Hello! I’m Dave and I’m a developer at Penn State University. I’ve been working on a Django project for the past six years and we’ve been using django_microsoft_auth for authentication for the past three years or so. Since the project was archived a couple years ago I’ve been looking to get a replacement, but this week I decided to try to multitask and get some experience with Claude while working on this issue. The result is the repo at dms117/entra_auth on GitHub (a Claude-created Django library to authenticate with Entra ID) that I’m now using for my project.
I’m sharing this to ask for any reviews of the results as well as to make the project available for anyone who might be interested. It was really interesting to develop as well as educational.
I ran your repo through Claude and it returned a few security issues that Django provides fixes for out of the box. I didn’t confirm the finding, I just thought it was interesting and wondered if you put the project through an adversarial lens. Good luck, hope that helps!
Here’s an example:
The next parameter (in views, middleware, and decorators) is never validated against the current host. This is an open redirect — an attacker can craft a login link that bounces users to a phishing site after they successfully authenticate with Microsoft. Django provides url_has_allowed_host_and_scheme for exactly this.
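As an added illustration of the check described above (this is not code from the entra_auth repo): a dependency-free copy of the rules Django's `url_has_allowed_host_and_scheme` applies, wrapped in a hypothetical `resolve_next` helper that a login view would call with the request's host before redirecting. The host `app.example.edu` and the URLs are constructed samples; in a real Django project you would call Django's own function instead of the local copy.

```python
import unicodedata
from urllib.parse import urlsplit


# Local re-implementation of the logic in Django's
# django.utils.http.url_has_allowed_host_and_scheme(), kept here so the
# example runs without Django installed (assumption: behaviour matches).
def _single_url_is_safe(url, allowed_hosts, require_https):
    # Browsers treat three leading slashes as an absolute URL; urlsplit does not.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # "http:///evil.example" has a scheme but no netloc; browsers still
    # treat evil.example as the host, so reject it.
    if parts.scheme and not parts.netloc:
        return False
    # A leading control character can make a browser read the URL as scheme-relative.
    if unicodedata.category(url[0])[0] == "C":
        return False
    # A scheme-relative "//host/path" is effectively http.
    scheme = parts.scheme or ("http" if parts.netloc else "")
    valid_schemes = ("https",) if require_https else ("http", "https")
    return (not parts.netloc or parts.netloc in allowed_hosts) and (
        not scheme or scheme in valid_schemes
    )


def url_is_local_or_allowed(url, allowed_hosts, require_https=False):
    """True only if url is relative or points at one of allowed_hosts."""
    url = (url or "").strip()
    if not url:
        return False
    if isinstance(allowed_hosts, str):
        allowed_hosts = {allowed_hosts}
    # Some browsers treat "\" as "/", so both spellings must be safe.
    return _single_url_is_safe(url, allowed_hosts, require_https) and _single_url_is_safe(
        url.replace("\\", "/"), allowed_hosts, require_https
    )


def resolve_next(next_param, request_host, fallback="/", require_https=True):
    """Post-login redirect target: the validated ?next= value, else fallback.

    A login view would pass request.GET.get("next") and request.get_host().
    """
    if url_is_local_or_allowed(next_param, {request_host}, require_https):
        return next_param.strip()
    return fallback
```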
Thank you! I reviewed the items and ran the repo through Claude again, or tried to - it was having trouble reading the entire thing. But mentioning your example helped and it was able to add some other updates as well, including cycling the session key, adding urlencode to logout redirection, and checking the cookie session engine. I really appreciate your time, this is the kind of feedback I was hoping for.
Hey, congrats on getting this working! Any interaction with Microsoft APIs can be annoying, for example I documented my journey building an MS Teams bot in Django: build a Microsoft Teams bot - Adam Johnson.
I have also written an MS Entra Auth integration for the same client. My implementation is about 10x less code than you have there—just 123 lines—though admittedly without group syncing. LLMs are prone to overbuilding!
Things that you can probably remove from your project include the empty migrations directory, most of the system checks, the middleware, the decorators, and the template tags. They are all either unnecessary or super niche.
Anyway, good work, thanks for sharing, and welcome to the fun world of building open source Django packages!
Thank you Adam, I appreciate your feedback. I’m looking at removing extra items but for the moment the features in question (save for the migrations directory) are being used in my app’s case, in which we are running in a Docker container.
I’m reading your article on building a Teams bot and I found myself feeling a bit of deja vu in your section explaining interacting with Microsoft documentation. We use Dynamics 365 and Power Automate a lot and I’ve had to spend a lot of time trying to find basic answers to simple questions that should be well documented and easily located. Your work here is sparking a lot of ideas though for leveraging further integration with our Django application, which is used for managing time on lab equipment. If we could have real time communication via the application with a staff member in Teams, that would help a great deal with lab management.
Very kind of you to share your experiences, I look forward to my own attempt at integrating Django and Teams!