the code it contains are licensed under the MIT License and sponsored by marmelab.

ra-auth-msal's People

Contributors

Stargazers

Watchers

Forkers

devh2t

ra-auth-msal's Issues

Documentation on getIdentityFromAccount

From what I understand, passing a function as getIdentityFromAccount to msalAuthProvider, from this library, sets an identity object which can later be referenced. Am I right in that assessment? If so, how do we reference what we set downstream?

For example, in getIdentityFromAccount function, could I call my API once to get extra database attributes, so that these don't have to be managed separately or repeatedly called, e.g. employee ID (in my database, employee IDs are different to user IDs, which are the same as in Active Directory).

My intended use case is to pass this value to dropdowns, so that logged in user's preferences are prioritized to the top (this I know how to do, and am currently needing to save details to localStorage, which I think by using this feature I can avoid).

Redirect loop in Edge

In version 1.2.0 a redirect loop is introduced.

It seems to only happens in Edge. After redirecting back to /auth-login, the application initiates another redirect to fetch a token, causing a loop. This does not happen in Firefox.

Reverting to 1.1.0 fixes the issues.

Option to hide the "Unauthorized" notification when the user needs to login

This always shows an "Unauthorized" message when the user needs to login, and requireAuth is set to true. This is because the checkAuth method throws an Error.

Should there be an option to hide this message, or even just remove it entirely? From the react-admin docs, it looks like this can be done by rejecting the promise with { message: false }

Feedback on making use of this library in a project

Update: Found the issue, see next comment

Making use of this library in an existing project

There are a few things unclear to a new user of such a library... maybe this issue could be used to clear some things up (i.e. some additions required in docs to smooth things over)

Problem 1:

ra-auth-msal interacts with Azure AD, auth happens, and we get a valid `Authorization` header with `Bearer ${TOKEN}`, how to ensure that it is in a format that matches your data provider?

Answer: I provided an answer to the problem I had getting started with this library in the comment below

Original Issue

I looked for a discussion section (please let me know if there is a better place for this message)...

I might just be missing something super obvious.

I started by following the instructions, and I get the sample app working beautifully.

But when I try to cherry-pick the relevant parts to a new project, no matter what I try it doesn't work. Console errors usually include :

Error: Unauthorized

BrowserAuthError: no_account_error: No account object provided to acquireTokenSilent and no active account has been set. Please call setActiveAccount or provide an account on the request.

Uncaught (in promise) ClientConfigurationError: empty_url_error: URL was empty or null.

I also tried the much more basic implementation as in your docs, but similar issues.

Below are the changes I attempted:

MSAL related commit:

----------------------------- vrmt/ui/package.json -----------------------------
index ce5eca0..79b523c 100644
@@ -10,6 +10,7 @@
   },
   "dependencies": {
     "@promitheus/ra-data-postgrest": "^1.2.2",
+    "ra-auth-msal": "^1.0.0",
     "react": "^18.2.0",
     "react-admin": "^4.9.0",
     "react-dom": "^18.2.0"

----------------------------- vrmt/ui/src/App.tsx -----------------------------
index 76ef1a5..4247452 100644
@@ -1,6 +1,19 @@
-import { Admin, Resource, fetchUtils } from "react-admin";
+import React from "react";
+import { Admin, Resource } from "react-admin";
 // import { ListGuesser } from "react-admin";
-import postgrestRestProvider from '@promitheus/ra-data-postgrest';
+import postgrestRestProvider from "@promitheus/ra-data-postgrest";
+import { PublicClientApplication } from "@azure/msal-browser";
+import { LoginPage, msalAuthProvider, msalHttpClient } from "ra-auth-msal";
+import { BrowserRouter } from "react-router-dom";
+import {
+  getPermissionsFromAccount,
+  loginRequest,
+  msalConfig,
+  tokenRequest,
+} from "./authConfig";
+
+import { CustomLoginPage } from "./CustomLoginPage";
+import Layout from "./Layout";
 
 import { ActivityList } from './sections/activities';
 import { AoEList } from './sections/areas_of_expertise';
@@ -9,38 +22,66 @@ import { EmployeeList } from './sections/employees';
 import { ProjectList } from './sections/projects';
 import { TimeTrackingTaskList } from './sections/time_tracking_tasks';
 
