How to Flask web app with AD Auth

[nagen1]

Hi Team,
I have Flask app deployed in Azure and my org has AD Auth/Windows Authentication (Azure on premises) wondering where should I get started and where can I get right documentation to incorporate those into my Flask web app!?

Appreciate it.

[rayluo]

You can probably find some inspiration from this website sample

[nagen1]

Thanks, Rayluo will try this sample

[patchie]

@nagen1: Did you figure out how to do this?

[nagen1]

@patchie, No man didn't find and aftet than i moved on with different project.

[patchie]

but @rayluo still am so eager to close the issue before the problem is actually resolved.

@rayluo: Why are you so eager to not let others help? Please don't close cases that isn't resolved.

The problem @nagen1, me and many more people are having is that you don't have any tutorials for this lib.

Is this lib only for Microsoft employees, or also for normal programmers?

Thanks in advance.

[rayluo]

Sorry to hear that. When we closed this issue, we was hoping that standard sample would be helpful; and as usual, we will respond to any follow-up new questions/issues.

[darth-veitcher]

I’d re-iterate previous comments. Would be great to have an example Flask application to work through and understand.

[rayluo]

We now have a "code sample" link in the newly constructed project wiki sidebar. It is using Flask. Will that help?

@patchie , last time we reopen this question, it remains silent for 9 months without any follow-up questions. Now that we have a new sample. Will that also help your case too?

[eelstork]

I have given the sample a spin; just to be super clear, you are referring to this sample, yes?

So, @rayluo although your sample was easy to setup and test, it still took me 3~4 hours to figure exactly how I would integrate this with my app. Maybe I should point out that I did not have much prior experience with authentication, let alone 'as a service'.

• As far as I could see, the flask session is imported, but that is not used. To the developer who only need secure authentication (no graph API calls), would it make sense to demonstrate that they only need to set a logged_in flag in their flask session upon successful AD login? The high level doc seems to be pointing in this direction, but not clear in the code sample.
• The high level doc also suggested that responses should include claims such as the user's real name, their AD username and so forth... but to me it wasn't immediately obvious that token_response is the place to look for these; what confused me is that the /graphcall response duplicates a lot of this information.
• I got to this sample through the "web browser to (multi-page) web application" scenario. From this perspective I feel that focus on how to realize a clean integration for multi-page web app is lacking, and the focus of the sample is on accessing the graph API. A more focused sample in my opinion would demonstrate how to make a 2 page website with AD authentication, no graph API call and login state stored in Flask session.

With the above in mind, this sample is pretty good so, in my opinion it would be reasonable to close the issue.

[rayluo]

@eelstork Thanks for your valuable feedback! Please let us know the exact link to the "high level doc" you were referring to, so that we would figure out how to improve it. And for your last comment on the "how to make a 2 page website with AD authentication, no graph API call and login state stored in Flask session" is also a legit request. We will consider working on this direction.

CC: @navyasric @abhidnya13

[eelstork]

@rayluo you are welcome. The high level doc I was looking at is here:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios
However, to clarify: the doc wasn't confusing to me here, the sample code was (again, because of duplicate information in token vs graphcall responses, better explained in my previous post)
Right now I'm trying to put together a logout request (possibly some info on SO but didn't find anything 'official' yet)
Also, with a Flask blueprint for AD auth, this could be made completely modular (however, may not be appropriate for an explanatory sample).

[jmprieur]

This is coming to https://github.com/Azure-Samples/ms-identity-python-webapp.
(See the associated PR

[rayluo]

Thanks @jmprieur for reviving this conversation. The 3 bullet points in the comment above from @eelstork is still relevant. There is some refactoring work to do for our current sample effort.

[rayluo]

@eelstork @armedgorillas @darth-veitcher @olekang @patchie @nagen1

Thank you all for driving us to become better. This issue was originally created in this ADAL Python repo. Since then we've been working on the ADAL Python's successor, the MSAL Python library. And now we also have a Flask Web App with AD Auth, built on top of MSAL Python. This sample addresses the 3 valuable comments by @eelstork. Also, this is how you migrate from ADAL Python to MSAL Python.

@patchie I believe we can close this issue now. If you folks have further questions about MSAL Python or that new web sample, please open an issue in their own repo.

[bgopalakr]

Ok if you are deploying your flask app in Azure WebApp, you dont need any code for AD authentication purpose. Just enable Ad integration for Azure WebApp.
https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization

Anyone know how to get the token / user details from Azure WebApp inside Flask App? I want to check the group of user to allow or deny screen of my Flask App