Hi team, thanks for this sample!
question: is there any work on setting this up for proper protection of routes in flask ?
ex like authlib decorators?

@app.route('/user')
@require_oauth()
def user_profile():
    ...

Also seeing this, how does this compares?
https://github.com/antarctica/flask-azure-oauth

other solutions?

thanks!

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [X ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

The client secret (CLIENT_SECRET) information managed in config.py is handled in an insecure manner. It's way too easy to leak credentials through version control, and should be externalized into an environment variable. At the very least, config.py should be put in the default .gitignore to prevent accidental pushes w/ keys to cloned forks.

Minimal steps to reproduce

Follow the documentation and configure the config.py with the values in your application registration.

Any log messages given by the failure

None.

Expected/desired behavior

Secret information should be managed and consumed via environment variable or through a secrety store like Azure Key Vault.

OS and Version?

ALL

Versions

n/a

Mention any other details that might be useful

---

Thanks! We'll be in touch soon.

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Follow instructions in README. (Create app registration, insert data into config.py, call localhost:5000 in browser)

Any log messages given by the failure

werkzeug.exceptions.BadRequestKeyError
werkzeug.exceptions.HTTPException.wrap.<locals>.newcls: 400 Bad Request: The browser (or proxy) sent a request that this server could not understand.

Traceback (most recent call last)
File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 2328, in __call__
return self.wsgi_app(environ, start_response)
File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 2314, in wsgi_app
response = self.handle_exception(e)
File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1760, in handle_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python3.7/site-packages/flask/_compat.py", line 36, in reraise
raise value
File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 2311, in wsgi_app
response = self.full_dispatch_request()
File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1834, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1737, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python3.7/site-packages/flask/_compat.py", line 36, in reraise
raise value
File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1832, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1818, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/Users/thfalgou/git/Azure-Samples/active-directory-python-webapp-graphapi/app.py", line 44, in main_logic
code = flask.request.args['code']
File "/usr/local/lib/python3.7/site-packages/werkzeug/datastructures.py", line 442, in __getitem__
raise exceptions.BadRequestKeyError(key)
werkzeug.exceptions.HTTPException.wrap.<locals>.newcls: 400 Bad Request: The browser (or proxy) sent a request that this server could not understand.

Expected/desired behavior

Expected not to receive 400 error

OS and Version?

OSX

Versions

OSX 10.12

Mention any other details that might be useful

I'm using the microsoft.onmicrosoft.com tenant (as an blue-badge employee)

Needs instructions installing adal.

pip install adal

Inside config.py, there is a SCOPES variable that is never used in the sample.

I have this simple search function in Flask to lookup groups names but it always ends up in a result saying badly formed request and a status: 400.

@APP.route('/search')
def search(top=10):
params = request.args.to_dict()
term = params.get('term')
queryMembers = "groups?$filter=startswith(displayName, 'AA')"
print("AAA", queryMembers)
result = MSGRAPH.get(queryMembers, headers=request_headers()).data
return flask.render_template('query_2.html', result=result)

need help on figuring out what wrong I am doing.

There is a serious security issue with this sample. The /graphcall doesn't do any auth validation. The session object at https://github.com/Azure-Samples/active-directory-python-webapp-graphapi/blob/master/app.py#L13 is global and it will be used for any /graphcall call. So once someone authenticates, any subsequent calls to /graphcall use the same auth token.

This issue is for a: (mark with an x)

- [x ] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

• access https://host.name/ and complete the login flow
• access https://host.name/graphcall for another browser/curl and you see the data of the first user.