Remove global MSAL app instance, adjust structure.

7 files changed, 139 insertions(+), 178 deletions(-)
rewrite app.py (94%)
rewrite app_config.py (83%)
delete mode 100644 config.py
create mode 100644 requirements.txt
rewrite templates/display.html (87%)
delete mode 100644 templates/index.html

Author: rayluo

README.md

@@ -18,7 +18,7 @@ endpoint: Microsoft Identity platform (formerly Azure AD v2.0)
 
 ### Overview
 
-This sample demonstrates a Python web application that signs-in users with the Microsoft identity platform and calls the Microsoft Graph 
+This sample demonstrates a Python web application that signs-in users with the Microsoft identity platform and calls the Microsoft Graph.
 
 1. The python web application uses the Microsoft Authentication Library (MSAL) to obtain a JWT access token from the Microsoft identity platform (formerly Azure AD v2.0):
 2. The access token is used as a bearer token to authenticate the user when calling the Microsoft Graph.
@@ -27,16 +27,18 @@ This sample demonstrates a Python web application that signs-in users with the M
 
 ### Scenario
 
-This sample shows how to build a Python web app that uses OAuth2 to get access to Microsoft Graph using MSAL Python. For more information about how th eprotocols work in this scenario and other scenarios, see [Authentication Scenarios for Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios).
+This sample shows how to build a Python web app using Flask and MSAL Python,
+that signs in a user, and get access to Microsoft Graph.
+For more information about how the protocols work in this scenario and other scenarios,
+see [Authentication Scenarios for Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios).
 
 ## How to run this sample
 
 To run this sample, you'll need:
 
-> To run this sample you will need: 
 > - [Python 2.7+](https://www.python.org/downloads/release/python-2713/) or [Python 3+](https://www.python.org/downloads/release/python-364/)
 > - [Flask](http://flask.pocoo.org/), [Flask-Session](https://pythonhosted.org/Flask-Session/), [requests](https://2.python-requests.org/en/master/)
-> - [MSAL Python](https://github.com/AzureAD/microsoft-authentication-library-for-python) 
+> - [MSAL Python](https://github.com/AzureAD/microsoft-authentication-library-for-python)
 > - An Azure Active Directory (Azure AD) tenant. For more information on how to get an Azure AD tenant, see [how to get an Azure AD tenant.](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
 
 
@@ -50,7 +52,7 @@ git clone https://github.com/Azure-Samples/ms-identity-python-webapp.git
 
 or download and extract the repository .zip file.
 
-> Given that the name of the sample is quiet long, you might want to clone it in a folder close to the root of your hard drive, to avoid file size limitations on Windows.
+> Given that the name of the sample is quite long, you might want to clone it in a folder close to the root of your hard drive, to avoid file name lenghth limitations when running on Windows.
 
 ### Step 2:  Register the sample application with your Azure Active Directory tenant
 
@@ -122,22 +124,20 @@ In the steps below, "ClientID" is the same as "Application ID" or "AppId".
 
 #### Configure the pythonwebapp project
 
-> Note: if you used the setup scripts, the changes below will have been applied for you
+> Note: if you used the setup scripts, the changes below may have been applied for you
 
 1. Open the `app_config.py` file
 1. Find the app key `Enter_the_Tenant_Name_Here` and replace the existing value with your Azure AD tenant name.
-1. Find the app key `Enter_the_Client_Secret_Here` and replace the existing value with the key you saved during the creation of the `python-webapp` app, in the Azure portal.
+1. You could find the app key `Enter_the_Client_Secret_Here` and replace the existing value with the key you saved during the creation of the `python-webapp` app, in the Azure portal.
+   But we recommend you to store the secret in environment variable, rather than in file.
 1. Find the app key `Enter_the_Application_Id_here` and replace the existing value with the application ID (clientId) of the `python-webapp` application copied from the Azure portal.
 
 
 ### Step 4: Run the sample
 
-- You will need to install MSAL Python library, Flask framework, Flask-Sessions for server side session management and requests using pip as follows:
+- You will need to install dependencies using pip as follows:
 ```Shell
-$ pip install msal
-$ pip install flask
-$ pip install Flask-Session
-$ pip install requests
+$ pip install -r requirements.txt
 ```
 - If the environment variable for Flask is already set:
 

app.py

@@ -1,113 +1,93 @@
 import uuid
-import flask
 import requests
-from flask import Flask, render_template, session, request
-from flask_session import Session
+from flask import Flask, render_template, session, request, redirect, url_for
+from flask_session import Session  # https://pythonhosted.org/Flask-Session
 import msal
 import app_config
 
