Azure OAuth documentation and html templates

README.md

@@ -12,7 +12,7 @@ A PowerDNS web interface with advanced features.
 - User access management based on domain
 - User activity logging
 - Support Local DB / SAML / LDAP / Active Directory user authentication
-- Support Google / Github / OpenID OAuth
+- Support Google / Github / Azure / OpenID OAuth
 - Support Two-factor authentication (TOTP)
 - Dashboard and pdns service statistics
 - DynDNS 2 protocol support
@@ -179,3 +179,24 @@ source .env
 ```
 eralchemy -i 'mysql://${PDA_DB_USER}:${PDA_DB_PASSWORD}@'$(docker inspect powerdns-admin-mysql|jq -jr '.[0].NetworkSettings.Networks.powerdnsadmin_default.IPAddress')':3306/powerdns_admin' -o /tmp/output.pdf
 ```
+
+### OAuth Authentication
+
+#### Microsoft Azure
+
+To link to Azure for authentication, you need to register PowerDNS-Admin in Azure.  This requires your PowerDNS-Admin web interface to use an HTTPS URL.
+
+* Under the Azure Active Directory, select App Registrations, and create a new one.  Give it any name you want, and the Redirect URI shoule be type 'Web' and of the format https://powerdnsadmin/azure/authorized (replace the host name approriately).
+* Select the newly-created registration
+* On the Overview page, the Application ID is your new Client ID to use with PowerDNS-Admin
+* On the Overview page, make a note of your Directory/Tenant ID - you need it for the API URLs later
+* Ensure Access Tokens are enabled in the Authentication section
+* Under Certificates and Secrets, create a new Client Secret.  Note this secret as it is the new Client Secret to use with PowerDNS-Admin
+* Under API Permissions, you need to add permissions.  Add permissions for Graph API, Delegated.  Add email, openid, profile, User.Read and possibly User.Read.All.  You then need to grant admin approval for your organisation.
+
+Now you can enable the OAuth in PowerDNS-Admin.
+* For the Scope, use 'User.Read openid mail profile'
+* Replace the [tenantID] in the default URLs for authorize and token with your Tenant ID.
+* Restart PowerDNS-Admin
+
+This should allow you to log in using OAuth.

app/models.py

@@ -2081,7 +2081,7 @@ class Setting(db.Model):
         'azure_oauth_enabled': False,
         'azure_oauth_key': '',
         'azure_oauth_secret': '',
-        'azure_oauth_scope': 'User.Read',
+        'azure_oauth_scope': 'User.Read openid email profile',
         'azure_oauth_api_url': 'https://graph.microsoft.com/v1.0/',
         'azure_oauth_token_url': 'https://login.microsoftonline.com/[tenancy]/oauth2/v2.0/token',
         'azure_oauth_authorize_url': 'https://login.microsoftonline.com/[tenancy]/oauth2/v2.0/authorize',

app/templates/admin_setting_authentication.html

@@ -676,6 +676,40 @@
     {% endif %}
     // END: Github tab js
 
+    // START: Azure tab js
+    // update validation requirement when checkbox is togged
+    $('#azure_oauth_enabled').iCheck({
+        checkboxClass : 'icheckbox_square-blue',
+        increaseArea : '20%'
+    }).on('ifChanged', function(e) {
+        var is_enabled = e.currentTarget.checked;
+        if (is_enabled){
+            $('#azure_oauth_key').prop('required', true);
+            $('#azure_oauth_secret').prop('required', true);
+            $('#azure_oauth_scope').prop('required', true);
+            $('#azure_oauth_api_url').prop('required', true);
+            $('#azure_oauth_token_url').prop('required', true);
+            $('#azure_oauth_authorize_url').prop('required', true);
+        } else {
+            $('#azure_oauth_key').prop('required', false);
+            $('#azure_oauth_secret').prop('required', false);
+            $('#azure_oauth_scope').prop('required', false);
+            $('#azure_oauth_api_url').prop('required', false);
+            $('#azure_oauth_token_url').prop('required', false);
+            $('#azure_oauth_authorize_url').prop('required', false);
+        }
+    });
+    // init validation requirement at first time page load
+    {% if SETTING.get('azure_oauth_enabled') %}
+        $('#azure_oauth_key').prop('required', true);
+        $('#azure_oauth_secret').prop('required', true);
+        $('#azure_oauth_scope').prop('required', true);
+        $('#azure_oauth_api_url').prop('required', true);
+        $('#azure_oauth_token_url').prop('required', true);
+        $('#azure_oauth_authorize_url').prop('required', true);
+    {% endif %}
+    // END: Azure tab js
+
     // START: OIDC tab js
     $('#oidc_oauth_enabled').iCheck({
         checkboxClass : 'icheckbox_square-blue',

app/templates/login.html

@@ -84,13 +84,17 @@
         <!-- /.col -->
       </div>
     </form>
-    {% if SETTING.get('google_oauth_enabled') or SETTING.get('github_oauth_enabled') or SETTING.get('oidc_oauth_enabled') %}
+    {% if SETTING.get('google_oauth_enabled') or SETTING.get('github_oauth_enabled') or SETTING.get('oidc_oauth_enabled') or SETTING.get('azure_oauth_enabled') %}
     <div class="social-auth-links text-center">
       <p>- OR -</p>
       {% if SETTING.get('oidc_oauth_enabled') %}
       <a href="{{ url_for('oidc_login') }}" class="btn btn-block btn-social btn-openid btn-flat"><i class="fa fa-openid"></i> Sign in using
         OpenID Connect</a>
       {% endif %}
+      {% if SETTING.get('azure_oauth_enabled') %}
+      <a href="{{ url_for('azure_login') }}" class="btn btn-block btn-social btn-github btn-flat"><i class="fa fa-azure"></i> Sign in using
+        Microsoft Azure</a>
+      {% endif %}
       {% if SETTING.get('github_oauth_enabled') %}
       <a href="{{ url_for('github_login') }}" class="btn btn-block btn-social btn-github btn-flat"><i class="fa fa-github"></i> Sign in using
         Github</a>