Azure Python flask App - AD 身份验证问题
Azure Python flask App - AD authentication issue
这可能解释起来有点复杂,所以我会尽力而为。
当前解
我有一个 python flask 应用程序,它将部署到 Azure 中的应用程序服务。我希望用户通过 Azure AD 身份验证登录到应用程序服务。为此,我正在使用 ADAL 库,因为我发现了一些可以执行此操作的代码。
我已经在 Azure AD 上注册了应用程序以获取 App ID 和 App Secret。为此,我使用了本教程:https://docs.microsoft.com/en-gb/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-redirect-uris-to-your-application
app.py
import os
import urllib.parse
import uuid
import adal
import flask
import requests
import config
import logging
os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1' # enable non-HTTPS for testing
APP = flask.Flask(__name__, template_folder='static/templates')
APP.debug = True
APP.secret_key = 'development'
logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)
SESSION = requests.Session()
@APP.route('/')
def homepage():
"""Render the home page."""
logging.info('test')
logger.debug("test1")
return flask.render_template('homepage.html', sample='ADAL')
@APP.route('/login')
def login():
"""Prompt user to authenticate."""
auth_state = str(uuid.uuid4())
SESSION.auth_state = auth_state
# For this sample, the user selects an account to authenticate. Change
# this value to 'none' for "silent SSO" behavior, and if the user is
# already authenticated they won't need to re-authenticate.
prompt_behavior = 'select_account'
params = urllib.parse.urlencode({'response_type': 'code',
'client_id': config.CLIENT_ID,
'redirect_uri': config.REDIRECT_URI,
'state': auth_state,
'resource': config.RESOURCE,
'prompt': prompt_behavior})
return flask.redirect(config.AUTHORITY_URL + '/oauth2/authorize?' + params)
@APP.route('/login/authorized')
def authorized():
"""Handler for the application's Redirect Uri."""
code = flask.request.args['code']
auth_state = flask.request.args['state']
if auth_state != SESSION.auth_state:
raise Exception('state returned to redirect URL does not match!')
auth_context = adal.AuthenticationContext(config.AUTHORITY_URL, api_version=None)
token_response = auth_context.acquire_token_with_authorization_code(
code, config.REDIRECT_URI, config.RESOURCE, config.CLIENT_ID, config.CLIENT_SECRET)
SESSION.headers.update({'Authorization': f"Bearer {token_response['accessToken']}",
'User-Agent': 'adal-sample',
'Accept': 'application/json',
'Content-Type': 'application/json',
'SdkVersion': 'sample-python-adal',
'return-client-request-id': 'true'})
return flask.redirect('/graphcall')
@APP.route('/graphcall')
def graphcall():
"""Confirm user authentication by calling Graph and displaying some data."""
endpoint = config.RESOURCE + config.API_VERSION + '/me'
http_headers = {'client-request-id': str(uuid.uuid4())}
graphdata = SESSION.get(endpoint, headers=http_headers, stream=False).json()
return flask.render_template('graphcall.html',
graphdata=graphdata,
endpoint=endpoint,
sample='ADAL')
if __name__ == '__main__':
APP.run(debug=True)
APP.run()
config.py
CLIENT_ID = 'd****************************'
CLIENT_SECRET = 'D******************************'
REDIRECT_URI = 'http://localhost:5000/login/authorized'
# AUTHORITY_URL ending determines type of account that can be authenticated:
# /organizations = organizational accounts only
# /consumers = MSAs only (Microsoft Accounts - Live.com, Hotmail.com, etc.)
# /common = allow both types of accounts
AUTHORITY_URL = 'https://login.microsoftonline.com/common'
AUTH_ENDPOINT = '/oauth2/v2.0/authorize'
TOKEN_ENDPOINT = '/oauth2/v2.0/token'
RESOURCE = 'https://graph.microsoft.com/'
API_VERSION = 'v1.0'
SCOPES = ['User.Read'] # Add other scopes/permissions as needed.
# This code can be removed after configuring CLIENT_ID and CLIENT_SECRET above.
if 'ENTER_YOUR' in CLIENT_ID or 'ENTER_YOUR' in CLIENT_SECRET:
print('ERROR: config.py does not contain valid CLIENT_ID and CLIENT_SECRET')
import sys
sys.exit(1)
目前,当我登录到该应用程序时,会看到我可以登录的登录屏幕,我认为它已传递到我的组织密码屏幕以供登录。之后,应用程序无法获取不记名令牌。然后将应用程序重定向回主页。
问题
- 有没有一种方法可以让我不必为应用程序服务使用 Azure AD 授权,我可以在没有它的情况下使用 Azure AD 进行授权。
- 执行此操作的更好方法是什么。
或者我可以在不使用 ADAL 库的情况下使用 Azure AD 进行身份验证,并在登录我的 Flask 应用程序服务时使用内置的 Azure AD 授权。
我知道这可能解释得不是很好,所以有任何问题或更多信息,请告诉我
提前致谢。
如果我对你的问题的理解正确,你宁愿使用内置的 Azure AD 身份验证也不愿使用 ADAL 库。
如果您只是想使用登录功能,使用内置的Azure AD 身份验证非常方便,您无需修改代码。但是如果你想得到access token,你需要自己去领取。
如何获取访问令牌?
从您的服务器代码中,provider-specific 令牌被注入 request header,因此您可以轻松访问它们。
App Service provides a built-in token store, which is a
repository of tokens that are associated with the users of your web
apps, but you must write code to collect, store, and refresh these
tokens in your application.
