Merge pull request #2 from Azure-Samples/app2

Pyton Web App with sign-in, calling MS Graph API, and sign-out

Author: rayluo

README.md

@@ -1,14 +1,13 @@
 ---
 page_type: sample
-languages: python
-product: azure-active-directory
-services: active-directory
-platforms: python
-author: abpati
-level: 300
-client: Python Web Application
-service: Microsoft Graph
-endpoint: Microsoft Identity platform (formerly Azure AD v2.0)
+languages:
+- python
+- powershell
+- html
+products:
+- azure-active-directory
+description: "This sample demonstrates a Java web application calling a Microsoft Graph that is secured using Azure Active Directory."
+urlFragment: ms-identity-python-webapp
 ---
 # Integrating Microsoft Identity Platform with a Python web application
 
@@ -18,7 +17,7 @@ endpoint: Microsoft Identity platform (formerly Azure AD v2.0)
 
 ### Overview
 
-This sample demonstrates a Python web application that signs-in users with the Microsoft identity platform and calls the Microsoft Graph 
+This sample demonstrates a Python web application that signs-in users with the Microsoft identity platform and calls the Microsoft Graph.
 
 1. The python web application uses the Microsoft Authentication Library (MSAL) to obtain a JWT access token from the Microsoft identity platform (formerly Azure AD v2.0):
 2. The access token is used as a bearer token to authenticate the user when calling the Microsoft Graph.
@@ -27,16 +26,16 @@ This sample demonstrates a Python web application that signs-in users with the M
 
 ### Scenario
 
-This sample shows how to build a Python web app that uses OAuth2 to get access to Microsoft Graph using MSAL Python. For more information about how th eprotocols work in this scenario and other scenarios, see [Authentication Scenarios for Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios).
+This sample shows how to build a Python web app using Flask and MSAL Python,
+that signs in a user, and get access to Microsoft Graph.
+For more information about how the protocols work in this scenario and other scenarios,
+see [Authentication Scenarios for Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios).
 
 ## How to run this sample
 
 To run this sample, you'll need:
 
-> To run this sample you will need: 
 > - [Python 2.7+](https://www.python.org/downloads/release/python-2713/) or [Python 3+](https://www.python.org/downloads/release/python-364/)
-> - [Flask](http://flask.pocoo.org/), [Flask-Session](https://pythonhosted.org/Flask-Session/), [requests](https://2.python-requests.org/en/master/)
-> - [MSAL Python](https://github.com/AzureAD/microsoft-authentication-library-for-python) 
 > - An Azure Active Directory (Azure AD) tenant. For more information on how to get an Azure AD tenant, see [how to get an Azure AD tenant.](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
 
 
@@ -50,7 +49,7 @@ git clone https://github.com/Azure-Samples/ms-identity-python-webapp.git
 
 or download and extract the repository .zip file.
 
-> Given that the name of the sample is quiet long, you might want to clone it in a folder close to the root of your hard drive, to avoid file size limitations on Windows.
+> Given that the name of the sample is quite long, you might want to clone it in a folder close to the root of your hard drive, to avoid file name length limitations when running on Windows.
 
 ### Step 2:  Register the sample application with your Azure Active Directory tenant
 
@@ -122,37 +121,27 @@ In the steps below, "ClientID" is the same as "Application ID" or "AppId".
 
 #### Configure the pythonwebapp project
 
-> Note: if you used the setup scripts, the changes below will have been applied for you
+> Note: if you used the setup scripts, the changes below may have been applied for you
 
 1. Open the `app_config.py` file
 1. Find the app key `Enter_the_Tenant_Name_Here` and replace the existing value with your Azure AD tenant name.
-1. Find the app key `Enter_the_Client_Secret_Here` and replace the existing value with the key you saved during the creation of the `python-webapp` app, in the Azure portal.
+1. You saved your application secret during the creation of the `python-webapp` app in the Azure portal.
+   Now you can set the secret in environment variable `CLIENT_SECRET`,
+   and then adjust `app_config.py` to pick it up.
 1. Find the app key `Enter_the_Application_Id_here` and replace the existing value with the application ID (clientId) of the `python-webapp` application copied from the Azure portal.
 
 
 ### Step 4: Run the sample
 
-- You will need to install MSAL Python library, Flask framework, Flask-Sessions for server side session management and requests using pip as follows:
+- You will need to install dependencies using pip as follows:
 ```Shell
-$ pip install msal
-$ pip install flask
-$ pip install Flask-Session
-$ pip install requests
+$ pip install -r requirements.txt
 ```
-- If the environment variable for Flask is already set:
 
 Run app.py from shell or command line:
 ```Shell
 $ python app.py
 ```
-- If the environment variable for Flask is not set:
-
-Type the following commands on shell or command line by navigating to the project directory:
-```Shell
-$ export FLASK_APP=app.py
-$ export FLASK_DEBUG=1
-$ flask run
-```
 
