Add Entra ID authentication with role-based access control
Implement Microsoft Entra ID (Azure AD) authentication with user and admin roles. Features: - OAuth 2.0 authentication flow using MSAL - User and admin role-based access control - Tenant ownership and access management - Server-side session storage - Protected routes with authentication decorators Authentication: - Users authenticate via Microsoft organizational accounts - Admin role automatically assigned to DEFAULT_ADMIN_EMAIL - User profiles synced from Microsoft Graph API Access Control: - Admins: Full access to all tenants and server settings - Users: Can create and manage their own tenants only - Tenant association: Auto-created when user adds products - API endpoints remain open for AR application access Database Changes: - New users table with email, azure_oid, name, and role - New user_tenants table for many-to-many tenant ownership - Case-insensitive admin email comparison Configuration: - Environment-based config via .env file - Azure AD credentials (client ID, secret, tenant ID) - Configurable redirect URI and admin email - Updated to Flask 2.2.5 for compatibility
This commit is contained in:
24
.env.example
Normal file
24
.env.example
Normal file
@@ -0,0 +1,24 @@
|
||||
# Flask Configuration
|
||||
SECRET_KEY=your-secret-key-change-this-in-production
|
||||
FLASK_DEBUG=1
|
||||
|
||||
# Entra ID (Azure AD) Configuration
|
||||
# Get these values from your Azure Portal > App Registrations
|
||||
AZURE_CLIENT_ID=your-client-id-here
|
||||
AZURE_CLIENT_SECRET=your-client-secret-here
|
||||
AZURE_TENANT_ID=your-tenant-id-here
|
||||
|
||||
# Redirect URI - Update this to match your deployment URL
|
||||
# For local development: http://localhost:5555/auth/callback
|
||||
# For production: https://yourdomain.com/auth/callback
|
||||
REDIRECT_URI=http://localhost:5555/auth/callback
|
||||
|
||||
# Azure AD Authority URL (usually don't need to change this)
|
||||
AUTHORITY=https://login.microsoftonline.com/
|
||||
|
||||
# Scopes for Microsoft Graph API (to get user info)
|
||||
SCOPE=User.Read
|
||||
|
||||
# Application Settings
|
||||
# Default admin email (this user will have admin role automatically)
|
||||
DEFAULT_ADMIN_EMAIL=admin@yourdomain.com
|
||||
Reference in New Issue
Block a user