diff --git a/app.py b/app.py index de88695..747991e 100644 --- a/app.py +++ b/app.py @@ -25,28 +25,23 @@ def index(): @app.route("/login") def login(): - session["state"] = str(uuid.uuid4()) # Technically we could use empty list [] as scopes to do just sign in, # here we choose to also collect end user consent upfront - auth_url = _build_auth_url(scopes=app_config.SCOPE, state=session["state"]) - return render_template("login.html", auth_url=auth_url, version=msal.__version__) + session["flow"] = _build_auth_code_flow(scopes=app_config.SCOPE) + return render_template("login.html", auth_url=session["flow"]["auth_uri"], version=msal.__version__) @app.route(app_config.REDIRECT_PATH) # Its absolute URL must match your app's redirect_uri set in AAD def authorized(): - if request.args.get('state') != session.get("state"): - return redirect(url_for("index")) # No-OP. Goes back to Index page - if "error" in request.args: # Authentication/Authorization failure - return render_template("auth_error.html", result=request.args) - if request.args.get('code'): + try: cache = _load_cache() - result = _build_msal_app(cache=cache).acquire_token_by_authorization_code( - request.args['code'], - scopes=app_config.SCOPE, # Misspelled scope would cause an HTTP 400 error here - redirect_uri=url_for("authorized", _external=True)) + result = _build_msal_app(cache=cache).acquire_token_by_auth_code_flow( + session.get("flow", {}), request.args) if "error" in result: - return render_template("auth_error.html", result=result) + return render_template("error.html", result) session["user"] = result.get("id_token_claims") _save_cache(cache) + except ValueError: # Usually caused by CSRF + pass # Simply ignore them return redirect(url_for("index")) @app.route("/logout") 
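Review bot: `return render_template("error.html", result)` in authorized() cannot work as written: Flask's render_template takes one positional argument (the template name) and keyword-only context, so the bare `result` raises TypeError, and no `error.html` appears in this diff — the error page being edited is templates/auth_error.html, which the removed line also used. It should read `return render_template("auth_error.html", result=result)`. Separately, the `except ValueError: pass` branch deliberately turns a state mismatch into a plain redirect to index, but it also hides every other ValueError from the token exchange; emitting a warning there (for example `app.logger.warning("auth code flow rejected", exc_info=True)`) would keep the CSRF signal visible in operational logs instead of discarding it. Consider also `session.pop("flow", None)` once the flow has been consumed, so the stored state and per-flow values cannot be presented a second time. The whole of authorized() is within the hunk, ending at the `return redirect(url_for("index"))` line shown.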
@@ -83,10 +78,9 @@ def _build_msal_app(cache=None, authority=None): app_config.CLIENT_ID, authority=authority or app_config.AUTHORITY, client_credential=app_config.CLIENT_SECRET, token_cache=cache) -def _build_auth_url(authority=None, scopes=None, state=None): - return _build_msal_app(authority=authority).get_authorization_request_url( +def _build_auth_code_flow(authority=None, scopes=None): + return _build_msal_app(authority=authority).initiate_auth_code_flow( scopes or [], - state=state or str(uuid.uuid4()), redirect_uri=url_for("authorized", _external=True)) def _get_token_from_cache(scope=None): @@ -98,7 +92,7 @@ def _get_token_from_cache(scope=None): _save_cache(cache) return result -app.jinja_env.globals.update(_build_auth_url=_build_auth_url) # Used in template +app.jinja_env.globals.update(_build_auth_code_flow=_build_auth_code_flow) # Used in template if __name__ == "__main__": app.run() diff --git a/requirements.txt b/requirements.txt index c2c3994..5c7d8e9 100644 --- a/requirements.txt +++ b/requirements.txt @@ -2,7 +2,7 @@ Flask>=1,<2 werkzeug>=1,<2 flask-session~=0.3.2 requests>=2,<3 -msal>=0.6.1,<2 +msal>=1.7,<2 # cachelib==0.1 # Only need this if you are running Python 2 # Note: This sample does NOT directly depend on cachelib. diff --git a/templates/auth_error.html b/templates/auth_error.html index 2207965..ee6e6d1 100644 --- a/templates/auth_error.html +++ b/templates/auth_error.html @@ -5,7 +5,7 @@ {% if config.get("B2C_RESET_PASSWORD_AUTHORITY") and "AADB2C90118" in result.get("error_description") %} - + {% endif %} diff --git a/templates/index.html b/templates/index.html index 1211594..911c834 100644 --- a/templates/index.html +++ b/templates/index.html @@ -12,7 +12,7 @@
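Review bot: `_build_auth_code_flow` returns a dict that the caller must keep in the session and hand back unchanged to acquire_token_by_auth_code_flow, but the function carries no documentation saying so; a docstring such as `"""Start an auth-code flow; the returned dict (auth_uri, state and the other per-flow values) must be stored server-side in the session and passed back to acquire_token_by_auth_code_flow on the redirect."""` would make that contract explicit. Dropping the `state` parameter is consistent with the MSAL flow now generating it, but the jinja global updated in the following hunk still exposes the function to templates, so any template call that passed `state=` would now fail (the template hunks in this diff are too garbled here to confirm whether one exists). The `_build_msal_app` call whose trailing arguments open this hunk starts outside it.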

Welcome {{ user.get("name") }}!

{% endif %} {% if config.get("B2C_PROFILE_AUTHORITY") %} -
  • Edit Profile
  • +
  • Edit Profile
  • {% endif %}
  • Logout
  • diff --git a/templates/login.html b/templates/login.html index b3647a7..5da4745 100644 --- a/templates/login.html +++ b/templates/login.html @@ -9,7 +9,7 @@

    Microsoft Identity Python Web App

  • Sign In
  • {% if config.get("B2C_RESET_PASSWORD_AUTHORITY") %} -
  • Reset Password
  • +
  • Reset Password
  • {% endif %}