As you may already know, Open edX was successfully integrated with Office 365 last summer. This eventually meant that by publishing Cypress version of Open edX, its developers enabled a single sign-on point to multiple Open edX instances. Authorisation with Facebook, Google and Office 365 (using Azure AD OAuth) became possible, further improving the ease of use and convenience.
However, the problem we faced was quite unexpected. Python-social-auth does not work with Microsoft backend. The process of pointing this out and the solution we came up with is described below.
Standard Microsoft Auth Procedures
As you may know, Microsoft offers 2 ways of authorisation to their products:
- Business entities can log in via Azure AD
- Private persons can use their Microsoft ID
This involves using OAuth 2.0 protocol for user authentication, described in details in this article. More examples and variants of possible user authentication to Microsoft services are depicted in this Microsoft Graph article, providing a tutorial on customer and app authorization.
TL;DR – Microsoft provides a script for your social auth, which leads your customers to Microsoft authorisation page. They should use their login and password for the corresponding social network (or Office 365 account) there, but they do not submit these credentials to you – they submit it to Microsoft. If everything is successful, your app receives an authorization code, required to get an OAuth access token.
However, the users do not log in immediately. Instead, they are redirected to signup page with pre-filled in fields. This is done by Open edX LMS by default. All the information provided in the OAuth access token is used to fill the signup form fields. This is done according to certain pipelines. If some data is missing, signup flow is halted and the user is presented with an HTML-page (“Enter your email address”, for example). Once the required information is received, signup flow continues along the pipeline.
Issues with Studio Social Authorization
While social auth works fine for Open edX LMS, the release of Cypress version put an end to this functionality in Studio. We had to apply this strategy for python-social-auth, allowing you to fetch configuration from ConfigurationModels instead of django.settings. This module was developed by Braden MacDonald and the source code was described in details on Github.
Another Django Strategy for python-social-auth is depicted here. The point is, it forces your app to use Django auth, not python-third-party-auth. As a result, this strategy was obsolete for our purposes.
What did we do in the end? We surpassed this issue with a hook – if none of other strategies work, the app is forced to use third-party-auth Strategy. And everything seemed to be perfectly fine… until we found this article, mentioning this pull request. The funniest thing is, this request hadn’t been visible untill the moment it was merged with the main branch. And while enabling all the functionality we needed, it hadn’t not work until we replaced \COMMON\ with our Active Directory name in AUTHORIZATION_URL.
Thus said, we now have means of enabling single login point via social accounts for Open edX in Raccoon University.