Microsoft Entra ID Authentication for Jampy


Stephen Castles

Jun 20, 2024, 1:10:06 PM
to Jam.py Users Mailing List
I would like to set up Microsoft Entra ID to provide access control for Jam.py. I originally tried hosting Jam.py on the Azure platform as an app service, and I was able to integrate Entra ID very quickly and seamlessly. Though Jam.py did function on Azure to some extent, I kept running into strange issues and eventually it broke completely and I could not get it running again, which pushed me to try hosting it at PythonAnywhere instead.

The instance running on PythonAnywhere is working great and was much easier to get running, but the trade-off has been more difficulty with getting Entra ID working. The first solution I tried was the password-based Single Sign On method to use the existing Jam.py login system. Though configuration was simple, unfortunately it was very buggy and also required a browser extension to function.

I am now looking into using OAuth 2.0 or OpenID Connect to integrate Entra ID with Jam.py, however it is unclear to me how Jam.py is structured and at what point in the files/code I would need to integrate the required libraries. Any information or clues are greatly appreciated. Thanks.

Dean D. Babic

Jun 20, 2024, 10:00:56 PM
to Jam.py Users Mailing List
Hi Steve, 
have you seen the OAuth in action from here?


And SAML here:


The auth.jampyapplicationbuilder.com is now pointed to ipam2. Since 
ipam2 was running SAML demo too, I decided to run OAuth 
demo instead. Not worth running the same on two sites.

There is NO need to touch any Jam files to get this running on v7.
All is happening as usual in Task/Server Module. The libs
are installed with pip, just like jam.
The certificates might be needed for the App, but that's not a Jam issue.
Also, a local file is used to store the secrets.

I do not know about Entra ID, sounds like an LDAP, so this is really simple
to configure. It was discussed here, and it should work with v5:
Btw, the SSL is a must.

However, with SAML (OAuth), the intention was always business users.
This is because of the infrastructure complexity, certificates, etc.
and the need to support this project financially.
Both won't work with v5, I'm afraid.

So, the option is to test v7 and see how it goes for you.
If all working well, decide about which auth method to use,
and we can go from there.

Regarding Azure and Jam, instead of the App service,
the proper VM is better. Why? Because App service has no LibreOffice (LO).
App Service will work, no issues.
But SAML needs a cert, and that cert is the Azure cert.
The LDAP with v5 still might work as usual on App Service,
still, no reports because no LO.

Regards

D.

Stephen

Jun 21, 2024, 1:32:26 AM
to Jam.py Users Mailing List
Hi D,

I am still very new to Entra ID, but it seems to support all of the standard protocols including OAuth and SAML. I didn't know that LDAP was an option, I will have to do some more reading on it.

As a learning exercise, I wrote a very simple Flask webapp that uses OAuth to interface with Entra ID using the msal library from Microsoft. After successful login to Microsoft and receiving a token, it shows a hello world message. After I got that working, I thought it may be possible to integrate similar code into Jam.py v5. Is this possible? If there are no major limitations in the way, I may be willing to invest some time into making it work.

v7 sounds very promising. How stable is it right now? Can a configuration from v5 be easily migrated or duplicated into v7? Is it available for download?

Thanks,
 Stephen

Dean D. Babic

Jun 21, 2024, 2:09:27 AM
to Jam.py Users Mailing List
It's Dean :)

Yeah mate, Flask has routing.
Jam v5 is SPA, so there is no routing.
Hence, Flask\Django example won't work with Jam v5.
Jam v7 has routing, so it is not SPA. But, the Docs are not
ready, so can't advise on that yet. Pls visit demos to get the idea
of usability.

Clone devel v7:
Install it:
cd into it
pip install .
OR:
python setup.py install

- backup index.html from your app
- copy index.html from v7 Demo to your app
- copy template.html from v7 Demo to your app
- start the App
- move stuff from index backup to Template on Builder
- move stuff from index backup to Index on Builder

Hope this helps.
D.

Dean D. Babic

Jun 21, 2024, 8:17:08 AM
to Jam.py Users Mailing List
Hi, 
I did have a quick look here:
As mentioned, Flask demo has this routing:

@app.route("/login")

@app.route(app_config.REDIRECT_PATH)

@app.route("/logout")

@app.route("/")

@app.route("/call_downstream_api")

It also has redirects:

    return redirect(url_for("index"))

    return redirect(auth.log_out(url_for("index", _external=True)))

    return redirect(url_for("login"))

Hence, v5 can't be used. Luckily, v7 does routing and redirects.
Danijel provided great examples how to do redirects in here:

D.
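
The login route and the redirect route listed above are the two halves of the OAuth 2.0 authorization-code flow, and the redirect route is where the server has to check that the response belongs to the login it started. The following is an added example, not part of the thread and not Jam.py or Microsoft sample code: a framework-neutral version of those two handlers in standard-library Python. The tenant, client ID, redirect URI and function names are placeholders and assumptions.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholders (assumptions): substitute your own app registration values.
TENANT = "TENANT_ID_PLACEHOLDER"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://app.example.com/auth/redirect"  # HTTPS, as the thread notes
AUTHORIZE = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"


def start_login(session):
    """Handler body for /login: bind a random state to this session and
    return the redirect to the identity provider."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": session["oauth_state"],
    })
    return 302, f"{AUTHORIZE}?{query}"


def validate_callback(session, callback_url):
    """Handler body for the redirect path: return the authorization code
    only if the state matches the one issued to this session."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: blocks replay
    received = params.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(
            expected.encode(), received.encode()):
        raise ValueError("state mismatch: response not tied to this login")
    if "error" in params or "code" not in params:
        raise ValueError("identity provider did not return a code")
    # A real app now exchanges the code at the token endpoint (the msal
    # library does this) and validates the ID token before trusting it.
    return params["code"][0]


if __name__ == "__main__":
    sess = {}  # stands in for a server-side session (constructed sample)
    print(start_login(sess))
    print(validate_callback(sess, f"{REDIRECT_URI}?code=abc&state={sess['oauth_state']}"))
```
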

Stephen Castles

Jun 21, 2024, 3:53:16 PM
to Jam.py Users Mailing List
Hi Dean, 

I appreciate you going into further depth about the inner workings of v5 vs v7, this has been a big learning experience for me. 

I was able to get the v7 demo running on PythonAnywhere, but when I try to link it to my own database and reconfigure it I run into some issues. For the sake of keeping things organized here I will start a new thread for my questions about that. 

Thanks, 
  Stephen