-sess = Session()
-app = Flask(__name__)
-app.config.from_object('config.Config')
-sess.init_app(app)
-cache = msal.SerializableTokenCache()
-application = msal.ConfidentialClientApplication(
-    app_config.CLIENT_ID, authority=app_config.AUTHORITY,
-    client_credential=app_config.CLIENT_SECRET,
-    token_cache=cache)
-
-
-def set_cache():
-    if cache.has_state_changed:
-        session[request.cookies.get("session")] = cache.serialize()
-
-
-def check_cache():
-    # Checking token cache for accounts
-    result = None
-    accounts = application.get_accounts()
 
-    # Trying to acquire token silently
-    if accounts:
-        result = application.acquire_token_silent(app_config.SCOPE, account=accounts[0])
-    return result
-
-
-def get_graph_info(result):
-    if 'access_token' not in result:
-        return flask.redirect(flask.url_for('index'))
-    endpoint = 'https://graph.microsoft.com/v1.0/me/'
-    http_headers = {'Authorization': 'Bearer ' + result['access_token'],
-                    'User-Agent': 'msal-python-sample',
-                    'Accept': 'application/json',
-                    'Content-Type': 'application/json',
-                    'client-request-id': str(uuid.uuid4())}
-    graph_data = requests.get(endpoint, headers=http_headers, stream=False).json()
-    return graph_data
+app = Flask(__name__)
+app.config["SESSION_TYPE"] = "filesystem"  # We choose to store tokens in server-side session
+Session(app)
 
 
-@app.route('/')
+@app.route("/")
 def index():
-    return render_template("index.html")
-
-
-@app.route('/processing')
-def processing():
-    # Initializing
-    is_session = session.get(request.cookies.get("session"))
-    if is_session is None:
-        session[request.cookies.get("session")] = ''
-    cache.deserialize(session.get(request.cookies.get("session")))
-    return flask.redirect(flask.url_for('my_info'))
-
-
-@app.route('/my_info')
-def my_info():
-    result = check_cache()
-    if result:
-        graph_result = get_graph_info(result)
-        return flask.render_template('display.html', auth_result=graph_result, cond="logout")
-    else:
-        return flask.render_template('display.html', auth_result="You are not signed in", cond="")
-
-
-@app.route('/authenticate')
-def authenticate():
-    # Call to the authorize endpoint
-    auth_state = str(uuid.uuid4())
-    session[(request.cookies.get("session")+'state')] = auth_state
-    authorization_url = application.get_authorization_request_url(app_config.SCOPE, state=auth_state,
-                                                                  redirect_uri=app_config.REDIRECT_URI)
-    resp = flask.Response(status=307)
-    resp.headers['location'] = authorization_url
-    return resp
-
-
-@app.route("/getAToken")
-def main_logic():
-    code = flask.request.args['code']
-    state = flask.request.args['state']
-    # Raising error if state does not match
-    if state != session[(request.cookies.get("session")+'state')]:
-        raise ValueError("State does not match")
-    result = application.acquire_token_by_authorization_code(code, scopes=app_config.SCOPE,
-                                                             redirect_uri=app_config.REDIRECT_URI)
-    # Updating cache
-    set_cache()
-
-    # Using access token from result to call Microsoft Graph
-    graph_data = get_graph_info(result)
-    return flask.render_template('display.html', auth_result=graph_data, cond="logout")
-
+    if not session.get("user"):
+        return redirect(url_for("login"))
+    return """Welcome, %s.
+        <li><a href='/graphcall'>Call Microsoft Graph API</a></li>
+        <li><a href="/logout">Logout</a></li>
+        """ % session["user"].get("name")
+
+@app.route("/login")
+def login():
+    session["state"] = str(uuid.uuid4())
+    auth_url = _build_msal_app().get_authorization_request_url(
+        app_config.SCOPE,  # Technically we can use empty list [] to just sign in,
+                           # here we choose to also collect end user consent upfront
+        state=session["state"],
+        redirect_uri=url_for("authorized", _external=True))
+    return "<a href='%s'>Login with Microsoft Identity</a>" % auth_url
+
+@app.route("/getAToken")  # Its absolute URL must match your app's redirect_uri set in AAD
+def authorized():
+    if request.args['state'] != session.get("state"):
+        return redirect(url_for("login"))
+    cache = _load_cache()
+    result = _build_msal_app(cache).acquire_token_by_authorization_code(
+        request.args['code'],
+        scopes=app_config.SCOPE,  # Misspelled scope would cause an HTTP 400 error here
+        redirect_uri=url_for("authorized", _external=True))
+    if "error" in result:
+        return "Login failure: %s, %s" % (
+            result["error"], result.get("error_description"))
+    session["user"] = result.get("id_token_claims")
+    _save_cache(cache)
+    return redirect(url_for("index"))
 
