Switch to new MSAL auth_code_flow API #55
Conversation
idg-sam
left a comment
idg-sam
left a comment
There was a problem hiding this comment.
I haven't run it yet, but upon a quick review of the code it looks great. Only suggestion is to add a state arg to the build_auth_code_flow (have added the code suggestion)
👍 👍 👍
| session["user"] = result.get("id_token_claims") | ||
| _save_cache(cache) | ||
| except ValueError: # Usually caused by CSRF | ||
| pass # Simply ignore them |
There was a problem hiding this comment.
Hi @rayluo could you explain why this is ok to ignore, and would upgrading the ms-identity-python-samples-common repo to the new scheme help mitigate my issue Azure-Samples/ms-identity-python-samples-common#4 ?
There was a problem hiding this comment.
In this particular implementation, ignoring the ValueError here would let the next line run, which is to go back to the index page at a not-yet-signed-in state, rather than an error page. The current approach is our desirable user experience to handle the state mismatch.
This PR simplifies the current web app sample based on a new higher-level
acquire_token_by_auth_code_flow()API, which will be available in MSAL 1.7.0 (coming soon).On surface, this PR shrinks the 100+ lines code base by just 6 lines. The real difference is the reduction of cognitive load in the major function
authorized(), while providing more functionality (the PKCE protection), AUTOMATICALLY. The table below is a comparison.ifstatementsOther than that, the functionality of this sample remains versatile: it supports authentication, web API call, B2C authentication, B2C web API call, B2C edit profile, B2C reset password, and it will automatically pick up the PKCE feature provided by MSAL 1.7.
PR reviews are welcome, although this PR will not currently work, until MSAL 1.7 being released.