Use the new identity.flask

Author: rayluo

.env.sample

@@ -0,0 +1,31 @@
+# This sample can be configured to work with Azure AD B2C.
+#
+# If you are using an Azure AD B2C tenant,
+# configure the B2C_TENANT_NAME variable with your tenant name, such as "contoso".
+B2C_TENANT_NAME=<your tenant name>
+
+# You will also need to configure the following variables with your B2C policies.
+SIGNUPSIGNIN_USER_FLOW=B2C_1_signinpolicy
+
+# Optionally, you may configure the following variables with your B2C policies.
+EDITPROFILE_USER_FLOW=B2C_1_ProfileEditPolicy
+RESETPASSWORD_USER_FLOW=B2C_1_Password_Reset_Policy
+
+# The following variables are required for the app to run.
+CLIENT_ID=<client id>
+CLIENT_SECRET=<client secret>
+
+# Your project's redirect URI that you registered in Azure Portal.
+# For example: http://localhost:5000/redirect
+REDIRECT_URI=<your redirect uri>
+
+# The following variables are required if the app needs to call an API.
+#
+# Multiple scopes can be added into the same line, separated by a space.
+# Here we use a Microsoft Graph API as an example
+# You may need to use your own API's scope.
+#SCOPE=User.Read
+#
+# The sample app will acquire a token to call this API
+#ENDPOINT=https://graph.microsoft.com/v1.0/me
+

.env.sample.b2c

@@ -0,0 +1,28 @@
+# This sample can be configured to work with Microsoft Entra ID.
+#
+# If you are using a Microsoft Entra ID tenant,
+# configure the AUTHORITY variable as
+# "https://login.microsoftonline.com/TENANT_GUID"
+# or "https://login.microsoftonline.com/contoso.onmicrosoft.com".
+#
+# Alternatively, use "https://login.microsoftonline.com/common" for multi-tenant app.
+AUTHORITY=<authority url>
+
+# The following variables are required for the app to run.
+CLIENT_ID=<client id>
+CLIENT_SECRET=<client secret>
+
+# Your project's redirect URI that you registered in Azure Portal.
+# For example: http://localhost:5000/redirect
+REDIRECT_URI=<your redirect uri>
+
+# The following variables are required if the app needs to call an API.
+#
+# Multiple scopes can be added into the same line, separated by a space.
+# Here we use a Microsoft Graph API as an example
+# You may need to use your own API's scope.
+#SCOPE=User.Read
+#
+# The sample app will acquire a token to call this API
+#ENDPOINT=https://graph.microsoft.com/v1.0/me
+

.env.sample.entra-id

@@ -0,0 +1,24 @@
+# This sample can be configured to work with Microsoft External ID.
+#
+# If you are using a Microsoft Entra External ID for customers (CIAM) tenant,
+# configure AUTHORITY as https://contoso.ciamlogin.com/contoso.onmicrosoft.com
+AUTHORITY=<authority url>
+
+# The following variables are required for the app to run.
+CLIENT_ID=<client id>
+CLIENT_SECRET=<client secret>
+
+# Your project's redirect URI that you registered in Azure Portal.
+# For example: http://localhost:5000/redirect
+REDIRECT_URI=<your redirect uri>
+
+# The following variables are required if the app needs to call an API.
+#
+# Multiple scopes can be added into the same line, separated by a space.
+# Here we use a Microsoft Graph API as an example
+# You may need to use your own API's scope.
+#SCOPE=User.Read
+#
+# The sample app will acquire a token to call this API
+#ENDPOINT=https://graph.microsoft.com/v1.0/me
+

.env.sample.external-id

@@ -0,0 +1,25 @@
+# This sample can be configured to work with Microsoft External ID with custom domain.
+#
+# If you are using a Microsoft External ID tenant with custom domain,
+# configure the OIDC_AUTHORITY variable as
+# "https://www.contoso.com/TENANT_GUID/v2.0"
+OIDC_AUTHORITY=<authority url>
+
+# The following variables are required for the app to run.
+CLIENT_ID=<client id>
+CLIENT_SECRET=<client secret>
+
+# Your project's redirect URI that you registered in Azure Portal.
+# For example: http://localhost:5000/redirect
+REDIRECT_URI=<your redirect uri>
+
+# The following variables are required if the app needs to call an API.
+#
+# Multiple scopes can be added into the same line, separated by a space.
+# Here we use a Microsoft Graph API as an example
+# You may need to use your own API's scope.
+#SCOPE=User.Read
+#
+# The sample app will acquire a token to call this API
+#ENDPOINT=https://graph.microsoft.com/v1.0/me
+

