Force Flask-AppBuilder to perform MFA authentication with OAuth2


I'm running an instance of Apache Superset, a Python Flask app that uses Flask-AppBuilder's security module.

I'm using an Azure SSO config similar to that from the docs:

    {
        "name": "azure",
        "icon": "fa-windows",
        "token_key": "access_token",
        "remote_app": {
            "client_id": "AZURE_APPLICATION_ID",
            "client_secret": "AZURE_SECRET",
            "api_base_url": "https://login.microsoftonline.com/AZURE_TENANT_ID/oauth2",
            "client_kwargs": {
                "scope": "User.read name preferred_username email profile upn",
                "resource": "AZURE_APPLICATION_ID",
                # Optionally enforce signature JWT verification
                "verify_signature": False
            },
            "request_token_url": None,
            "access_token_url": "https://login.microsoftonline.com/AZURE_TENANT_ID/oauth2/token",
            "authorize_url": "https://login.microsoftonline.com/AZURE_TENANT_ID/oauth2/authorize",
        },
    },

I have a problem where if a user has not already performed MFA authentication in their browser for another reason, their SSO sign-in to Superset will fail. They'll put in their username and password, but instead of being redirected to perform MFA, they get a message "Access is denied" with the Superset logs showing:

ERROR:flask_appbuilder.security.views:Error authorizing OAuth access token: interaction_required: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.

What can I add to my config to force an MFA login?


Solution

  • I switched to the /v2.0/ version of Azure's OAuth endpoint and that did the trick. I submitted a pull request to Flask-AppBuilder with the new example config and will share it here as well:

        {
            "name": "azure",
            "icon": "fa-windows",
            "token_key": "access_token",
            "remote_app": {
                "client_id": "AZURE_APPLICATION_ID",
                "client_secret": "AZURE_SECRET",
                "api_base_url": "https://login.microsoftonline.com/AZURE_TENANT_ID/oauth2/v2.0",
                "client_kwargs": {
                    "scope": "email profile openid",
                    "resource": "AZURE_APPLICATION_ID",
                    # Optionally enforce signature JWT verification
                    "verify_signature": False
                },
                "request_token_url": None,
                "access_token_url": "https://login.microsoftonline.com/AZURE_TENANT_ID/oauth2/v2.0/token",
                "authorize_url": "https://login.microsoftonline.com/AZURE_TENANT_ID/oauth2/v2.0/authorize",
                "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
            },
        },
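As an added application-side complement to the v2.0 endpoint fix above (example code written for this page, not from the question, the answer or Flask-AppBuilder): a claim check that a custom Superset security manager could run on the returned token before creating the session, so the app fails closed when the identity provider did not actually perform MFA. It assumes the token's signature has already been verified (the `"verify_signature": False` in both configs skips that, so the claims would be attacker-controllable) and that the tenant includes the `amr` claim in v2.0 tokens; `TENANT_ID`, `CLIENT_ID` are the page's placeholders, and `make_demo_token` and the unsigned sample tokens are constructed for offline use.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Placeholders copied from the config in the question; substitute real values.
TENANT_ID = "AZURE_TENANT_ID"
CLIENT_ID = "AZURE_APPLICATION_ID"
# Tokens from the v2.0 endpoint carry this issuer; v1.0 tokens use
# https://sts.windows.net/<tenant>/ and are rejected here.
V2_ISSUER = "https://login.microsoftonline.com/%s/v2.0" % TENANT_ID

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(jwt_token: str) -> dict:
    """Parse the payload of a compact JWT (header.payload.signature).

    This does NOT check the signature. Only call it on a token whose signature
    was already verified against jwks_uri; with "verify_signature": False
    these claims could be forged by whoever supplies the token.
    """
    parts = jwt_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def mfa_login_ok(claims: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Fail closed unless the token came from the v2.0 endpoint, is for this
    app, is unexpired, and records MFA in the amr (Authentication Methods
    References, RFC 8176) claim. Assumes the tenant emits amr in v2.0 tokens."""
    now = time.time() if now is None else now
    if claims.get("iss") != V2_ISSUER:
        return False, "unexpected issuer: %r" % claims.get("iss")
    if claims.get("aud") != CLIENT_ID:
        return False, "token not issued for this client"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "token expired"
    amr = claims.get("amr") or []
    if "mfa" not in amr:
        return False, "no MFA recorded in amr=%r" % amr
    return True, "ok"

def make_demo_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED test token (dummy signature segment) so
    the checks above can be exercised offline. Never accept such a token."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return "%s.%s.%s" % (enc({"alg": "none", "typ": "JWT"}), enc(claims), "dummy")
```

A custom security manager's `oauth_user_info` would call `mfa_login_ok(token_claims(response["id_token"]))` for the `azure` provider and return no user info when it fails, so Flask-AppBuilder denies the login instead of creating a session.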