AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available here https://learn.microsoft.com/entra/msal/python/ Stable APIs are documented here https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with tag "msal" + "python".
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

Update to quickstart SSO w/ python & MSAL for anyone using FastAPI instead of Flask #448

Open AndrewJHart opened 2 years ago

AndrewJHart commented 2 years ago

New way to use another framework to Add sign-in with Microsoft to a Python web app.

Note: This is a very simple demo - to keep it easy to understand for anyone getting started.

The reason I posted this is that a good friend was having some issues following the getting started with Azure SSO & Flask, since the example is in Flask only. Thus, I borrowed the Flask demo referenced from the quick start guide here. The repo handles redirect to SSO, Azure auth, and redirect back to the callback URL which eventually gets the JWT(s), and allows you to make calls to the Graph API. There are some subtle nuances and conversion is not as easy as one would think, so I wanted to post this in case anyone is looking for a super simple reference repository for doing the same thing from the original guide, but with a really awesome concurrent Python library. You can check out FastAPI here.

The repository demo can be found at https://github.com/AndrewJHart/Azure-FastAPI-Auth-Example

The link to the original guide is below. You will need to follow the guide to get started and create your web app. The only difference in the setup steps is that the repo I'm sharing runs on port 9000 and the cb url is /oauth instead of port 5000 and cb being getAToken (all of which is configurable). The project layouts are almost identical as well.

This will work in a multi-tenant situation as well. I hope this is helpful. Thanks!

Perhaps it would behoove Azure to use this or a similar example to demonstrate how to do something similar without requiring Flask or Django.

Thanks very much,

pamelafox commented 1 year ago

Thank you for sharing, @AndrewJHart! Some devs in the issue tracker for https://github.com/Azure-Samples/ms-identity-python-webapp/ were also looking for FastAPI samples. By the way, there's now an identity package that is higher-level than msal. The ms-identity-python-webapp sample was recently updated to use it. You could try that out in your sample to see if it simplifies the code (or if it's even compatible with FastAPI).

AndrewJHart commented 1 year ago

Excellent! I have a much better implementation in a real env, that I obviously can't share, however I'll check out the new wrapper around your SSO functionality and go from there... possibly build a v2 of the example app with FastAPI.

Thanks! 👍

JonasKs commented 1 month ago

I talked with some MSAL employees at Microsoft Build last week, where I told them I am willing to give ownership of fastapi-azure-auth (and https://github.com/snok/django-auth-adfs) (or deprecate them!), if Microsoft made MSAL integrate nicely with FastAPI (e.g. authentication button in the /docs site and integrate with Security() in FastAPI) and Django.

Safe to say they didn't really care. It's a shame that the two biggest web frameworks in Python rely on me for good documentation and integration.

rayluo commented 1 month ago

I feel sorry to hear about your experience, Jonas. It is possible that the representative you met does not work in this area and thus did not fully understand the context. The best way to engage people behind an open-source SDK is via GitHub issues.

With regard to sample coverage, we started with a Flask sample, and subsequently expanded to a Django sample (which covers much more than ADFS). Again, you can engage us in the respective repositories for topics about their targeted web framework. See you in our Django sample repo to hear your thoughts on whether there are any features inside https://github.com/snok/django-auth-adfs that we shall be aware of.

JonasKs commented 1 month ago

Hi @rayluo, thanks for the quick feedback. I've only read the code on my phone, but unfortunately that library seems to suffer from the same as the rest of the MSAL examples - no real integration with the framework. Django developers want a middleware to create their users for them, in order for the authorization models built in to Django to work - not custom decorators on each view.

There's nothing I want more than MSAL to be a top notch library for those creating sites/APIs in the most popular frameworks, but even though I don't want to build my own packages to get framework integration, I feel like I have to.

As I've stated, I'd be happy to either deprecate or give ownership of my packages if Microsoft commits to this.

JonasKs commented 1 month ago

As a side note - I do love MSAL(!) and use it in every project to fetch tokens for other apps, I just don't use it for security on my own apps.