 ## Community Help and Support
 

app.py

@@ -1,113 +1,92 @@
 import uuid
-import flask
 import requests
-from flask import Flask, render_template, session, request
-from flask_session import Session
+from flask import Flask, render_template, session, request, redirect, url_for
+from flask_session import Session  # https://pythonhosted.org/Flask-Session
 import msal
 import app_config
 
-sess = Session()
-app = Flask(__name__)
-app.config.from_object('config.Config')
-sess.init_app(app)
-cache = msal.SerializableTokenCache()
-application = msal.ConfidentialClientApplication(
-    app_config.CLIENT_ID, authority=app_config.AUTHORITY,
-    client_credential=app_config.CLIENT_SECRET,
-    token_cache=cache)
-
-
-def set_cache():
-    if cache.has_state_changed:
-        session[request.cookies.get("session")] = cache.serialize()
-
-
-def check_cache():
-    # Checking token cache for accounts
-    result = None
-    accounts = application.get_accounts()
 
-    # Trying to acquire token silently
-    if accounts:
-        result = application.acquire_token_silent(app_config.SCOPE, account=accounts[0])
-    return result
-
-
-def get_graph_info(result):
-    if 'access_token' not in result:
-        return flask.redirect(flask.url_for('index'))
-    endpoint = 'https://graph.microsoft.com/v1.0/me/'
-    http_headers = {'Authorization': 'Bearer ' + result['access_token'],
-                    'User-Agent': 'msal-python-sample',
-                    'Accept': 'application/json',
-                    'Content-Type': 'application/json',
-                    'client-request-id': str(uuid.uuid4())}
-    graph_data = requests.get(endpoint, headers=http_headers, stream=False).json()
-    return graph_data
+app = Flask(__name__)
+app.config.from_object(app_config)
+Session(app)
 
 
-@app.route('/')
+@app.route("/")
 def index():
-    return render_template("index.html")
-
-
-@app.route('/processing')
-def processing():
-    # Initializing
-    is_session = session.get(request.cookies.get("session"))
-    if is_session is None:
-        session[request.cookies.get("session")] = ''
-    cache.deserialize(session.get(request.cookies.get("session")))
-    return flask.redirect(flask.url_for('my_info'))
-
-
-@app.route('/my_info')
-def my_info():
-    result = check_cache()
-    if result:
-        graph_result = get_graph_info(result)
-        return flask.render_template('display.html', auth_result=graph_result, cond="logout")
-    else:
-        return flask.render_template('display.html', auth_result="You are not signed in", cond="")
-
-
-@app.route('/authenticate')
-def authenticate():
-    # Call to the authorize endpoint
-    auth_state = str(uuid.uuid4())
-    session[(request.cookies.get("session")+'state')] = auth_state
-    authorization_url = application.get_authorization_request_url(app_config.SCOPE, state=auth_state,
-                                                                  redirect_uri=app_config.REDIRECT_URI)
-    resp = flask.Response(status=307)
-    resp.headers['location'] = authorization_url
-    return resp
-
-
-@app.route("/getAToken")
-def main_logic():
-    code = flask.request.args['code']
-    state = flask.request.args['state']
-    # Raising error if state does not match
-    if state != session[(request.cookies.get("session")+'state')]:
-        raise ValueError("State does not match")
-    result = application.acquire_token_by_authorization_code(code, scopes=app_config.SCOPE,
-                                                             redirect_uri=app_config.REDIRECT_URI)
-    # Updating cache
-    set_cache()
-
-    # Using access token from result to call Microsoft Graph
-    graph_data = get_graph_info(result)
-    return flask.render_template('display.html', auth_result=graph_data, cond="logout")
-
+    if not session.get("user"):
+        return redirect(url_for("login"))
+    return render_template('index.html', user=session["user"])
+
+@app.route("/login")
+def login():
+    session["state"] = str(uuid.uuid4())
+    auth_url = _build_msal_app().get_authorization_request_url(
+        app_config.SCOPE,  # Technically we can use empty list [] to just sign in,
+                           # here we choose to also collect end user consent upfront
+        state=session["state"],
+        redirect_uri=url_for("authorized", _external=True))
+    return "<a href='%s'>Login with Microsoft Identity</a>" % auth_url
+
+@app.route("/getAToken")  # Its absolute URL must match your app's redirect_uri set in AAD
+def authorized():
+    if request.args['state'] != session.get("state"):
+        return redirect(url_for("login"))
+    cache = _load_cache()
+    result = _build_msal_app(cache).acquire_token_by_authorization_code(
+        request.args['code'],
+        scopes=app_config.SCOPE,  # Misspelled scope would cause an HTTP 400 error here
+        redirect_uri=url_for("authorized", _external=True))
+    if "error" in result:
+        return "Login failure: %s, %s" % (
+            result["error"], result.get("error_description"))
+    session["user"] = result.get("id_token_claims")
+    _save_cache(cache)
+    return redirect(url_for("index"))
 