-const httpClient = (url, options = {}) => {
-  if (!options.headers) {
-      options.headers = new Headers({ Accept: 'application/json' });
-  }
-  // add your own headers here
-  options.headers.set('Authorization', 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoidnJtdF9wb3dlciJ9.fOzb_9hhUa2YzyMgM_o6_p_9B75BOWwX5R6cGk3y8Tc');
-  return fetchUtils.fetchJson(url, options);
-};
+const redirectOnCheckAuth = true;
+
+const myMSALObj = new PublicClientApplication(msalConfig);
+
+const App = () => {
+  const authProvider = msalAuthProvider({
+    msalInstance: myMSALObj,
+    loginRequest,
+    tokenRequest,
+    getPermissionsFromAccount,
+    redirectOnCheckAuth,
+  });
 
-const dataProvider = postgrestRestProvider(
-  'http://localhost:3000',
-  httpClient,
-  'eq',
-  new Map([
+  const httpClient = msalHttpClient({
+    msalInstance: myMSALObj,
+    tokenRequest,
+  });
+
+  const dataProvider = postgrestRestProvider(
+    'http://localhost:3000',
+    httpClient,
+    'eq',
+    new Map([
       ['activities', ['activity_id']],
       ['areas_of_expertise', ['aoe_id']],
       ['areas_of_work', ['aow_id']],
       ['employees', ['employee_id']],
       ['projects', ['project_id']],
       ['time_tracking_tasks', ['time_tracking_task_id']],
-  ])
-);
-
-const App = () => (
-    <Admin dataProvider={dataProvider} title="VRMT">
-        <Resource name="employees" list={EmployeeList} />
-        <Resource name="activities" list={ActivityList} />
-        <Resource name="areas_of_expertise" list={AoEList} />
-        <Resource name="areas_of_work" list={AoWList} />
-        <Resource name="projects" list={ProjectList} />
-        <Resource name="time_tracking_tasks" list={TimeTrackingTaskList} />
-    </Admin>
-);
+    ])
+  );
+
+  return (
+    <BrowserRouter>
+      <Admin
+        authProvider={authProvider}
+        dataProvider={dataProvider}
+        title="VRMT"
+        layout={Layout}
+        loginPage={redirectOnCheckAuth ? LoginPage : CustomLoginPage}
+      >
+        {(permissions) => (
+          <>
+            <Resource name="activities" list={ActivityList} />
+            <Resource name="areas_of_expertise" list={AoEList} />
+            <Resource name="areas_of_work" list={AoWList} />
+            <Resource name="projects" list={ProjectList} />
+            <Resource name="time_tracking_tasks" list={TimeTrackingTaskList} />
 
+            {permissions ? (
+              <>
+                {permissions.includes("admin") ? (
+                  <Resource name="employees" {...EmployeeList} />
+                ) : null}
+              </>
+            ) : null}
+          </>
+        )}
+      </Admin>
+    </BrowserRouter>
+  );
+};
 export default App;

----------------------- vrmt/ui/src/CustomLoginPage.tsx -----------------------
new file mode 100644
index 0000000..79a8b29
@@ -0,0 +1,76 @@
+import {
+  Box,
+  Button,
+  Card,
+  CardActions,
+  CardContent,
+  CircularProgress,
+  Typography,
+} from "@mui/material";
+import * as React from "react";
+import { useLogin, useNotify, useSafeSetState } from "react-admin";
+
+/**
+ * Csutom Login Page used to trigger the redirection to the MS login page.
+ */
+export const CustomLoginPage = () => {
+  const login = useLogin();
+  const [loading, setLoading] = useSafeSetState(false);
+  const notify = useNotify();
+
+  const submit = () => {
+    setLoading(true);
+    login({})
+      .then(() => {
+        setLoading(false);
+      })
+      .catch((error) => {
+        setLoading(false);
+        const errorMsg =
+          typeof error === "string"
+            ? error
+            : error && error.message
+            ? error.message
+            : undefined;
+        notify(errorMsg, {
+          type: "error",
+          messageArgs: {
+            _: errorMsg,
+          },
+        });
+      });
+  };
+
+  return (
+    <Box
+      component="form"
+      onSubmit={submit}
+      display="flex"
+      justifyContent="center"
+    >
+      <Card sx={{ width: 300, m: 8 }}>
+        <CardContent>
+          <Typography variant="h5" component="div" textAlign="center">
+            Custom login page
+          </Typography>
+          <CardActions>
+            <Button
+              variant="contained"
+              type="submit"
+              color="primary"
+              disabled={loading}
+              fullWidth
+              sx={{ mt: 2 }}
+            >
+              {loading ? (
+                <CircularProgress size={19} thickness={3} sx={{ m: 0.3 }} />
+              ) : (
+                "Sign in with Microsoft"
+              )}
+            </Button>
+          </CardActions>
+        </CardContent>
+      </Card>
+    </Box>
+  );
+};

