| page_type | languages | products | description | urlFragment |
|---|---|---|---|---|
| sample | | | This sample demonstrates a Python web application calling the PAT lifecycle management API that is secured using Azure Active Directory. Users can download the sample and fill in their own credentials in 'app_config.py' to try the API themselves. | ms-identity-python-webapp |

This sample demonstrates a Python web application that signs in users with the Microsoft identity platform and calls the API.
- The Python web application uses the Microsoft Authentication Library (MSAL) to obtain a JWT access token from the Microsoft identity platform (formerly Azure AD v2.0).
- The access token is used as a bearer token to authenticate the user when calling the API.

This sample shows how to build a Python web app using Flask and MSAL Python that signs in a user and gets access to the API. For more information about how the protocols work in this scenario and other scenarios, see Authentication Scenarios for Azure AD.
To run this sample, you'll need:
- Python 2.7+ or Python 3+
- An Azure Active Directory (Azure AD) tenant. For more information on how to get an Azure AD tenant, see how to get an Azure AD tenant.
From your shell or command line:
git clone https://github.com/microsoft/azure-devops-auth-samples.git
or download and extract the repository .zip file. Make sure you're working in the PersonalAccessTokenApiAppSample directory.
Given that the name of the sample is quite long, you might want to clone it in a folder close to the root of your hard drive, to avoid file name length limitations when running on Windows.
As a first step you'll need to:
- Sign in to the Azure portal using either a work or school account or a personal Microsoft account.
- If your account is present in more than one Azure AD tenant, select your profile at the top right corner in the menu on top of the page, and then switch directory. Change your portal session to the desired Azure AD tenant.
- Navigate to the Microsoft identity platform for developers App registrations page.
- Select New registration.
- When the Register an application page appears, enter your application's registration information:
  - In the Name section, enter a meaningful application name that will be displayed to users of the app, for example `python-webapp`.
  - Change Supported account types to Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com).
  - In the Redirect URI (optional) section, select Web in the combo-box and enter the following redirect URI: `http://localhost:5000/getAToken`.
- Select Register to create the application.
- On the app Overview page, find the Application (client) ID value and record it for later. You'll need it to configure the Visual Studio configuration file for this project.
- Select Save.
- From the Certificates & secrets page, in the Client secrets section, choose New client secret:
  - Type a key description (for instance, `app secret`).
  - Select a key duration of either In 1 year, In 2 years, or Never Expires.
  - When you press the Add button, the key value will be displayed. Copy the value and save it in a safe location.
  - You'll need this key later to configure the project in Visual Studio. This key value will not be displayed again, nor retrievable by any other means, so record it as soon as it is visible from the Azure portal.
- Select the API permissions section:
  - Click the Add a permission button and then,
  - Ensure that the Microsoft APIs tab is selected.
  - In the Commonly used Microsoft APIs section, click on Azure DevOps.
  - In the Delegated permissions section, ensure that the right permissions are checked: user_impersonation. Use the search box if necessary.
  - Select the Add permissions button.

In the steps below, "ClientID" is the same as "Application ID" or "AppId".

Note: if you used the setup scripts, the changes below may have been applied for you.

- Open the `app_config.py` file.
- For a multi-tenant app, find the app key `Enter_the_Tenant_ID_Here` and replace the existing value with your Azure AD tenant ID. For a single tenant app, use the alternate value for the AUTHORITY variable, adding the specific tenant name in `Enter_the_Tenant_Name_Here`.
- You saved your application secret during the creation of the `python-webapp` app in the Azure portal. Now you can set the secret in the environment variable `CLIENT_SECRET`, and then adjust `app_config.py` to pick it up.
- Find the app key `Enter_the_Application_Id_here` and replace the existing value with the application ID (clientId) of the `python-webapp` application copied from the Azure portal.
- Find the ENDPOINT variable and replace `Enter_the_Collection_Name_Here` with the name of your Azure DevOps collection.

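A startup check for the values configured in the steps above, shown as an added example that is not part of the sample's own code: it rejects leftover `Enter_the_...` placeholders, insists that the client secret comes from the `CLIENT_SECRET` environment variable rather than the file, and allows plain HTTP only for the loopback redirect URI. The function name `load_settings`, the dict keys `CLIENT_ID` and `REDIRECT_URI`, and all sample values are assumptions made for this example.

```python
import os
import re
from urllib.parse import urlsplit

# Every placeholder named in the steps above starts with "Enter_the_".
PLACEHOLDER = re.compile(r"Enter_the_\w+", re.IGNORECASE)
LOOPBACK = ("localhost", "127.0.0.1")


def load_settings(config, environ=os.environ):
    """Validate edited app_config.py values; raise ValueError on problems.

    CLIENT_ID and REDIRECT_URI are key names assumed by this example."""
    problems = []
    for key in ("CLIENT_ID", "AUTHORITY", "ENDPOINT", "REDIRECT_URI"):
        value = config.get(key, "")
        if not value:
            problems.append(f"{key} is missing")
        elif PLACEHOLDER.search(value):
            problems.append(f"{key} still contains a placeholder")

    # The secret is read from the environment only, never from the file.
    if "CLIENT_SECRET" in config:
        problems.append("CLIENT_SECRET must not be stored in the config")
    secret = environ.get("CLIENT_SECRET", "")
    if not secret:
        problems.append("environment variable CLIENT_SECRET is not set")

    # Token and API traffic must use HTTPS.
    for key in ("AUTHORITY", "ENDPOINT"):
        if config.get(key) and urlsplit(config[key]).scheme != "https":
            problems.append(f"{key} must use https")
    # Plain HTTP is tolerated only for a loopback redirect URI (local dev).
    redirect = urlsplit(config.get("REDIRECT_URI", ""))
    if redirect.scheme == "http" and redirect.hostname not in LOOPBACK:
        problems.append("REDIRECT_URI may use http only on loopback")

    if problems:
        raise ValueError("; ".join(problems))
    return {**config, "CLIENT_SECRET": secret}

# Constructed sample values; the ENDPOINT host is a stand-in, not the real API.
SAMPLE = {
    "CLIENT_ID": "00000000-0000-0000-0000-000000000000",
    "AUTHORITY": "https://login.microsoftonline.com/contoso.onmicrosoft.com",
    "ENDPOINT": "https://devops.example.test/contoso-collection",
    "REDIRECT_URI": "http://localhost:5000/getAToken",
}
```

Calling `load_settings` before the Flask app starts turns a half-edited configuration into one error message that lists every problem at once.
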
You will need to install dependencies using pip as follows:
$ pip install -r requirements.txt
Run app.py from shell or command line. Note that the host and port values need to match what you've set up in your redirect_uri:
$ flask run --host localhost --port 5000
or
$ python -m flask run
Use Stack Overflow to get support from the community.
Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before.
Make sure that your questions or comments are tagged with [`azure-active-directory` `adal` `msal` `python`].
If you find a bug in the sample, please raise the issue on GitHub Issues.
To provide a recommendation, visit the following User Voice page.
If you'd like to contribute to this sample, see CONTRIBUTING.MD.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
For more information, see MSAL.Python's conceptual documentation:
For more information about web apps scenarios on the Microsoft identity platform see Scenario: Web app that calls web APIs
For more information about how OAuth 2.0 protocols work in this scenario and other scenarios, see Authentication Scenarios for Azure AD.