Improvements to GeoNode OpenID for Entra ID (#12873)

Author: giohappy

geonode/people/adapters.py

@@ -319,9 +319,9 @@ def complete_login(self, request, app, token, response, **kwargs):
                 extra_data.update(profile_data)
             except Exception:
                 logger.exception(OAuth2Error("Invalid profile_url, falling back to id_token checks..."))
-        if not extra_data and "id_token" in response:
+        if "id_token" in response:
             try:
-                extra_data = jwt.decode(
+                extra_data_id_token = jwt.decode(
                     response["id_token"],
                     # Since the token was received by direct communication
                     # protected by TLS between this library and Google, we
@@ -338,6 +338,7 @@ def complete_login(self, request, app, token, response, **kwargs):
                     issuer=self.id_token_issuer,
                     audience=app.client_id,
                 )
+                extra_data.update(extra_data_id_token)
             except jwt.PyJWTError as e:
                 raise OAuth2Error("Invalid id_token") from e
         login = self.get_provider().sociallogin_from_response(request, extra_data)

geonode/settings.py

@@ -1991,11 +1991,12 @@ def get_geonode_catalogue_service():
         "prompt": "select_account",
     },
     "COMMON_FIELDS": {"email": "mail", "last_name": "surname", "first_name": "givenName"},
-    "UID_FIELD": "unique_name",
+    "UID_FIELD": "sub",
     "GROUP_ROLE_MAPPER_CLASS": SOCIALACCOUNT_GROUP_ROLE_MAPPER,
     "ACCOUNT_CLASS": "allauth.socialaccount.providers.microsoft.provider.MicrosoftGraphAccount",
     "ACCESS_TOKEN_URL": f"https://login.microsoftonline.com/{_AZURE_TENANT_ID}/oauth2/v2.0/token",
     "AUTHORIZE_URL": f"https://login.microsoftonline.com/{_AZURE_TENANT_ID}/oauth2/v2.0/authorize",
+    "ID_TOKEN_ISSUER": f"https://login.microsoftonline.com/{_AZURE_TENANT_ID}/v2.0",
     "PROFILE_URL": "https://graph.microsoft.com/v1.0/me",
 }