---------------------------- vrmt/ui/src/Layout.tsx ----------------------------
new file mode 100644
index 0000000..22cacde
@@ -0,0 +1,16 @@
+import * as React from 'react';
+
+import { ReactQueryDevtools } from 'react-query/devtools';
+import { Layout } from 'react-admin';
+import { CssBaseline } from '@mui/material';
+
+export default props => (
+    <>
+        <CssBaseline />
+        <Layout {...props} />
+        <ReactQueryDevtools
+            initialIsOpen={false}
+            toggleButtonProps={{ style: { width: 20, height: 30 } }}
+        />
+    </>
+);

-------------------------- vrmt/ui/src/authConfig.ts --------------------------
new file mode 100644
index 0000000..cd9a069
@@ -0,0 +1,65 @@
+import {
+    Configuration,
+    RedirectRequest,
+    SilentRequest,
+    AccountInfo,
+  } from "@azure/msal-browser";
+  
+  /**
+   * Configuration object to be passed to MSAL instance on creation.
+   * For a full list of MSAL.js configuration parameters, visit:
+   * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/configuration.md
+   */
+  export const msalConfig: Configuration = {
+    auth: {
+      // 'Application (client) ID' of app registration in Azure portal - this value is a GUID
+      clientId: import.meta.env.VITE_MSAL_CLIENT_ID,
+      // Full directory URL, in the form of https://login.microsoftonline.com/<tenant-id>
+      authority: import.meta.env.VITE_MSAL_AUTHORITY,
+      // Full redirect URL, in form of http://localhost:8080/auth-callback
+      redirectUri: `${import.meta.env.VITE_APP_BASE_URI}/auth-callback`,
+      // We need to disable this feature because it is already handled by react-admin, and would otherwise conflict
+      navigateToLoginRequestUrl: false,
+    },
+    cache: {
+      cacheLocation: "sessionStorage", // This configures where your cache will be stored
+      storeAuthStateInCookie: false, // Set this to "true" if you are having issues on IE11 or Edge
+    },
+  };
+  
+  /**
+   * Scopes you add here will be prompted for user consent during sign-in.
+   * By default, MSAL.js will add OIDC scopes (openid, profile, email) to any login request.
+   * For more information about OIDC scopes, visit:
+   * https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes
+   */
+  export const loginRequest: RedirectRequest = {
+    scopes: ["User.Read"],
+  };
+  
+  /**
+   * Add here the scopes to request when obtaining an access token for MS Graph API. For more information, see:
+   * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/resources-and-scopes.md
+   */
+  export const tokenRequest: SilentRequest = {
+    scopes: ["User.Read"],
+    forceRefresh: false, // Set this to "true" to skip a cached token and go to the server to get a new token
+  };
+  
+  /**
+   * Customize this map to match your own roles and permissions
+   */
+  const rolesPermissionMap = {
+    "363472b9-7c21-466c-be1a-d9151b6ad21c": "user",
+    "9bb5f9e0-0746-405b-8494-01be926009c5": "admin",
+  };
+  
+  /**
+   * Custom function to map roles to permissions, using the rolesPermissionMap above.
+   * Alternatively, you can use the MS Graph API to get more information about the user's roles and groups.
+   */
+  export const getPermissionsFromAccount = async (account: AccountInfo) => {
+    const roles = account?.idTokenClaims?.roles ?? [];
+    return roles.map((role) => rolesPermissionMap[role]);
+  };
+  
\ No newline at end of file

