Azure-Samples / ms-identity-docs-code-python

Source for the Python code snippets in the Microsoft identity platform documentation found on https://docs.microsoft.com.
https://docs.microsoft.com/azure/active-directory/develop
MIT License

Initial import of "Protect an API in Azure Functions - Python - With EasyAuth" #10

Closed ckittel closed 2 years ago

ckittel commented 2 years ago

This is for #DOCS-CODE-006

Simple HTTP Trigger written in Python 3 that demonstrates how Easy Auth in Azure Functions takes on the responsibility of basic authentication and your code then is responsible for all remaining authorization.

skabou commented 2 years ago

I was in the midst of reviewing when I got the notification 😆 LGTM 🚀

ckittel commented 2 years ago

> I was in the midst of reviewing when I got the notification 😆 LGTM 🚀

@skabou - Can you mark your open comments resolved if they are resolved? Thanks!

ckittel commented 2 years ago

Thanks all. @mmacy, this is ready for your review. This is the FIRST Azure Function-based scenario, so please pay extra attention to the flow/configuration sections so that we can replicate on the .net and node ones that will be coming soon as well.

ckittel commented 2 years ago

This one might actually be a little too minimal. Hope you don't hate me for this, but this is something I thought of on the last API I reviewed but forgot to mention:

Every API should have at least two endpoints, and possibly three:

Happy to discuss further.

@mmacy - Just a heads up that basically all of our basic/focused "protect an API" scenarios that we did so far have been this minimal (single method, scope protected). If you would like us to go back to them all and extend them to include more sub scenarios, I'd request that it gets added to the backlog so that change request doesn't get lost and the specific requirements are documented.

I've cataloged the request on our Teams channel.

For this specific example, fundamentally the only change would be:

```python
import jwt  # PyJWT

# Signature verification is skipped because Easy Auth already authenticated
# the request before the function ran; the claim is read only for authorization.
scopes: str = jwt.decode(
    access_token, options={"verify_signature": False, "require": ["scp"]}
)["scp"]

# TO

# "roles" is a JSON array of app-role values, unlike the space-delimited "scp" string
roles: list[str] = jwt.decode(
    access_token, options={"verify_signature": False, "require": ["roles"]}
)["roles"]
```

Then change the "Greeting.Read" check to "GreetingReaderRole" or something. The switch from using one JWT claim to another JWT claim for authorization could be pretty easily mentioned in the tutorial, I'd imagine.
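The authorization step discussed in this thread, written out as an added example (not code from this repository or the Azure Functions sample): Easy Auth has already rejected unauthenticated requests, so the function reads the claims of the already-validated bearer token and decides between a delegated caller (space-delimited `scp` string containing `Greeting.Read`) and an application caller (`roles` JSON array containing an app role). The role name `GreetingReaderRole`, the `authorize` helper and the `unsigned_token` fixture builder are assumptions for illustration; the payload is decoded with the standard library in place of PyJWT so the snippet runs offline, and the fixture carries a placeholder signature segment because nothing here checks signatures, exactly as in the `verify_signature: False` call above.

```python
import base64
import json
from typing import Dict, List, Optional, Set, Tuple

REQUIRED_SCOPE = "Greeting.Read"       # delegated permission, from the PR
REQUIRED_ROLE = "GreetingReaderRole"   # app role name (assumed for illustration)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def payload_claims(access_token: str) -> Dict:
    """Return the JWT payload WITHOUT checking the signature.

    This is only acceptable because Easy Auth validated issuer, audience,
    expiry and signature and rejected the request before the function ran.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(claims: Dict) -> Set[str]:
    # "scp" is a single space-delimited string in Microsoft identity platform tokens.
    scp = claims.get("scp")
    return set(scp.split()) if isinstance(scp, str) else set()


def granted_roles(claims: Dict) -> Set[str]:
    # "roles" is a JSON array of strings; any other shape grants nothing.
    roles = claims.get("roles")
    if not isinstance(roles, list):
        return set()
    return {r for r in roles if isinstance(r, str)}


def authorize(authorization_header: Optional[str]) -> Tuple[int, str]:
    """Map the Authorization header to an HTTP status and message."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = payload_claims(authorization_header[len("Bearer "):])
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return 401, "malformed token"
    if REQUIRED_SCOPE in granted_scopes(claims):
        return 200, "Hello from a delegated (user) call."
    if REQUIRED_ROLE in granted_roles(claims):
        return 200, "Hello from an application (daemon) call."
    return 403, "token carries neither the required scope nor the required role"


def unsigned_token(claims: Dict) -> str:
    """Constructed test fixture: header and payload are real JSON, the
    signature segment is a placeholder. Only usable behind Easy Auth."""
    def seg(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg(claims), "placeholder-signature"])


if __name__ == "__main__":
    for claims in ({"scp": "Greeting.Read User.Read"},
                   {"roles": ["GreetingReaderRole"]},
                   {"scp": "Greeting.Write"}):
        print(claims, "->", authorize("Bearer " + unsigned_token(claims)))
```

Keeping the scope and role checks in separate helpers makes the claim-shape difference explicit: a token whose `roles` claim is accidentally a string, or whose `scp` is a list, yields an empty set and a 403 rather than a false match.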