As you may already know, Open edX was successfully integrated with Office 365 last summer. This eventually meant that by publishing the Cypress version of Open edX, its developers enabled a single sign-on point to multiple Open edX instances. Authorization with Facebook, Google, and Office 365 (using Azure AD OAuth) became possible, further improving the ease of use and convenience.
However, the problem we faced was quite unexpected: python-social-auth does not work with the Microsoft backend. How we pinned this down, and the solution we came up with, are described below.
Standard Microsoft Auth Procedures
As you may know, Microsoft offers two ways of authorization to their products:
- Business entities can log in via Azure AD
- Private persons can use their Microsoft ID
This involves using the OAuth 2.0 protocol for user authentication, described in detail in this article. More examples and variants of user authentication to Microsoft services are covered in this Microsoft Graph article, which provides a tutorial on customer and app authorization.
TL;DR – Microsoft provides a script for your social auth that sends your customers to the Microsoft authorisation page. There they use the login and password for the corresponding social network (or Office 365 account), but they do not submit these credentials to you – they submit them to Microsoft. If everything succeeds, your app receives an authorization code, which is required to obtain an OAuth access token.
However, the users do not log in immediately. Instead, they are redirected to the signup page with pre-filled fields. This is done by the Open edX LMS by default: all the information provided with the OAuth access token is used to fill the signup form fields, according to certain pipelines. If some data is missing, the signup flow is halted and the user is presented with an HTML page (“Enter your email address”, for example). Once the required information is received, the signup flow continues along the pipeline.
Issues with Studio Social Authorization
While social auth works fine for the Open edX LMS, the release of the Cypress version broke this functionality in Studio. We had to apply this strategy for python-social-auth, which allows you to fetch configuration from ConfigurationModels instead of Django settings. This module was developed by Braden MacDonald, and the source code is described in detail on GitHub.
Another Django strategy for python-social-auth is described here. The point is that it forces your app to use Django auth, not third-party auth. As a result, this strategy was of no use for our purposes.
What did we do in the end? We worked around this issue with a hook: if none of the other strategies work, the app is forced to use a third-party strategy. And everything seemed to be perfectly fine… until we found an article mentioning this pull request. The funniest thing is that this request had not been visible until the moment it was merged into the main branch. And while it enabled all the functionality we needed, it did not work until we replaced \COMMON\ with our Active Directory name in AUTHORIZATION_URL.
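The two points above (the signup pipeline halting on missing data, and the tenant name replacing the "common" segment of the authorization URL) as an added, self-contained example; this is not Open edX, python-social-auth or the pull request's code, and the tenant name, client id and redirect URI are constructed placeholders.

```python
import urllib.parse

# Constructed placeholders: substitute your own tenant, client id and redirect URI.
TENANT = "example-tenant.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://lms.example.org/auth/complete/azuread-oauth2/"
# Azure AD authorize endpoint; "{tenant}" is "common" (any directory) or one tenant.
AUTHORIZATION_URL = "https://login.microsoftonline.com/{tenant}/oauth2/authorize"
# Fields the signup pipeline needs before it can create the account.
REQUIRED_FIELDS = ("email", "username", "fullname")


def build_authorization_url(tenant: str, state: str) -> str:
    """Build the URL the user is redirected to for Microsoft sign-in.

    With the literal "common" tenant, Microsoft will authenticate users from
    any Azure AD directory; naming the tenant restricts sign-in to that
    directory, which is the AUTHORIZATION_URL change described in the post.
    """
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",       # authorization-code flow
        "redirect_uri": REDIRECT_URI,
        "state": state,                # anti-CSRF value, re-checked on callback
    }
    return AUTHORIZATION_URL.format(tenant=tenant) + "?" + urllib.parse.urlencode(params)


def tenant_matches(id_token_claims: dict, expected_tenant_id: str) -> bool:
    """Defensive check: the 'tid' claim must name the directory you expect.

    This matters when the "common" endpoint is kept, since then the token may
    come from any tenant; with a tenant-specific URL it is a cheap second check.
    """
    return id_token_claims.get("tid") == expected_tenant_id


def signup_pipeline_step(details: dict) -> dict:
    """Mimic the LMS pipeline: halt listing missing fields, or continue.

    'details' is the user data extracted from the token/profile; a halt is
    where the LMS shows the user an HTML page asking for the missing values.
    """
    missing = [field for field in REQUIRED_FIELDS if not details.get(field)]
    if missing:
        return {"status": "halt", "missing": missing}
    return {"status": "continue",
            "user": {field: details[field] for field in REQUIRED_FIELDS}}
```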