[Security fix] AzureADOAuth2 backend

[mike667]

Proposed changes

Hello, my changes involve replacing the user_data method for AzureADOAuth2. Since the old method simply decoded data from the JWT token without verifying its signature, any user could modify data in the JWT and authenticate on the site. In the new method, the data is extracted from the Microsoft Graph API using the access token, which fixes this vulnerability. Additionally, aliases for data have been added so that in future pipelines, functions like associate_by_email and user_details can retrieve the data.

Please tell me if these changes make sense, if so, I will update the tests. (Currently, this code is in production on my project.)

Types of changes

Please check the type of change your PR introduces:

• Release (new release request)
• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (PEP8, lint, formatting, renaming, etc)
• Refactoring (no functional changes, no api changes)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Build related changes (build process, tests runner, etc)
• Other (please describe):

Checklist

Put an x in the boxes that apply. You can also fill these out after creating
the PR. If you're unsure about any of them, don't hesitate to ask. We're here to
help! This is simply a reminder of what we are going to look for before merging
your code.

• Lint and unit tests pass locally with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added documentation to https://github.com/python-social-auth/social-docs

Other information

Any other information that is important to this PR such as screenshots of how
the component looks before and after the change.

[mike667]

Related to Issue

[nijel]

I think this change makes sense as this is similar what other OAuth2 backends do. Do you see any risks in breaking existing users? I think some details will have a different value after your changes.

[nijel]

username was based on name before.

[nijel]

email used to fall back to userPrincipalName if not present, this is now gone.

[mike667]

Hi, after thinking about it a bit, there is no point in changing AzureADOAuth2 if it is very similar to MicrosoftOAuth2. It is better to just use MicrosoftOAuth2, and add a note for AzureADOAuth2 so that new users understand that AzureADOAuth2.user_data is not completely secure. Therefore, I am closing this request pool and opening a new one for documentation.