Skip to content
This repository has been archived by the owner on Mar 22, 2024. It is now read-only.

User's mail should definitely not be taken from the "email" field in OAuth response #459

Open
peterkappelt opened this issue Jul 14, 2021 · 5 comments
Open

User's mail should definitely not be taken from the "email" field in OAuth response #459

peterkappelt opened this issue Jul 14, 2021 · 5 comments

Comments

@peterkappelt
Copy link

Hey folks, hope y'all doing well.

In this code snippet, the mail of a new user is taken from the field email in the OAuth response.

django_microsoft_auth/microsoft_auth/backends.py

Lines 167 to 180 in 2c50bcf

try:
# create new Django user from provided data
user = User.objects.get(email=data["email"])
if user.first_name == "" and user.last_name == "":
user.first_name = first_name
user.last_name = last_name
user.save()
except User.DoesNotExist:
user = User(
username=data["preferred_username"][:150],
first_name=first_name,
last_name=last_name,
email=data["email"],

This is really dangerous and should definitely not be done this way! The email field can be set by the tenant administrator and does not necessarily represent the actual user's mail. Please, take the upn field from the response. It actually represents an unique username
@JordanReiter
Copy link
Contributor

This should be a configurable field. I have an app, already written, with users in the database, and the value is coming from data["email"] and will break if forced to the other field name.

Suggested solution:

# settings.py
MICROSOFT_AUTH_EMAIL_FIELD = "email" # defaults to "upn"

And then in backends:


    from .conf import MICROSOFT_AUTH_EMAIL_FIELD

    ms_email = data.get(MICROSOFT_AUTH_EMAIL_FIELD) or data.get('upn') # default to upn if provided field is missing
    
    ...

       user = User.objects.get(email=ms_email)

@hazraa
Copy link
Contributor

hazraa commented Nov 10, 2021

We have existing admin users prior to adding django_microsoft_auth (dma).
One issue we have is that if the django admin user email doesn't match, dma
creates a new django user which is not what we want. Instead,
we only want to tie an existing django user with matching email to the microsoft
account and not create a new one. This is a change I am using and if considered
useful, I can create pull request for this.

@AngellusMortis
Copy link
Owner

Instead, we only want to tie an existing django user with matching email to the microsoft account and not create a new one.

That should already be supported. Set MICROSOFT_AUTH_AUTO_CREATE = False

@AngellusMortis
Copy link
Owner

Ideally (for full AD support), the Microsoft / Django field mappings should be configurable. As previously stated elsewhere, this package was only really designed for the common tenant (Microsoft accounts).

@hazraa
Copy link
Contributor

hazraa commented Nov 10, 2021

With MICROSOFT_AUTH_AUTO_CREATE = False , It seems it doesn't create a
microsoft auth token in admin when I have a matching email address.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@JordanReiter @AngellusMortis @hazraa @peterkappelt