ms-auth-0.4.0.0: Microsoft Authentication API
Safe Haskell: Safe-Inferred
Language: Haskell2010

MSAuth

Description

Functions for implementing Azure AD-based authentication

Both the Authorization Code Grant (i.e. with a user involved in the authorization loop) and the Client Credentials Grant (i.e. app only) are supported. The former is useful when a user needs to log in and delegate some permissions to the application (e.g. access to their personal data), whereas the latter is for server processes and automation accounts that act with their own identity.

Synopsis

A) Client Credentials flow (server-to-server)

type Token t = TVar (Maybe t)

App has (at most) one token at a time

tokenUpdateLoop
  :: MonadIO m
  => IdpApplication 'ClientCredentials AzureAD  -- client credentials grant only
  -> Manager
  -> m (Token OAuth2Token)

Forks a thread that keeps the OAuth token up to date inside a TVar. Call it once per application and share the returned Token: each call forks a further refresh thread.

expireToken :: MonadIO m => Token t -> m ()

Delete the current token

readToken :: MonadIO m => Token t -> m (Maybe t)

Read the current value of the token

Default Azure Credential

defaultAzureCredential
  :: MonadIO m
  => String                                     -- Client ID
  -> String                                     -- Azure Resource URI (for the managed identity flow)
  -> IdpApplication 'ClientCredentials AzureAD
  -> Token OAuth2Token
  -> Manager
  -> m ()

DefaultAzureCredential mechanism as in the Python SDK (https://pypi.org/project/azure-identity/): the credential sources below are tried in order and the token obtained is written into the supplied Token.

Order of authentication attempts:

1) token request with client secret

2) token request via managed identity (App Service and Azure Functions): https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#rest-endpoint-reference
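The following is an added example, not code from ms-auth, showing how the client-credentials pieces above fit together in a server process: the update loop is started exactly once, the resulting Token is shared, an absent token is treated as "not authenticated" rather than sent as an empty credential, and a 401 from the resource server clears the cached token so it is not reused. Assumed, and not stated on this page: the hoauth2 2.x module names for IdpApplication, GrantTypeFlow, AzureAD and OAuth2Token; an IdpApplication value built elsewhere (see azureADApp); the Microsoft Graph URL and the start-up delay are illustrative only.

```haskell
{-# LANGUAGE DataKinds #-}
{-# LANGUAGE OverloadedStrings #-}
module ClientCredsExample where

import Control.Concurrent (threadDelay)
import Data.Text.Encoding (encodeUtf8)
import Network.HTTP.Client (Manager, Request, httpLbs, parseRequest, requestHeaders, responseStatus)
import Network.HTTP.Client.TLS (newTlsManager)
import Network.HTTP.Types.Status (statusCode)
import Network.OAuth.OAuth2 (AccessToken (..), OAuth2Token (..))      -- hoauth2 2.x (assumed)
import Network.OAuth2.Experiment (GrantTypeFlow (..), IdpApplication)  -- hoauth2 2.x (assumed)
import Network.OAuth2.Provider.AzureAD (AzureAD)                       -- hoauth2-providers (assumed)
import MSAuth (Token, expireToken, readToken, tokenUpdateLoop)

-- | Attach the current app-only token as a Bearer credential.
-- Nothing means the update loop has not obtained a token (yet), e.g. right
-- after start-up or after a failed refresh. Callers must treat that as
-- "not authenticated"; never fall back to an unauthenticated request.
withBearer :: Token OAuth2Token -> Request -> IO (Maybe Request)
withBearer tok req = do
  mt <- readToken tok
  pure $ fmap addAuth mt
  where
    addAuth t =
      req { requestHeaders =
              ("Authorization", "Bearer " <> encodeUtf8 (atoken (accessToken t)))
                : requestHeaders req }

-- | One authenticated call. On 401 the cached token is dropped so that the
-- next reader cannot reuse a credential the resource server already rejected.
-- The URL is illustrative; any API accepting this token works the same way.
callApi :: Manager -> Token OAuth2Token -> String -> IO (Either String Int)
callApi mgr tok url = do
  req0 <- parseRequest url
  mreq <- withBearer tok req0
  case mreq of
    Nothing  -> pure (Left "no token available yet")
    Just req -> do
      resp <- httpLbs req mgr
      let code = statusCode (responseStatus resp)
      if code == 401
        then expireToken tok >> pure (Left "token rejected by resource server; cache cleared")
        else pure (Right code)

-- | Start-up wiring. 'app' is an IdpApplication built with hoauth2 (not shown
-- on this page). tokenUpdateLoop is called once; every caller shares 'tok'.
runOnce :: IdpApplication 'ClientCredentials AzureAD -> IO ()
runOnce app = do
  mgr <- newTlsManager
  tok <- tokenUpdateLoop app mgr
  threadDelay 2000000   -- give the loop a moment to fetch the first token (illustrative)
  r <- callApi mgr tok "https://graph.microsoft.com/v1.0/users"
  print r
```

Whether and when the refresh thread repopulates the TVar after expireToken is library behaviour the page does not spell out; the point of clearing it here is only that a rejected token is never handed out again.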

B) Auth code grant flow (interactive)

OAuth endpoints

loginEndpoint
  :: MonadIO m
  => IdpApplication 'AuthorizationCode AzureAD
  -> RoutePattern                               -- e.g. "/login"
  -> Scotty m ()

Login endpoint: starts the authorization code flow for a browser user.

See azureADApp.

replyEndpoint
  :: MonadIO m
  => IdpApplication 'AuthorizationCode AzureAD
  -> Tokens UserSub OAuth2Token                 -- token TVar
  -> Manager
  -> RoutePattern                               -- e.g. "/oauth/reply"
  -> Scotty m ()

The identity provider redirects the client to the reply endpoint as part of the OAuth flow: https://learn.microsoft.com/en-us/graph/auth-v2-user?view=graph-rest-1.0&tabs=http#authorization-response. The route must match the redirect URI registered for the application.

NB: forks a thread per logged-in user to keep their tokens up to date.

In-memory user session

type Tokens uid t = TVar (TokensData uid t)

Transactional, in-memory token store keyed by user identifier. Its contents do not survive a process restart.

newTokens :: (MonadIO m, Ord uid) => m (Tokens uid t)

Create an empty Tokens object

data UserSub

The sub (subject) claim of the user's ID token, used as the key into the token store.

Instances (all defined in Network.OAuth2.JWT): FromJSON, FromJSONKey, ToJSON, ToJSONKey, IsString, Generic, Show, Eq, Ord.

The Generic representation shows that UserSub is a newtype over Text with a single field, userSub.

lookupUser
  :: (MonadIO m, Ord uid)
  => Tokens uid t
  -> uid                                        -- user identifier, e.g. sub
  -> m (Maybe t)

Look up a user identifier and return their current token, if any

expireUser
  :: (MonadIO m, Ord uid)
  => Tokens uid t
  -> uid                                        -- user identifier, e.g. sub
  -> m ()

Remove a user from the store; they will have to authenticate again.

tokensToList :: MonadIO m => Tokens k a -> m [(k, a)]

Return a list representation of the Tokens object

Scotty misc

Azure App Service

withAADUser
  :: MonadIO m
  => Tokens UserSub t
  -> Text                                       -- login URI
  -> (t -> Action m ())                         -- call MS Graph APIs with token t, etc.
  -> Action m ()

Decode the App Service ID token header X-MS-TOKEN-AAD-ID-TOKEN, look its user (sub) up in the local token store and pass the stored token t to the continuation. If the sub cannot be found in the token store, the browser is redirected to the login URI.

App Service authentication sets this header; trust it only when the app is reachable solely through that front end, since any client can otherwise supply a header of its own.

Special case of aadHeaderIdToken
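The following is an added example, not code from ms-auth, wiring the auth-code endpoints above (loginEndpoint, replyEndpoint, newTokens) and the App Service route guard withAADUser into one Scotty application. Assumed, and not stated on this page: hoauth2 2.x module names; web-scotty < 0.20, where ScottyT carries the error type, so that ms-auth's Scotty m / Action m aliases unify with ScottyT TL.Text m / ActionT TL.Text m; an IdpApplication built elsewhere (see azureADApp); the port and route names are illustrative.

```haskell
{-# LANGUAGE DataKinds #-}
{-# LANGUAGE OverloadedStrings #-}
module AuthCodeExample where

import qualified Data.Text.Lazy as TL
import Network.HTTP.Client (Manager)
import Network.HTTP.Client.TLS (newTlsManager)
import Network.OAuth.OAuth2 (OAuth2Token (..))                         -- hoauth2 2.x (assumed)
import Network.OAuth2.Experiment (GrantTypeFlow (..), IdpApplication)  -- hoauth2 2.x (assumed)
import Network.OAuth2.Provider.AzureAD (AzureAD)                       -- hoauth2-providers (assumed)
import Web.Scotty.Trans (ScottyT, get, scottyT, text)                  -- web-scotty < 0.20 (assumed)
import MSAuth (Tokens, UserSub, loginEndpoint, newTokens, replyEndpoint, withAADUser)

-- | Routes for an app deployed behind Azure App Service authentication.
routes
  :: IdpApplication 'AuthorizationCode AzureAD
  -> Tokens UserSub OAuth2Token
  -> Manager
  -> ScottyT TL.Text IO ()
routes app toks mgr = do
  -- 1) the browser starts here and is sent to Azure AD to authenticate
  loginEndpoint app "/login"
  -- 2) Azure AD redirects back here with the authorization code. This path
  --    must be the redirect URI registered for the app. ms-auth stores the
  --    token under the user's sub and forks a refresh thread for that user.
  replyEndpoint app toks mgr "/oauth/reply"
  -- 3) a protected route. App Service authentication injects
  --    X-MS-TOKEN-AAD-ID-TOKEN; withAADUser decodes it, looks the sub up in
  --    toks and redirects to /login when that user has no stored token.
  --    Only trust the header when every request passes through App Service
  --    authentication: a directly reachable app could receive a forged one.
  get "/me" $ withAADUser toks "/login" $ \t ->
    -- t belongs in an Authorization: Bearer header on calls to Graph; it is
    -- never echoed back to the browser, only metadata about it is shown.
    text ("signed in; access token expires in "
          <> maybe "?" (TL.pack . show) (expiresIn t) <> " s")

-- | Start-up wiring. 'app' is built with hoauth2 (not shown on this page);
-- the token store is created once and shared by all routes.
runApp :: IdpApplication 'AuthorizationCode AzureAD -> IO ()
runApp app = do
  mgr  <- newTlsManager
  toks <- newTokens            -- empty in-memory store; emptied on restart
  scottyT 8080 id (routes app toks mgr)
```

Because the store is an in-memory TVar, a restart logs every user out (they are redirected to /login again), and running more than one instance behind App Service means each instance holds its own store unless sessions are pinned to an instance.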