Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[AzureAD] Add config to map Azure's concept of AppRoles to conclude if a user is allowed and/or if the user is an admin #446

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

[AzureAD] Add config to map Azure's concept of AppRoles to conclude if a user is allowed and/or if the user is an admin #446

Changes from 6 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
4129ae3
Draft implementation of app roles for AzureAD
weisdd Jul 15, 2021
4fd4fb9
Reformat azuread.py
weisdd Aug 18, 2021
6dc41a6
Multiple changes:
weisdd Aug 19, 2021
4d535d6
Multiple changes:
weisdd Aug 19, 2021
22626f5
Reorder imports
weisdd Aug 19, 2021
eab9ac8
Removed the "revoke_stale_admin_privileges" feature
weisdd Aug 20, 2021
cd98b92
Removed check_user_has_role()
weisdd Aug 20, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 30 additions & 0 deletions oauthenticator/azuread.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
from jupyterhub.auth import LocalAuthenticator
from tornado.httpclient import HTTPRequest
from traitlets import default
from traitlets import Set
from traitlets import Unicode

from .oauth2 import OAuthenticator
Expand All @@ -19,6 +20,10 @@
PYJWT_2 = V(jwt.__version__) >= V("2.0")


def check_user_has_role(member_roles, allowed_roles):
consideRatio marked this conversation as resolved.
Show resolved Hide resolved
return any(role in member_roles for role in allowed_roles)


class AzureAdOAuthenticator(OAuthenticator):
login_service = Unicode(
os.environ.get('LOGIN_SERVICE', 'Azure AD'),
Expand All @@ -38,6 +43,20 @@ def _tenant_id_default(self):
def _username_claim_default(self):
return 'name'

app_roles_help_message = "More details on app roles: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps"

admin_users_app_roles = Set(
config=True,
help="Users with one of these app roles in their identity token claim 'roles' are treated as admins. "
+ app_roles_help_message,
)

allowed_users_app_roles = Set(
config=True,
help="Only users with one of these app roles in their identity token claim 'roles' will be allowed to login into JupyterHub. Admins do not fall under this restriction. "
+ app_roles_help_message,
)

@default("authorize_url")
def _authorize_url_default(self):
return 'https://login.microsoftonline.com/{0}/oauth2/authorize'.format(
Expand Down Expand Up @@ -94,6 +113,17 @@ async def authenticate(self, handler, data=None):
# results in a decoded JWT for the user data
auth_state['user'] = decoded

roles = auth_state['user'].get("roles", [])

if self.admin_users_app_roles:
if check_user_has_role(roles, self.admin_users_app_roles):
userdict["admin"] = True
return userdict

if self.allowed_users_app_roles:
if not check_user_has_role(roles, self.allowed_users_app_roles):
return None

return userdict


Expand Down