.env.sample.external-id-custom-domain

@@ -7,42 +7,169 @@ products:
 description: "This sample demonstrates a Python web application calling a Microsoft Graph that is secured using Azure Active Directory."
 urlFragment: ms-identity-python-webapp
 ---
-# Integrating Microsoft Identity Platform with a Python web application
+# Integrating Microsoft Entra ID with a Python web application written in Flask
 
-This is a Python web application that uses the Flask framework and the Microsoft identity platform to sign in users and make authenticated calls to the Microsoft Graph API.
+This is a multi-purpose [Flask](https://flask.palletsprojects.com/en/3.0.x/) web app sample.
+Write your app like this once, and the same implementation will support 4x2=8 scenarios.
 
-# Configuration
+|                | Microsoft Entra ID | External ID | External ID with Custom Domain | Azure AD B2C |
+|----------------|--------------------|-------------|--------------------------------|--------------|
+| Web App Sign-In & Sign-Out |   ✓    |      ✓      |                ✓               |       ✓      |
+| Web App Calls a web API |     ✓     |      ✓      |                ✓               |       ✓      |
 
-## If you are configuring your Microsoft Entra ID app or Microsoft Entra External ID app
+![Topology](https://raw.githubusercontent.com/Azure-Samples/ms-identity-python-webapp-django/main/static/topology.png)
 
-To get started with this sample, you have two options:
+## Getting Started
 
-* Use the Azure portal to create the Azure AD applications and related objects. Follow the steps in
-  [Quickstart: Add sign-in with Microsoft to a Python web app](https://docs.microsoft.com/azure/active-directory/develop/web-app-quickstart?pivots=devlang-python).
-* Use PowerShell scripts that automatically create the Azure AD applications and related objects (passwords, permissions, dependencies) for you, and then modify the configuration files. Follow the steps in the [App Creation Scripts README](./AppCreationScripts/AppCreationScripts.md).
+### Prerequisites
 
-## If you are configuring your B2C app
+1. Have [Python](https://python.org) 3.8+ installed
+1. Clone from
+   [its repo](https://github.com/Azure-Samples/ms-identity-python-webapp)
+   or download its zip package, and then start using it or build on top of it.
+1. `cd project_name`
+1. Run `pip install -r requirements.txt` to install dependencies
+1.  Run `flask run -h localhost` and then browse to http://localhost:5000
+   You may need to change to a different port to match your redirect_uri setup.
 
-This sample can also work as a B2C app. If you are using a B2C tenant, follow
-[Configure authentication in a sample Python web app by using Azure AD B2C](https://learn.microsoft.com/azure/active-directory-b2c/configure-authentication-sample-python-web-app).
 
+### How to configure and use this sample
 
-# Deployment
+<table border=1>
+  <tr>
+    <th></th>
+    <th>Microsoft Entra ID</th>
+    <th>Microsoft Entra External ID</th>
+    <th>Microsoft Entra External ID with Custom Domain</th>
+    <th>Azure AD B2C</th>
+  </tr>
 
-Once you finish testing this web app locally, you can deploy it to your production.
-You may choose any web app hosting services you want.
-Here we will describe how to deploy it to
-[Azure App Service](https://azure.microsoft.com/en-us/products/app-service).
+  <tr>
+    <th>App Registration</th>
+    <td><!-- See https://github.com/github/cmark-gfm/issues/12 -->
 
