Class ::ms::Authorize (public)
::nx::Class ::ms::Authorize![[i]](/resources/acs-subsite/ZoomIn16.gif)
Defined in packages/xooauth/tcl/ms-procs.tcl
Support for the Microsoft Microsoft identity platform ID tokens to login/logout via MS Azure accounts. https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens
- Testcases:
- No testcase defined.
Source code: :property {pretty_name "Azure"} :property {tenant} :property {version ""} :property {responder_url /oauth/azure-login-handler} :property {scope {openid offline_access profile}} :property {response_type {code id_token}} :public method login_url { {-prompt} {-return_url ""} {-login_hint} {-domain_hint} {-code_challenge} {-code_challenge_method} } { # # Returns the URL for logging in # # "oauth2/authorize" is defined in RFC 6749, but requests # for MS id-tokens inversion v1.0 and v2.0 are defined # here: # https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens # if {${:version} in {"" "v1.0"}} { set base https://login.microsoftonline.com/common/oauth2/authorize } else { # # When version "v2.0" is used, the concrete tenant # (i.e. not "common" as in the earlier version) has to # be specified, unless the MS application is # configured as a multi-tenant application. # set base https://login.microsoftonline.com/${:tenant}/oauth2/${:version}/authorize } set client_id ${:client_id} set scope ${:scope} set response_type ${:response_type} set nonce [::xo::oauth::nonce] set response_mode form_post set state [:encoded_state -return_url $return_url] set redirect_uri [:qualified ${:responder_url}] return [export_vars -no_empty -base $base { client_id response_type redirect_uri response_mode state scope nonce prompt login_hint domain_hint code_challenge code_challenge_method }] } :public method logout_url { {-return_url ""} } { # # Returns the URL for logging out. After the logout, azure # redirects to the given page. # set base https://login.microsoftonline.com/common/oauth2/logout set post_logout_redirect_uri [:qualified $return_url] return [export_vars -no_empty -base $base { post_logout_redirect_uri }] } :public method logout {} { # # Perform logout operation form MS in the background # (i.e. without a redirect). # ns_http run [:logout_url] } :method get_user_data { -token } { # # Get data via the provided token (which comes from the # "id_token"). In case of an error or incomplete data, # add this information the result dict. # # See here for AD claim sets: # https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims # # The error codes returned by Azure are defined here: # https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-error-codes # Extra errors for OpenACS are prefixed with "oacs-" # # @return return a dict containing the extracted fields set result {} lassign [split $token .] jwt_header jwt_claims jwt_signature #ns_log notice "[self]: jwt_header <[:json_to_dict [encoding convertfrom "utf-8" [ns_base64urldecode -- $jwt_header]]]>" if {$jwt_claims eq ""} { dict set result error [ns_queryget error] return $result } # # At least in the case of Azure, the jwt content is # already in UTF-8, so no "-binary" flag is needed. # set claims [:json_to_dict [encoding convertfrom "utf-8" [ns_base64urldecode -- $jwt_claims]]] dict set result claims $claims set data [:get_required_fields -claims $claims -mapped_fields { {upn email} {family_name last_name} {given_name first_names} }] if {[dict exists $data error]} { set result [dict merge $data $result] } else { set result [dict merge $result [dict get $data fields]] } return $result }XQL Not present: Generic, PostgreSQL, Oracle