------------------------------ vrmt/ui/yarn.lock ------------------------------
index f1ffa6b..c6a1860 100644
@@ -10,6 +10,18 @@
     "@jridgewell/gen-mapping" "^0.1.0"
     "@jridgewell/trace-mapping" "^0.3.9"
 
+"@azure/msal-browser@^2.16.1":
+  version "2.34.0"
+  resolved "https://registry.yarnpkg.com/@azure/msal-browser/-/msal-browser-2.34.0.tgz#e2aa497e74bfa3480c7f03cccd57244e8ab7de00"
+  integrity sha512-stoXdlfAtyVIMOp1lS5PorgO5f66MGRi3Q1FBlXhVZFTsTfAWrNdSOx1m/PXWHskWE9aXO+NEzXVOoWmDNnvNA==
+  dependencies:
+    "@azure/msal-common" "^11.0.0"
+
+"@azure/msal-common@^11.0.0":
+  version "11.0.0"
+  resolved "https://registry.yarnpkg.com/@azure/msal-common/-/msal-common-11.0.0.tgz#d35bfa6cdd2a5b8c036ce427aa3fd36f8f985239"
+  integrity sha512-SZH8ObQ3Hq5v3ogVGBYJp1nNW7p+MtM4PH4wfNadBP9wf7K0beQHF9iOtRcjPOkwZf+ZD49oXqw91LndIkdk8g==
+
 "@babel/code-frame@^7.0.0", "@babel/code-frame@^7.18.6":
   version "7.18.6"
   resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.18.6.tgz#3b25d38c89600baa2dcc219edfa88a74eb2c427a"
@@ -1505,6 +1517,14 @@ query-string@^7.1.1:
     split-on-first "^1.0.0"
     strict-uri-encode "^2.0.0"
 
+ra-auth-msal@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/ra-auth-msal/-/ra-auth-msal-1.0.0.tgz#0941ca5e9778b6713ca886a9bfa427c2eb28f6d0"
+  integrity sha512-60MM9YDB9l4u7Gpbqcb+R+hbJfdMZs1N8wvtpgZjmLXoailByxU1TXUDXz2OEJSV6hl+yy3xbJbPJgkFbmXvSw==
+  dependencies:
+    "@azure/msal-browser" "^2.16.1"
+    react-admin "^4.7.0"
+
 ra-core@^4.9.0:
   version "4.9.0"
   resolved "https://registry.yarnpkg.com/ra-core/-/ra-core-4.9.0.tgz#763d7f2eb2696ea6f27c4e1d33c4eb29646b34af"
@@ -1555,7 +1575,7 @@ ra-ui-materialui@^4.9.0:
     react-query "^3.32.1"
     react-transition-group "^4.4.1"
 
-react-admin@^4.9.0:
+react-admin@^4.7.0, react-admin@^4.9.0:
   version "4.9.0"
   resolved "https://registry.yarnpkg.com/react-admin/-/react-admin-4.9.0.tgz#da8be76a527c506f71259a2858c58d01c0443d3e"
   integrity sha512-h7JI/zVZObXEU0z2+KPM7PXbmNkl2VczfpXnbMK1m3UJ5T1KdJml3xOp0phYHNV30DjJV9tqiwOkQ9t3cNMviw==

Token refresh issues

To reproduce:

log into the system using your Azure AD credentials
Check your JWT at https://jwt.ms
See the "exp" key, and copy its value to https://www.epochconverter.com to see when the current JWT expires
Navigate your application just before the expiry time comes around, you will be logged out and asked which account you want to be logged out of, and you are forced to redo the login.
Side effect: Bearer tokens from re-login is not attached to the data provider requests, thus returning a 401 and kicking you out of the system again due to authentication error.

What should happen, is that the frontend should refresh the token in time in the background, so that the ID or Access token sent to APIs does not expire.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.