-* Follow the ["Quickstart: Deploy a Python (Django or Flask) web app to Azure App Service"](https://learn.microsoft.com/en-us/azure/app-service/quickstart-python),
-  but replace its sample app (which does not do user sign-in) with this web app.
+Following only the step 1, 2 and 3  of this
+[Quickstart: Add sign-in with Microsoft to a Python web app](https://learn.microsoft.com/entra/identity-platform/quickstart-web-app-python-sign-in?tabs=windows)
+
+</td>
+    <td>
+
+Follow only the page 1 of this [Tutorial: Prepare your customer tenant ...](https://learn.microsoft.com/entra/external-id/customers/tutorial-web-app-python-flask-prepare-tenant)
+
+</td>
+    <td>
+
+Coming soon.
+
+</td>
+    <td>
+
+Following only the step 1 and 2 (including 2.1 and 2.2) of this
+[Configure authentication in a sample Python web app by using Azure AD B2C](https://learn.microsoft.com/azure/active-directory-b2c/configure-authentication-sample-python-web-app?tabs=linux)
+
+</td>
+  </tr>
+
+  <tr>
+    <th rowspan=2>Configuration</th>
+    <td><!-- See https://github.com/github/cmark-gfm/issues/12 -->
+
+Copy this [Entra ID template](.env.sample.entra-id)
+as `.env` and then modify `.env` with your app's settings.
+
+</td>
+    <td>
+
+Copy this [External ID template](.env.sample.external-id)
+as `.env` and then modify `.env` with your app's settings.
+
+</td>
+    <td>
+
+Copy this [External ID with Custom Domain template](.env.sample.external-id-custom-domain)
+as `.env` and then modify `.env` with your app's settings.
+
+</td>
+    <td>
+
+Copy this [Azure AD B2C template](.env.sample.b2c)
+as `.env` and then modify `.env` with your app's settings.
+
+</td>
+  </tr>
+
+  <tr>
+    <td colspan=4>
+
+Do not reverse the order of the configuration steps above.
+If you put your app credentials into the template and then copy it into `.env`,
+you risk accidentally committing your templates with credentials into Version Control System.
 
-* [Configure your app's settings](https://learn.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal#configure-app-settings) to define [these environment variables](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/main/.env.sample).
+</td>
+  </tr>
 
+  <tr>
+    <th>Web App Sign In & Sign Out</th>
+    <td colspan=4>
+
+With the basic configuration above,
+you can now browse to the index page of this sample to try the sign-in/sign-out experience.
+
+</td>
+  </tr>
+
+  <tr>
+    <th>Web App Calls a web API</th>
+    <td colspan=4>
+
+Add the web API's *endpoint* into your `.env` file.
+Also add the *scopes* it needs, separated by space.
+The following example is the settings needed to call the Microsoft Graph API.
+You may need to replace the their values with your own API endpoint and its scope..
+
+```ini
+ENDPOINT=https://graph.microsoft.com/v1.0/me
+SCOPE=User.Read
+```
+
+Now restart this sample and try its "Call API" experience.
+
+</td>
+  </tr>
+
+  <tr>
+    <th>
+
+Deploy to
+[Azure App Service](https://azure.microsoft.com/en-us/products/app-service)
+
+</th>
+    <td colspan=4>
+
+* Follow the ["Quickstart: Deploy a Python (Django or Flask) web app to Azure App Service"](https://learn.microsoft.com/en-us/azure/app-service/quickstart-python),
+  but replace its sample app (which does not do user sign-in) with this web app.
+* [Configure your app's settings](https://learn.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal#configure-app-settings)
+  to define environment variables mentioned in the **Configuration** row of this table.
 * If your `app_config.py` contains `SESSION_TYPE = "filesystem"`,
   you shall turn on "session affinity" (a.k.a. "ARR affinity") in your
   [App Service Web App's Configuration](https://learn.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal#configure-general-settings)
 
+</td>
+  </tr>
+
+</table>
+
+
+## How to build this sample (or a new web project) from scratch
+
+You can follow the
+[instructions for Flask, from the underlying library](https://identity-library.readthedocs.io/en/latest/flask.html).
+
+You can refer to the
+[source code of this full sample here](https://github.com/Azure-Samples/ms-identity-python-webapp)
+to pick up other minor details, such as how to modify `app.py` accordingly,
+and how to add templates for the new view (and for the existing `index()` view).
+
 
 ## Contributing