 @app.route("/logout")
 def logout():
-    # Logout
-    accounts = application.get_accounts()
-    application.remove_account(accounts[0])
-    set_cache()
-    return flask.redirect(flask.url_for('index'))
-
+    session["user"] = None  # Log out from this app from its session
+    # session.clear()  # If you prefer, this would nuke the user's token cache too
+    return redirect(  # Also need to logout from Microsoft Identity platform
+        "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
+        "?post_logout_redirect_uri=" + url_for("index", _external=True))
+
+@app.route("/graphcall")
+def graphcall():
+    token = _get_token_from_cache(app_config.SCOPE)
+    if not token:
+        return redirect(url_for("login"))
+    graph_data = requests.get(  # Use token to call downstream service
+        app_config.ENDPOINT,
+        headers={'Authorization': 'Bearer ' + token['access_token']},
+        ).json()
+    return render_template('display.html', result=graph_data)
+
+
+def _load_cache():
+    cache = msal.SerializableTokenCache()
+    if session.get("token_cache"):
+        cache.deserialize(session["token_cache"])
+    return cache
+
+def _save_cache(cache):
+    if cache.has_state_changed:
+        session["token_cache"] = cache.serialize()
+
+def _build_msal_app(cache=None):
+    return msal.ConfidentialClientApplication(
+        app_config.CLIENT_ID, authority=app_config.AUTHORITY,
+        client_credential=app_config.CLIENT_SECRET, token_cache=cache)
+
+def _get_token_from_cache(scope=None):
+    cache = _load_cache()  # This web app maintains one cache per session
+    cca = _build_msal_app(cache)
+    accounts = cca.get_accounts()
+    if accounts:  # So all account(s) belong to the current signed-in user
+        result = cca.acquire_token_silent(scope, account=accounts[0])
+        _save_cache(cache)
+        return result
 
 if __name__ == "__main__":
     app.run()
+

app_config.py

@@ -1,5 +1,25 @@
-AUTHORITY = "https://login.microsoftonline.com/Enter_the_Tenant_Name_Here"
+import os
+
+CLIENT_SECRET = "Enter_the_Client_Secret_Here" # Our Quickstart uses this placeholder
+# In your production app, we recommend you to use other ways to store your secret,
+# such as KeyVault, or environment variable as described in Flask's documentation here
+# https://flask.palletsprojects.com/en/1.1.x/config/#configuring-from-environment-variables
+# CLIENT_SECRET = os.getenv("CLIENT_SECRET")
+# if not CLIENT_SECRET:
+#     raise ValueError("Need to define CLIENT_SECRET environment variable")
+
+AUTHORITY = "https://login.microsoftonline.com/common"  # For multi-tenant app
+# AUTHORITY = "https://login.microsoftonline.com/Enter_the_Tenant_Name_Here"
+
 CLIENT_ID = "Enter_the_Application_Id_here"
-CLIENT_SECRET = "Enter_the_Client_Secret_Here"
-SCOPE = ["https://graph.microsoft.com/User.Read"]
-REDIRECT_URI = "http://localhost:5000/getAToken"
+
+# You can find more Microsoft Graph API endpoints from Graph Explorer
+# https://developer.microsoft.com/en-us/graph/graph-explorer
+ENDPOINT = 'https://graph.microsoft.com/v1.0/users'  # This resource requires no admin consent
+
+# You can find the proper permission names from this document
+# https://docs.microsoft.com/en-us/graph/permissions-reference
+SCOPE = ["User.ReadBasic.All"]
+
+SESSION_TYPE = "filesystem"  # So token cache will be stored in server-side session
+

config.py

@@ -0,0 +1,5 @@
+Flask>=1,<2
+Flask-Session>=0,<1
+requests>=2,<3
+msal>=0,<2
+

requirements.txt

@@ -2,27 +2,11 @@
 <html lang="en">
 <head>
     <meta charset="UTF-8">
-    <title>Acquire Token Result </title>
 </head>
 <body>
-    {% if cond  %}
-        <p1><b>Your information</b> </p1>
-        <table>
-        {% for key, value in auth_result.items() %}
-           <tr>
-                <th> {{ key }} </th>
-                <td> {{ value }} </td>
-           </tr>
-        {% endfor %}
-        </table>
-        <form action="/logout" >
-            <input type="submit" value=" Logout"/>
-        </form>
-    {% else %}
-        <p1><b> {{auth_result}} </b> </p1>
-        <form action="/authenticate" >
-            <input type="submit" value=" Sign-in"/>
-        </form>
-    {% endif %}
+    <h1>Graph API Call Result</h1>
+    <pre>{{ result |tojson(indent=4) }}</pre> <!-- Just a generic json viewer -->
+    <a href="javascript:window.history.go(-1)">Back</a>
 </body>
-</html>
+</html>
+

templates/display.html

@@ -2,11 +2,12 @@
 <html lang="en">
 <head>
     <meta charset="UTF-8">
-    <title>Title</title>
 </head>
 <body>
-<form action="/processing" >
-    <input type="submit" value="Get my information from graph"/>
-</form>
+    <h1>Microsoft Identity Python Web App</h1>
+    Welcome {{ user.get("name") }}!
+    <li><a href='/graphcall'>Call Microsoft Graph API</a></li>
+    <li><a href="/logout">Logout</a></li>
 </body>
-</html>
+</html>
+