|
1 | 1 | # reflex-azure-auth |
2 | 2 |
|
| 3 | +> **This repository is archived.** Use the OIDC support built into the |
| 4 | +> `reflex-enterprise` package instead. |
| 5 | +> |
| 6 | +> Notably, this package stores tokens in `LocalStorage`, which is readable by |
| 7 | +> any script running on the page (e.g. via XSS). The `reflex-enterprise` OIDC |
| 8 | +> state stores tokens in HttpOnly, `Secure`, `SameSite=Strict` cookies, and |
| 9 | +> additionally provides refresh tokens with cross-tab sync, nonce / `at_hash` |
| 10 | +> validation, and granted-scope tracking. Functionally, anything this package |
| 11 | +> does is also covered there. |
| 12 | +> |
| 13 | +> ### Migrating |
| 14 | +> |
| 15 | +> Subclass `OIDCAuthState` with `__provider__ = "azure"` — the same |
| 16 | +> `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, and `AZURE_ISSUER_URI` env vars are |
| 17 | +> picked up automatically (config lookup is `{PROVIDER}_*`): |
| 18 | +> |
| 19 | +> ```python |
| 20 | +> import reflex as rx |
| 21 | +> from reflex_enterprise.auth.oidc.state import OIDCAuthState |
| 22 | +> |
| 23 | +> class AzureAuthState(OIDCAuthState, rx.State): |
| 24 | +> __provider__ = "azure" |
| 25 | +> ``` |
| 26 | +> |
| 27 | +> For multi-tenant apps (issuer contains `/common/` or `/organizations/`), |
| 28 | +> override `_valid_issuers` to expand the accepted `iss` claim values to your |
| 29 | +> allow-listed tenants. This replaces the `AZURE_VALID_TENANT_IDS` env var: |
| 30 | +> |
| 31 | +> ```python |
| 32 | +> import os |
| 33 | +> |
| 34 | +> MSA_ISSUER = "9188040d-6c67-4c5b-b112-36a304b66dad" |
| 35 | +> |
| 36 | +> class AzureAuthState(OIDCAuthState, rx.State): |
| 37 | +> __provider__ = "azure" |
| 38 | +> |
| 39 | +> async def _valid_issuers(self) -> list[str] | None: |
| 40 | +> issuer = (await self._issuer_uri()).rstrip("/") |
| 41 | +> if "/consumers/v2.0" in issuer: |
| 42 | +> return [issuer.replace("/consumers/", f"/{MSA_ISSUER}/")] |
| 43 | +> if "/common/" in issuer or "/organizations/" in issuer: |
| 44 | +> template = issuer.replace("/common/", "/{tid}/").replace( |
| 45 | +> "/organizations/", "/{tid}/" |
| 46 | +> ) |
| 47 | +> tenants = [ |
| 48 | +> t.strip() |
| 49 | +> for t in os.environ.get("AZURE_VALID_TENANT_IDS", "").split(",") |
| 50 | +> if t.strip() |
| 51 | +> ] |
| 52 | +> return [template.format(tid=t) for t in tenants] or None |
| 53 | +> return None |
| 54 | +> ``` |
| 55 | +> |
| 56 | +> Render the login button — endpoints are registered automatically on first |
| 57 | +> use, so no explicit `register_auth_endpoints(app)` call is needed: |
| 58 | +> |
| 59 | +> ```python |
| 60 | +> AzureAuthState.get_login_button("Log In with Microsoft") |
| 61 | +> ``` |
| 62 | +> |
| 63 | +> Logout (`redirect_to_logout`) and `userinfo` keep the same names and shape. |
| 64 | +
|
| 65 | +--- |
| 66 | +
|
| 67 | +## Legacy usage (deprecated) |
| 68 | +
|
3 | 69 | This package requires the `reflex_enterprise` package to be installed. |
4 | 70 |
|
5 | 71 | ## Installation |
|
0 commit comments