 @app.route("/logout")
 def logout():
-    # Logout
-    accounts = application.get_accounts()
-    application.remove_account(accounts[0])
-    set_cache()
-    return flask.redirect(flask.url_for('index'))
-
+    session["user"] = None  # Mark current session as not-logged-in
+    # session.clear()  # If you prefer, this would nuke the user's token cache too
+    return redirect(url_for("index"))
+
+@app.route("/graphcall")
+def graphcall():
+    token = _get_token_from_cache(app_config.SCOPE)
+    if not token:
+        return redirect(url_for("login"))
+    graph_data = requests.get(  # Use token to call downstream service
+        app_config.ENDPOINT,
+        headers={'Authorization': 'Bearer ' + token['access_token']},
+        ).json()
+    return render_template('display.html', result=graph_data)
+
+
+def _load_cache():
+    cache = msal.SerializableTokenCache()
+    if session.get("token_cache"):
+        cache.deserialize(session["token_cache"])
+    return cache
+
+def _save_cache(cache):
+    if cache.has_state_changed:
+        session["token_cache"] = cache.serialize()
+
+def _build_msal_app(cache=None):
+    return msal.ConfidentialClientApplication(
+        app_config.CLIENT_ID, authority=app_config.AUTHORITY,
+        client_credential=app_config.CLIENT_SECRET, token_cache=cache)
+
+def _get_token_from_cache(scope=None):
+    cache = _load_cache()  # This web app maintains one cache per session
+    cca = _build_msal_app(cache)
+    accounts = cca.get_accounts()
+    if accounts:  # So all account(s) belong to the current signed-in user
+        result = cca.acquire_token_silent(scope, account=accounts[0])
+        _save_cache(cache)
+        return result
 
 if __name__ == "__main__":
     app.run()
+

app_config.py

@@ -1,5 +1,21 @@
-AUTHORITY = "https://login.microsoftonline.com/Enter_the_Tenant_Name_Here"
+import os
+
+# This pattern is defined in Flask's documentation here
+# https://flask.palletsprojects.com/en/1.1.x/config/#configuring-from-environment-variables
+CLIENT_SECRET = os.getenv("CLIENT_SECRET")
+if not CLIENT_SECRET:
+    raise ValueError("Need to define CLIENT_SECRET environment variable")
+
+AUTHORITY = "https://login.microsoftonline.com/common"  # For multi-tenant app
+# AUTHORITY = "https://login.microsoftonline.com/Enter_the_Tenant_Name_Here"
+
 CLIENT_ID = "Enter_the_Application_Id_here"
-CLIENT_SECRET = "Enter_the_Client_Secret_Here"
-SCOPE = ["https://graph.microsoft.com/User.Read"]
-REDIRECT_URI = "http://localhost:5000/getAToken"
+
+# You can find more Microsoft Graph API endpoints from Graph Explorer
+# https://developer.microsoft.com/en-us/graph/graph-explorer
+ENDPOINT = 'https://graph.microsoft.com/v1.0/me/calendars'
+
+# You can find the proper permission names from this document to form a scope
+# https://docs.microsoft.com/en-us/graph/permissions-reference
+SCOPE = ["https://graph.microsoft.com/Calendars.Read"]
+

config.py

@@ -0,0 +1,5 @@
+Flask>=1,<2
+Flask-Session>=0,<1
+requests>=2,<3
+msal>=0,<2
+

requirements.txt

@@ -2,27 +2,11 @@
 <html lang="en">
 <head>
     <meta charset="UTF-8">
-    <title>Acquire Token Result </title>
 </head>
 <body>
-    {% if cond  %}
-        <p1><b>Your information</b> </p1>
-        <table>
-        {% for key, value in auth_result.items() %}
-           <tr>
-                <th> {{ key }} </th>
-                <td> {{ value }} </td>
-           </tr>
-        {% endfor %}
-        </table>
-        <form action="/logout" >
-            <input type="submit" value=" Logout"/>
-        </form>
-    {% else %}
-        <p1><b> {{auth_result}} </b> </p1>
-        <form action="/authenticate" >
-            <input type="submit" value=" Sign-in"/>
-        </form>
-    {% endif %}
+    <h1>Graph API Call Result</h1>
+    <pre>{{ result |tojson(indent=4) }}</pre> <!-- Just a generic json viewer -->
+    <a href="javascript:window.history.go(-1)">Back</a>
 </body>
-</html>
+</html>
+