更新:
这可能解释起来有点复杂,所以我会尽力而为。
当前解
我有一个 python flask 应用程序,它将部署到 Azure 中的应用程序服务。我希望用户通过 Azure AD 身份验证登录到应用程序服务。为此,我正在使用 ADAL 库,因为我发现了一些可以执行此操作的代码。
我已经在 Azure AD 上注册了应用程序以获取 App ID 和 App Secret。为此,我使用了本教程:https://docs.microsoft.com/en-gb/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-redirect-uris-to-your-application
app.py
import os
import urllib.parse
import uuid
import adal
import flask
import requests
import config
import logging
os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1' # enable non-HTTPS for testing
APP = flask.Flask(__name__, template_folder='static/templates')
APP.debug = True
APP.secret_key = 'development'
logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)
SESSION = requests.Session()
@APP.route('/')
def homepage():
"""Render the home page."""
logging.info('test')
logger.debug("test1")
return flask.render_template('homepage.html', sample='ADAL')
@APP.route('/login')
def login():
"""Prompt user to authenticate."""
auth_state = str(uuid.uuid4())
SESSION.auth_state = auth_state
# For this sample, the user selects an account to authenticate. Change
# this value to 'none' for "silent SSO" behavior, and if the user is
# already authenticated they won't need to re-authenticate.
prompt_behavior = 'select_account'
params = urllib.parse.urlencode({'response_type': 'code',
'client_id': config.CLIENT_ID,
'redirect_uri': config.REDIRECT_URI,
'state': auth_state,
'resource': config.RESOURCE,
'prompt': prompt_behavior})
return flask.redirect(config.AUTHORITY_URL + '/oauth2/authorize?' + params)
@APP.route('/login/authorized')
def authorized():
"""Handler for the application's Redirect Uri."""
code = flask.request.args['code']
auth_state = flask.request.args['state']
if auth_state != SESSION.auth_state:
raise Exception('state returned to redirect URL does not match!')
auth_context = adal.AuthenticationContext(config.AUTHORITY_URL, api_version=None)
token_response = auth_context.acquire_token_with_authorization_code(
code, config.REDIRECT_URI, config.RESOURCE, config.CLIENT_ID, config.CLIENT_SECRET)
SESSION.headers.update({'Authorization': f"Bearer {token_response['accessToken']}",
'User-Agent': 'adal-sample',
'Accept': 'application/json',
'Content-Type': 'application/json',
'SdkVersion': 'sample-python-adal',
'return-client-request-id': 'true'})
return flask.redirect('/graphcall')
@APP.route('/graphcall')
def graphcall():
"""Confirm user authentication by calling Graph and displaying some data."""
endpoint = config.RESOURCE + config.API_VERSION + '/me'
http_headers = {'client-request-id': str(uuid.uuid4())}
graphdata = SESSION.get(endpoint, headers=http_headers, stream=False).json()
return flask.render_template('graphcall.html',
graphdata=graphdata,
endpoint=endpoint,
sample='ADAL')
if __name__ == '__main__':
APP.run(debug=True)
APP.run()
config.py
CLIENT_ID = 'd****************************'
CLIENT_SECRET = 'D******************************'
REDIRECT_URI = 'http://localhost:5000/login/authorized'
# AUTHORITY_URL ending determines type of account that can be authenticated:
# /organizations = organizational accounts only
# /consumers = MSAs only (Microsoft Accounts - Live.com, Hotmail.com, etc.)
# /common = allow both types of accounts
AUTHORITY_URL = 'https://login.microsoftonline.com/common'
AUTH_ENDPOINT = '/oauth2/v2.0/authorize'
TOKEN_ENDPOINT = '/oauth2/v2.0/token'
RESOURCE = 'https://graph.microsoft.com/'
API_VERSION = 'v1.0'
SCOPES = ['User.Read'] # Add other scopes/permissions as needed.
# This code can be removed after configuring CLIENT_ID and CLIENT_SECRET above.
if 'ENTER_YOUR' in CLIENT_ID or 'ENTER_YOUR' in CLIENT_SECRET:
print('ERROR: config.py does not contain valid CLIENT_ID and CLIENT_SECRET')
import sys
sys.exit(1)
目前,当我登录到该应用程序时,会看到我可以登录的登录屏幕,我认为它已传递到我的组织密码屏幕以供登录。之后,应用程序无法获取不记名令牌。然后将应用程序重定向回主页。
问题
- 有没有一种方法可以让我不必为应用程序服务使用 Azure AD 授权,我可以在没有它的情况下使用 Azure AD 进行授权。
- 执行此操作的更好方法是什么。
或者我可以在不使用 ADAL 库的情况下使用 Azure AD 进行身份验证,并在登录我的 Flask 应用程序服务时使用内置的 Azure AD 授权。
我知道这可能解释得不是很好,所以有任何问题或更多信息,请告诉我
提前致谢。
如果我对你的问题的理解正确,你宁愿使用内置的 Azure AD 身份验证也不愿使用 ADAL 库。
如果您只是想使用登录功能,使用内置的Azure AD 身份验证非常方便,您无需修改代码。但是如果你想得到access token,你需要自己去领取。
如何获取访问令牌?
从您的服务器代码中,provider-specific 令牌被注入 request header,因此您可以轻松访问它们。
App Service provides a built-in token store, which is a repository of tokens that are associated with the users of your web apps, but you must write code to collect, store, and refresh these tokens in your application.
更新: