CKAN is not redirecting to Microsoft Entra ID #6

Open
davilla41 opened this issue May 9, 2024 · 5 comments

@davilla41

Hello, I have installed the ckanext-msal extension using the documentation, this is my ckan.ini plugin configuration:

ckan.plugins = activity datatables_view datastore xloader scheming_datasets msal
ckan.resource_proxy.timeout = 5

ckanext.msal.client_id = <client_id>
ckanext.msal.client_secret = <client_secret>
ckanext.msal.tenant_id = <tenant_id>
ckanext.msal.redirect_path = https://<my_domain>/get_msal_token

I added this redirection URI to my app registration for CKAN on Azure:

https://my_domain/get_msal_token
Screen Shot 2024-05-08 at 21 04 08
Everything is a CKAN source installation made by the book on a headless Ubuntu 20.04 virtual machine with Nginx and uWSGI.

But still the redirection is not happening when I restart my server and click on the login button. Any suggestions?

@davilla41
Author

Update: I double-checked the plugin installation and configuration and discovered that I missed this command:
pip install -e .

Maybe because it is written funny in the documentation, as you can see here in the image below:
Screen Shot 2024-05-09 at 9 36 18

But now I'm getting a 502 Bad Gateway error that only disappears if I remove the msal extension name from the ckan.ini CKAN configuration file, in that case the site goes back to live again.

Any solution?

@davilla41
Author

davilla41 commented May 10, 2024

Update:
Whatever is happening is triggered by this configuration parameter:
ckanext.msal.redirect_path = https://<my_domain>/get_msal_token
The error message from uWSGI contains something like this:

File "/usr/lib/ckan/default/lib/python3.10/site-packages/werkzeug/routing.py", line 698, in __init__
    raise ValueError("urls must start with a leading slash")
ValueError: urls must start with a leading slash
unable to load app 0 (mountpoint='') (callable not found or import error)

If I remove the whole line the site is live again and even if I use this the site also works:
ckanext.msal.redirect_path = /get_msal_token

But in any case the login to Microsoft Entra ID is happening. Still lost here.

I also tried using the direct redirection URI directly on the browser:
https://my-domain.com/get_a_token
the result was a redirection to a 404 page.
Screen Shot 2024-05-10 at 8 43 46
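
An added example, not part of the original comment or of the ckanext-msal code: a pre-flight check for the two settings discussed above, run against the ini file before restarting uWSGI. It assumes the redirect URI sent to Entra ID is ckan.site_url + ckanext.msal.redirect_path; check_msal_redirect, the sample ini and ckan.example.org are constructed for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample mirroring the ckan.ini in this thread (placeholder domain).
SAMPLE_INI = """
[app:main]
ckan.site_url = https://ckan.example.org
ckan.plugins = activity datastore msal
ckanext.msal.redirect_path = https://ckan.example.org/get_msal_token
"""


def check_msal_redirect(ini_text, registered_uris):
    """Return a list of problems with the ckanext.msal redirect settings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    app = parser["app:main"]
    site_url = app.get("ckan.site_url", "").strip().rstrip("/")
    path = app.get("ckanext.msal.redirect_path", "").strip()
    problems = []

    parts = urlsplit(path)
    if parts.scheme or parts.netloc:
        # A full URL here is registered as a route and makes werkzeug raise
        # "urls must start with a leading slash" when the app loads.
        problems.append(f"redirect_path is a full URL; use the path only: {parts.path!r}")
        path = parts.path
    if not path.startswith("/"):
        problems.append("redirect_path must start with a leading slash")
        return problems

    # Assumption: the extension sends site_url + redirect_path to Entra ID,
    # which only accepts a redirect URI listed in the app registration.
    effective = site_url + path
    if effective not in registered_uris:
        problems.append(f"{effective} is not a registered redirect URI")
    return problems


if __name__ == "__main__":
    # Constructed list standing in for the URIs in the Azure app registration.
    registered = ["https://ckan.example.org/get_msal_token"]
    for problem in check_msal_redirect(SAMPLE_INI, registered):
        print(problem)
```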

@ryangermann-gov-on-ca

(sorry, I can't help you with this specific CKAN extension for Single Sign On, but I have implemented the ongov/msal CKAN SSO extension, so if you would consider using that one I'd be happy to help you get it set up.)

@davilla41
Author

> (sorry, I can't help you with this specific CKAN extension for Single Sign On, but I have implemented the ongov/msal CKAN SSO extension, so if you would consider using that one I'd be happy to help you get it set up.)

That will be great Ryan, just let me know how we meet or how I follow your instructions.

@ryangermann-gov-on-ca

ryangermann-gov-on-ca commented May 13, 2024

> That will be great Ryan, just let me know how we meet or how I follow your instructions.

Please google "InfoGo" which is the site listing all government of Ontario employees, and look me up by name. My email address is there.

The repository is at:

https://github.com/ongov/ckanext-msal

I didn't ask what version of CKAN you're using, I am not sure if it works with CKAN >2.10.
