Azure-Samples / ms-identity-python-webapp

A Python web application calling Microsoft Graph that is secured using the Microsoft identity platform
MIT License

webapp redirects to login page in GCP App Engine #42

Closed chiokejjones closed 3 years ago

chiokejjones commented 3 years ago

After testing it locally, I've deployed the sample app to GCP App Engine Standard. I'm running into an issue where the application seems to authenticate back to AAD, but it redirects back to the login page.

I haven't made any changes to the most recent code or requirements. My app.yaml file only contains the runtime configuration.

Browser console shows the redirect that grabs the token, redirect back to the app:

[Screenshot of the browser console; image not included]

Has anyone experienced this issue before?

rayluo commented 3 years ago

Hmm, I haven't tried deploying this sample app into GCP App Engine. But based on my GAE experience many years ago, GAE does not support a local file system. Is it still the case? This sample app currently uses a server-side session which would be persisted on the server-side file system. If that file system does not work, it might cause such an issue. (That being said, if a file system were not available, it should error out much earlier.)
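The failure mode suggested in the comment above, as an added example that is not part of the thread or of the sample's own code: a file-backed server-side session works when the login request and the redirect callback read the same directory, and falls back to the login page when they do not. The store class, the route names and the two-instance setup are assumptions made for illustration, using only the Python standard library.

```python
import json
import os
import secrets
import tempfile

class FileSessionStore:
    """File-backed server-side sessions (constructed stand-in, not the sample's code)."""
    def __init__(self, directory):
        self.directory = directory

    def _path(self, sid):
        return os.path.join(self.directory, sid + ".json")

    def load(self, sid):
        try:
            with open(self._path(sid)) as f:
                return json.load(f)
        except FileNotFoundError:
            return {}  # this instance has never seen the session

    def save(self, sid, data):
        with open(self._path(sid), "w") as f:
            json.dump(data, f)

class Instance:
    """One server process; the route names are hypothetical."""
    def __init__(self, store):
        self.store = store

    def login(self, sid):
        state = secrets.token_urlsafe(16)  # remembered server-side for the callback
        self.store.save(sid, {"flow": {"state": state}})
        return state

    def callback(self, sid, returned_state):
        flow = self.store.load(sid).get("flow")
        if not flow or not secrets.compare_digest(flow["state"], returned_state):
            return "redirect:/login"  # no matching flow on this instance: start over
        self.store.save(sid, {"user": "constructed-user"})
        return "redirect:/"

    def index(self, sid):
        return "200 OK" if self.store.load(sid).get("user") else "redirect:/login"

def simulate(shared_storage):
    """Login on one instance, callback and index on another."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        first = Instance(FileSessionStore(a))
        second = Instance(FileSessionStore(a if shared_storage else b))
        sid = secrets.token_hex(16)  # session id carried in the browser cookie
        state = first.login(sid)
        return second.callback(sid, state), second.index(sid)
```

With `shared_storage=False` the identity provider's redirect is accepted by the browser, but the callback finds no stored flow and the user lands on the login page again.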

chiokejjones commented 3 years ago

Thanks for the information. GAE does allow writing out to Cloud Storage https://cloud.google.com/appengine/docs/standard/python3/storage-options or using the temporary storage https://cloud.google.com/appengine/docs/standard/python3/using-temp-files.

rayluo commented 3 years ago

Nope, neither the Google Cloud Storage nor its temporary storage is a regular local file system. This Q&A on Stack Overflow explains why, and it also suggests that you consider a VM with local storage. That indeed seems to be the only option, for now.

chiokejjones commented 3 years ago

Thanks for the explanation. Is the server-side session a requirement of the library?

rayluo commented 3 years ago

> Is the server-side session a requirement of the library?

You are commenting in a web app sample which is powered by MSAL (Microsoft Authentication Library).

Server-side session is NOT a requirement of MSAL, but it is currently the approach this web app sample is built on. Your options are:

chiokejjones commented 3 years ago

Thanks for your patience, Ray.