From d620c3b5d6ef6351fdd539a2117d481b18f06bce Mon Sep 17 00:00:00 2001 From: Marco Zocca Date: Thu, 10 Aug 2023 15:29:36 +0200 Subject: [PATCH] adding bot framework auth --- ms-auth/ms-auth.cabal | 2 +- .../src/Network/OAuth2/Provider/AzureAD.hs | 31 ++++++++++++++++++- ms-auth/src/Network/OAuth2/Session.hs | 21 +++++++++++++ 3 files changed, 52 insertions(+), 2 deletions(-) diff --git a/ms-auth/ms-auth.cabal b/ms-auth/ms-auth.cabal index 11c7102..413ed74 100644 --- a/ms-auth/ms-auth.cabal +++ b/ms-auth/ms-auth.cabal @@ -1,5 +1,5 @@ name: ms-auth -version: 0.3.0.0 +version: 0.4.0.0 synopsis: Microsoft Authentication API description: Bindings to the Microsoft Identity API / Active Directory (AD) for building applications that use either Authorization Code (User-facing) or (App-only) authorization flows. Helper functions are provided for building OAuth2 authentication flows and keep tokens transactionally secure and up to date. homepage: https://github.com/unfoldml/ms-graph-api diff --git a/ms-auth/src/Network/OAuth2/Provider/AzureAD.hs b/ms-auth/src/Network/OAuth2/Provider/AzureAD.hs index b2e7f42..f1b5ae7 100644 --- a/ms-auth/src/Network/OAuth2/Provider/AzureAD.hs +++ b/ms-auth/src/Network/OAuth2/Provider/AzureAD.hs @@ -8,14 +8,18 @@ -- | Settings for using Azure Active Directory as OAuth identity provider -- -- Both @Auth Code Grant@ (i.e. with browser client interaction) and @App-only@ (i.e. Client Credentials) authentication flows are supported. The former is useful when a user needs to login and delegate some permissions to the application (i.e. accessing personal data), whereas the second is for server processes and automation accounts. +-- +-- Azure Bot Framework is supported since v 0. module Network.OAuth2.Provider.AzureAD ( AzureAD + , AzureBotFramework -- * Environment variables , envClientId , envClientSecret , envTenantId -- * App flow , azureADApp + , azureBotFrameworkOAuthADApp -- * Delegated permissions OAuth2 flow , OAuthCfg(..) , AzureADUser @@ -163,7 +167,7 @@ defaultAzureOAuthADApp = , idpAppAuthorizeState = "CHANGE_ME" -- https://stackoverflow.com/questions/26132066/what-is-the-purpose-of-the-state-parameter-in-oauth-authorization-request , idpAppAuthorizeExtraParams = Map.empty , idpAppRedirectUri = [uri|http://localhost|] -- - , idpAppName = "default-azure-app" -- + , idpAppName = "" -- , idpAppTokenRequestAuthenticationMethod = ClientSecretBasic , idp = defaultAzureADIdp } @@ -178,6 +182,31 @@ defaultAzureADIdp = , idpTokenEndpoint = [uri|https://login.microsoftonline.com/common/oauth2/v2.0/token|] } +-- | +azureBotFrameworkOAuthADApp :: ClientId + -> ClientSecret + -> TL.Text -- ^ app name + -> IdpApplication 'ClientCredentials AzureBotFramework +azureBotFrameworkOAuthADApp clid sec appname = ClientCredentialsIDPAppConfig { + idpAppClientId = clid, + idpAppClientSecret = sec, + idpAppName = appname, + idpAppScope = Set.fromList ["https://api.botframework.com/.default"], + idpAppTokenRequestExtraParams = mempty, + idp = defaultAzureBotFrameworkIdp + } + + +data AzureBotFramework = AzureBotFramework + +defaultAzureBotFrameworkIdp :: Idp AzureBotFramework +defaultAzureBotFrameworkIdp = Idp { + idpFetchUserInfo = authGetJSON @(IdpUserInfo AzureBotFramework) + , idpTokenEndpoint = [uri|https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token|] + , idpUserInfoEndpoint = error $ unwords ["Azure Bot Framework Idp:", "OAuth user info endpoint is not defined"] + , idpAuthorizeEndpoint = error $ unwords ["Azure Bot Framework Idp:", "OAuth authorize endpoint is not defined"] + } + -- | https://learn.microsoft.com/en-us/azure/active-directory/develop/userinfo data AzureADUser = AzureADUser { sub :: T.Text diff --git a/ms-auth/src/Network/OAuth2/Session.hs b/ms-auth/src/Network/OAuth2/Session.hs index 0d6edb1..1e896b1 100644 --- a/ms-auth/src/Network/OAuth2/Session.hs +++ b/ms-auth/src/Network/OAuth2/Session.hs @@ -372,6 +372,27 @@ fetchUpdateTokenACG ts idpApp mgr etoken = ExceptT $ do Left es -> pure $ Left (OASEJWTException es) -- id token validation failed Left es -> pure $ Left (OASEOAuth2Errors es) + +-- -- -- for Bot Framework auth etc +-- fetchUpdateToken' :: MonadIO m => +-- Tokens UserSub OAuth2Token +-- -> IdpApplication 'ClientCredentials i +-- -> Manager +-- -> ExceptT OAuthSessionError m OAuth2Token +-- fetchUpdateToken' ts idpApp mgr = ExceptT $ do +-- tokenResp <- runExceptT $ conduitTokenRequest idpApp mgr -- OAuth2 token +-- case tokenResp of +-- Right oat -> case idToken oat of +-- Nothing -> pure $ Left OASENoOpenID +-- Just idt -> do +-- idtClaimsE <- decValidIdToken idt -- decode and validate ID token +-- case idtClaimsE of +-- Right uid -> do +-- _ <- refreshLoopACG ts idpApp mgr uid oat -- fork a thread and start refresh loop for this user +-- pure $ Right oat + + + -- | 2) fork a thread and start token refresh loop for user @uid@ refreshLoopACG :: (MonadIO m, Ord uid, HasRefreshTokenRequest a) => Tokens uid OAuth2Token