Safe Haskell | Safe-Inferred |
---|---|
Language | Haskell2010 |
Functions for implementing Azure AD-based authentication
Both Auth Code Grant
(i.e. with browser client interaction) and App-only
(i.e. Client Credentials) authentication flows are supported. The former is useful when a user needs to login and delegate some permissions to the application (i.e. accessing personal data), whereas the second is for server processes and automation accounts.
Synopsis
- applyDotEnv :: MonadIO m => Maybe FilePath -> m ()
- type Token t = TVar (Maybe t)
- newNoToken :: MonadIO m => m (Token t)
- expireToken :: MonadIO m => Token t -> m ()
- readToken :: MonadIO m => Token t -> m (Maybe t)
- fetchUpdateToken :: MonadIO m => IdpApplication 'ClientCredentials AzureAD -> Token OAuth2Token -> Manager -> m ()
- defaultAzureCredential :: MonadIO m => String -> String -> IdpApplication 'ClientCredentials AzureAD -> Token OAuth2Token -> Manager -> m ()
- loginEndpoint :: MonadIO m => IdpApplication 'AuthorizationCode AzureAD -> RoutePattern -> Scotty m ()
- replyEndpoint :: MonadIO m => IdpApplication 'AuthorizationCode AzureAD -> Tokens UserSub OAuth2Token -> Manager -> RoutePattern -> Scotty m ()
- type Tokens uid t = TVar (TokensData uid t)
- newTokens :: (MonadIO m, Ord uid) => m (Tokens uid t)
- data UserSub
- lookupUser :: (MonadIO m, Ord uid) => Tokens uid t -> uid -> m (Maybe t)
- expireUser :: (MonadIO m, Ord uid) => Tokens uid t -> uid -> m ()
- tokensToList :: MonadIO m => Tokens k a -> m [(k, a)]
- withAADUser :: MonadIO m => Tokens UserSub t -> Text -> (t -> Action m ()) -> Action m ()
- type Scotty = ScottyT Text
- type Action = ActionT Text
Documentation
Load, parse and apply a .env
file
NB : overwrites any preexisting env vars
NB2 : if the .env
file is not found the program continues (i.e. this function is a no-op in that case)
A App-only flow (server-to-server)
expireToken :: MonadIO m => Token t -> m () Source #
Delete the current token
:: MonadIO m | |
=> IdpApplication 'ClientCredentials AzureAD | |
-> Token OAuth2Token | token TVar |
-> Manager | |
-> m () |
Fetch an OAuth token and keep it updated. Should be called as a first thing in the app
NB : forks a thread in the background
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
Default Azure Credential
defaultAzureCredential Source #
:: MonadIO m | |
=> String | Client ID |
-> String | Azure Resource URI (for |
-> IdpApplication 'ClientCredentials AzureAD | |
-> Token OAuth2Token | |
-> Manager | |
-> m () |
DefaultAzureCredential mechanism as in the Python SDK https://pypi.org/project/azure-identity/
Order of authentication attempts:
1) token request with client secret
2) token request via managed identity (App Service and Azure Functions) https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference
B Auth code grant flow (interactive)
OAuth endpoints
:: MonadIO m | |
=> IdpApplication 'AuthorizationCode AzureAD | |
-> RoutePattern | e.g. |
-> Scotty m () |
Login endpoint
see azureADApp
:: MonadIO m | |
=> IdpApplication 'AuthorizationCode AzureAD | |
-> Tokens UserSub OAuth2Token | token TVar |
-> Manager | |
-> RoutePattern | e.g. |
-> Scotty m () |
The identity provider redirects the client to the reply
endpoint as part of the OAuth flow : https://learn.microsoft.com/en-us/graph/auth-v2-user?view=graph-rest-1.0&tabs=http#authorization-response
NB : forks a thread per logged in user to keep their tokens up to date
In-memory user session
sub
field
Instances
FromJSON UserSub Source # | |
FromJSONKey UserSub Source # | |
Defined in Network.OAuth2.JWT | |
ToJSON UserSub Source # | |
Defined in Network.OAuth2.JWT | |
ToJSONKey UserSub Source # | |
Defined in Network.OAuth2.JWT | |
IsString UserSub Source # | |
Defined in Network.OAuth2.JWT fromString :: String -> UserSub # | |
Generic UserSub Source # | |
Show UserSub Source # | |
Eq UserSub Source # | |
Ord UserSub Source # | |
type Rep UserSub Source # | |
Defined in Network.OAuth2.JWT |
Look up a user identifier and return their current token, if any
Remove a user, i.e. they will have to authenticate once more
tokensToList :: MonadIO m => Tokens k a -> m [(k, a)] Source #
return a list representation of the Tokens
object
Scotty misc
Azure App Service
:: MonadIO m | |
=> Tokens UserSub t | |
-> Text | login URI |
-> (t -> Action m ()) | call MSGraph APIs with token |
-> Action m () |
Decode the App Service ID token header X-MS-TOKEN-AAD-ID-TOKEN
, look its user up in the local token store, supply token t
to continuation. If the user sub
cannot be found in the token store the browser is redirected to the login URI.
Special case of aadHeaderIdToken