Switch to new MSAL auth_code_flow API

rayluo · rayluo · commit dc8d5ba6834d · 2020-11-13T22:06:35.000-08:00
diff --git a/app.py b/app.py
@@ -25,25 +25,18 @@ def index():
 
 @app.route("/login")
 def login():
-    session["state"] = str(uuid.uuid4())
     # Technically we could use empty list [] as scopes to do just sign in,
     # here we choose to also collect end user consent upfront
-    auth_url = _build_auth_url(scopes=app_config.SCOPE, state=session["state"])
-    return render_template("login.html", auth_url=auth_url, version=msal.__version__)
+    session["flow"] = _build_auth_code_flow(scopes=app_config.SCOPE)
+    return render_template("login.html", auth_url=session["flow"]["auth_uri"], version=msal.__version__)
 
 @app.route(app_config.REDIRECT_PATH)  # Its absolute URL must match your app's redirect_uri set in AAD
 def authorized():
-    if request.args.get('state') != session.get("state"):
-        return redirect(url_for("index"))  # No-OP. Goes back to Index page
-    if "error" in request.args:  # Authentication/Authorization failure
-        return render_template("auth_error.html", result=request.args)
-    if request.args.get('code'):
+    if ("flow" in session and ("code" in request.args or "error" in request.args)
+            and request.args.get('state') == session["flow"].get("state")):
         cache = _load_cache()
-        result = _build_msal_app(cache=cache).acquire_token_by_authorization_code(
-            request.args['code'],
-            scopes=app_config.SCOPE,  # Misspelled scope would cause an HTTP 400 error here
-            redirect_uri=url_for("authorized", _external=True))
-        if "error" in result:
+        result = _build_msal_app(cache=cache).acquire_token_by_auth_code_flow(session["flow"], request.args)
+        if "error" in result:  # Authentication/Authorization failure
             return render_template("auth_error.html", result=result)
         session["user"] = result.get("id_token_claims")
         _save_cache(cache)
@@ -83,10 +76,9 @@ def _build_msal_app(cache=None, authority=None):
         app_config.CLIENT_ID, authority=authority or app_config.AUTHORITY,
         client_credential=app_config.CLIENT_SECRET, token_cache=cache)
 
-def _build_auth_url(authority=None, scopes=None, state=None):
-    return _build_msal_app(authority=authority).get_authorization_request_url(
+def _build_auth_code_flow(authority=None, scopes=None):
+    return _build_msal_app(authority=authority).initiate_auth_code_flow(
         scopes or [],
-        state=state or str(uuid.uuid4()),
         redirect_uri=url_for("authorized", _external=True))
 
 def _get_token_from_cache(scope=None):
@@ -98,7 +90,7 @@ def _get_token_from_cache(scope=None):
         _save_cache(cache)
         return result
 
-app.jinja_env.globals.update(_build_auth_url=_build_auth_url)  # Used in template
+app.jinja_env.globals.update(_build_auth_code_flow=_build_auth_code_flow)  # Used in template
 
 if __name__ == "__main__":
     app.run()
diff --git a/requirements.txt b/requirements.txt
@@ -2,7 +2,7 @@ Flask>=1,<2
 werkzeug>=1,<2
 flask-session~=0.3.2
 requests>=2,<3
-msal>=0.6.1,<2
+msal>=1.7,<2
 
 # cachelib==0.1  # Only need this if you are running Python 2
 # Note: This sample does NOT directly depend on cachelib.
diff --git a/templates/auth_error.html b/templates/auth_error.html
@@ -5,7 +5,7 @@
 
     {% if config.get("B2C_RESET_PASSWORD_AUTHORITY") and "AADB2C90118" in result.get("error_description") %}
       <!-- See also https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-policies#linking-user-flows -->
-      <meta http-equiv="refresh" content='0;{{_build_auth_url(authority=config["B2C_RESET_PASSWORD_AUTHORITY"])}}'>
+      <meta http-equiv="refresh" content='0;{{_build_auth_code_flow(authority=config["B2C_RESET_PASSWORD_AUTHORITY"])["auth_uri"]}}'>
     {% endif %}
 </head>
 <body>
diff --git a/templates/index.html b/templates/index.html
@@ -12,7 +12,7 @@ <h2>Welcome {{ user.get("name") }}!</h2>
     {% endif %}
 
     {% if config.get("B2C_PROFILE_AUTHORITY") %}
-      <li><a href='{{_build_auth_url(authority=config["B2C_PROFILE_AUTHORITY"])}}'>Edit Profile</a></li>
+      <li><a href='{{_build_auth_code_flow(authority=config["B2C_PROFILE_AUTHORITY"])["auth_uri"]}}'>Edit Profile</a></li>
     {% endif %}
 
     <li><a href="/logout">Logout</a></li>
diff --git a/templates/login.html b/templates/login.html
@@ -9,7 +9,7 @@ <h1>Microsoft Identity Python Web App</h1>
     <li><a href='{{ auth_url }}'>Sign In</a></li>
 
     {% if config.get("B2C_RESET_PASSWORD_AUTHORITY") %}
-    <li><a href='{{_build_auth_url(authority=config["B2C_RESET_PASSWORD_AUTHORITY"])}}'>Reset Password</a></li>
+    <li><a href='{{_build_auth_code_flow(authority=config["B2C_RESET_PASSWORD_AUTHORITY"])["auth_uri"]}}'>Reset Password</a></li>
     {% endif %}
 
     <hr>
