Extension MSAL


Extension Basics

Title
MSAL
Name
ckanext-msal
Type
Public extension
Description
Sign in users with Microsoft identities using Microsoft Authentication Library (MSAL)
CKAN versions

~2.9, ~2.10, ~2.11

Download-Url (zip)
Download-Url commit date
2025-01-23
Url to repo
Category
Authentication & Security


Background Infos

Description (long)

The msal extension enables authentication with Microsoft identities, including Azure AD, Microsoft Accounts and Azure AD B2C accounts, using the Microsoft Authentication Library (MSAL) for Python. It works with Microsoft 365 accounts. The extension requires CKAN 2.11+ (use version 1.5.2 for CKAN 2.10 and earlier). Configuration includes a mandatory client ID and client secret from the Azure AD app registration, an optional tenant ID (defaults to ‘common’ for multi-tenant), a customizable redirect path, session lifetime management via periodic access token checks, and email domain restrictions (both a blacklist and a whitelist). It supports conditional policies from Azure AD and provides a custom error message for restricted domains.

Version
1.6.0
Version release date
2025-01-23
Contact name
DataShades
Contact email
Contact Url
(not set)


Installation Guide

Configuration hints

Requirements:
- CKAN 2.11+
- For CKAN 2.10 and earlier use version 1.5.2
- Azure AD application registration

Installation:
1. Activate the CKAN virtualenv
2. Clone and install:
   git clone https://github.com/DataShades/ckanext-msal.git
   cd ckanext-msal
   pip install -e .
   pip install -r requirements.txt

Add to ckan.plugins: msal

Configuration:

Application client ID from Azure AD (MANDATORY)

ckanext.msal.client_id = 000000-0000-0000-0000-00000000000

Client secret from Azure AD (MANDATORY)

ckanext.msal.client_secret = 000000-0000-0000-0000-00000000000

Tenant ID (optional, default: ‘common’ for multi-tenant)

Note: Using ‘common’ may cause issues; specify your tenant ID for the extension to function properly

ckanext.msal.tenant_id = 000000-0000-0000-0000-00000000000

Redirect path - must be configured in Azure AD web app

Handles response from Microsoft (optional, default: /get_msal_token)

ckanext.msal.redirect_path = /get_msal_token

Session lifetime in seconds (optional, default: 3600)

How often to check, via the Microsoft Graph API, whether the access token is still valid

Note: The session lifespan itself is managed by Azure AD conditional policies

ckanext.msal.session_lifetime = 3600

Restricted email domains - users cannot log in with these domains (optional)

ckanext.msal.restrict.domain_list = gmail.com, onmicrosoft.com

Allowed email domains - only these domains are allowed (optional)

ckanext.msal.restrict.allowed_domain_list = protonmail.com, orgname.onmicrosoft.com

Error message for restricted domains (optional)

ckanext.msal.restrict.error_message = Your email domain is restricted. Please, contact site admin.
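The domain_list / allowed_domain_list settings above describe what is restricted but not how a practitioner can verify the matching rules before rolling them out. The following is an added, illustrative reimplementation of such a check; it is not the ckanext-msal code. It assumes (a) an allowed_domain_list, when non-empty, takes precedence over domain_list, (b) matching is exact and case-insensitive on the part after the last "@", so "onmicrosoft.com" in the blacklist does not block "orgname.onmicrosoft.com", and (c) malformed addresses are rejected with the configured error message. The config dictionary and function names are constructed for this example.

```python
"""Illustrative email-domain allow/deny check (hypothetical, not the extension's code)."""
from typing import Dict, Optional, Set

# Constructed sample values, mirroring the ckan.ini keys documented above.
SAMPLE_CONFIG: Dict[str, str] = {
    "ckanext.msal.restrict.domain_list": "gmail.com, onmicrosoft.com",
    "ckanext.msal.restrict.allowed_domain_list": "",
    "ckanext.msal.restrict.error_message": (
        "Your email domain is restricted. Please, contact site admin."
    ),
}

DEFAULT_ERROR = "Your email domain is restricted."


def parse_domain_list(raw: str) -> Set[str]:
    """Split a comma-separated ckan.ini value into a set of lowercase domains."""
    return {d.strip().lower() for d in raw.split(",") if d.strip()}


def email_domain(email: str) -> Optional[str]:
    """Return the lowercase domain of an address, or None if it is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def check_email_domain(email: str, config: Dict[str, str]) -> Optional[str]:
    """Return None when the address may sign in, else the configured error message.

    Assumed precedence: a non-empty allowed list wins; otherwise the
    restricted list is consulted; otherwise the address is accepted.
    """
    error = config.get("ckanext.msal.restrict.error_message", DEFAULT_ERROR)
    domain = email_domain(email)
    if domain is None:
        return error  # reject addresses without a usable domain
    allowed = parse_domain_list(config.get("ckanext.msal.restrict.allowed_domain_list", ""))
    denied = parse_domain_list(config.get("ckanext.msal.restrict.domain_list", ""))
    if allowed:
        return None if domain in allowed else error
    if domain in denied:
        return error
    return None


if __name__ == "__main__":
    for addr in ("alice@GMAIL.com", "bob@orgname.onmicrosoft.com", "not-an-address"):
        print(addr, "->", check_email_domain(addr, SAMPLE_CONFIG) or "allowed")
```

Running the block with the sample blacklist rejects the Gmail address regardless of letter case, accepts the orgname.onmicrosoft.com subdomain because matching is exact, and rejects a string without an "@". Switching to the allowlist by filling in allowed_domain_list inverts the default: anything not listed is refused.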

Azure AD Setup:
1. Register the application in Azure AD
2. Configure a redirect URI matching ckanext.msal.redirect_path
3. Generate a client secret
4. Configure conditional policies if needed

Development:
git clone https://github.com/DataShades/ckanext-msal.git
cd ckanext-msal
python setup.py develop
pip install -r dev-requirements.txt

Testing: pytest --ckan-ini=test.ini

Plugins to configure (ckan.ini)
msal
CKAN Settings (ckan.ini)
# ckanext.msal.client_id = 000000-0000-0000-0000-00000000000
# ckanext.msal.client_secret = 000000-0000-0000-0000-00000000000
# ckanext.msal.tenant_id = 000000-0000-0000-0000-00000000000
# ckanext.msal.redirect_path = /get_msal_token
# ckanext.msal.session_lifetime = 3600
# ckanext.msal.restrict.domain_list = gmail.com, onmicrosoft.com
# ckanext.msal.restrict.allowed_domain_list = protonmail.com, orgname.onmicrosoft.com
# ckanext.msal.restrict.error_message = Your email domain is restricted. Please, contact site admin.
DB migration to be executed
(not set)