feat: add Microsoft Azure AD login via allauth

.env.example

@@ -4,6 +4,8 @@
 SECRET_KEY=change-me-in-production
 DEBUG=True
 ALLOWED_HOSTS=localhost,127.0.0.1
+# Server port (default: 8000)
+PORT=8000
 
 # LLM Provider: "openai", "azure", or "azure_mistral"
 LLM_PROVIDER=openai
@@ -51,6 +53,11 @@ SHAREPOINT_CLIENT_ID=
 SHAREPOINT_CLIENT_SECRET=
 SHAREPOINT_TENANT_ID=
 
+# Azure AD SSO (Microsoft login via allauth)
+AZURE_CLIENT_ID=
+AZURE_CLIENT_SECRET=
+AZURE_TENANT_ID=
+
 # Confluence (optional)
 CONFLUENCE_URL=
 CONFLUENCE_USERNAME=

dashboard/templates/account/login.html

@@ -1,9 +1,23 @@
 {% extends "account/base_auth.html" %}
-{% load i18n %}
+{% load i18n socialaccount %}
 {% block title %}{% trans "Connexion" %} - SCORE{% endblock %}
 {% block subtitle %}{% trans "Connectez-vous à votre compte" %}{% endblock %}
 
 {% block content %}
+{% get_providers as socialaccount_providers %}
+
+{% if socialaccount_providers %}
+<a href="{% provider_login_url 'microsoft' %}" class="btn btn-outline-primary w-100 d-flex align-items-center justify-content-center gap-2 mb-3">
+    <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 21 21"><rect x="1" y="1" width="9" height="9" fill="#f25022"/><rect x="1" y="11" width="9" height="9" fill="#00a4ef"/><rect x="11" y="1" width="9" height="9" fill="#7fba00"/><rect x="11" y="11" width="9" height="9" fill="#ffb900"/></svg>
+    {% trans "Se connecter avec Microsoft" %}
+</a>
+<div class="d-flex align-items-center my-3">
+    <hr class="flex-grow-1" style="border-color: var(--ds-grey-500);">
+    <span class="px-3 text-muted" style="font-size: 13px;">{% trans "ou" %}</span>
+    <hr class="flex-grow-1" style="border-color: var(--ds-grey-500);">
+</div>
+{% endif %}
+
 {% if form.errors %}
 <div class="alert alert-danger">{% trans "Identifiants invalides. Veuillez réessayer." %}</div>
 {% endif %}

score/middleware.py

@@ -15,7 +15,8 @@ class ContentSecurityPolicyMiddleware:
             "style-src 'self' 'unsafe-inline' cdn.jsdelivr.net",
             "img-src 'self' data: blob:",
             "font-src 'self' cdn.jsdelivr.net",
-            "connect-src 'self'",
+            "connect-src 'self' login.microsoftonline.com",
+            "form-action 'self' login.microsoftonline.com",
             "worker-src 'self' blob:",
             "frame-src 'self'",
             "object-src 'none'",

score/settings.py

@@ -55,8 +55,8 @@
     # Auth
     "allauth",
     "allauth.account",
-    # "allauth.socialaccount",
-    # "allauth.socialaccount.providers.microsoft",
+    "allauth.socialaccount",
+    "allauth.socialaccount.providers.microsoft",
     # Celery
     "django_celery_results",
     "django_celery_beat",
@@ -151,6 +151,29 @@
 
 EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend"
 
+# --- Azure AD SSO (allauth social) ---
+AZURE_CLIENT_ID = env("AZURE_CLIENT_ID", default="")
+AZURE_CLIENT_SECRET = env("AZURE_CLIENT_SECRET", default="")
+AZURE_TENANT_ID = env("AZURE_TENANT_ID", default="")
+
+SOCIALACCOUNT_PROVIDERS = {
+    "microsoft": {
+        "APPS": [
+            {
+                "client_id": AZURE_CLIENT_ID,
+                "secret": AZURE_CLIENT_SECRET,
+                "settings": {
+                    "tenant": AZURE_TENANT_ID or "common",
+                },
+            },
+        ],
+    },
+}
+
+SOCIALACCOUNT_AUTO_SIGNUP = True
+SOCIALACCOUNT_EMAIL_AUTHENTICATION_AUTO_CONNECT = True
+SOCIALACCOUNT_LOGIN_ON_GET = True
+
 # --- Session security ---
 SESSION_COOKIE_AGE = 3600 * 8  # 8 hours
 SESSION_SAVE_EVERY_REQUEST = True  # Reset expiry on each request