azure-samples / ms-identity-python-flask-webapp-authentication Goto Github PK

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

1. install the dependent packages in a virtual environment

   cd <project-root-directory> # the folder into which you cloned the code
   python3 -m venv venv # only required if you don't have a venv already
   source venv/bin/activate
   pip install -r requirements.txt

2. run the app on Linux

   . .\run.flask.dev.ps1

Any log messages given by the failure

Traceback (most recent call last):
  File "/prac-msgraph/ms-identity-python-flask-webapp-authentication/venv/bin/flask", line 5, in <module>
    from flask.cli import main
  File "/prac-msgraph/ms-identity-python-flask-webapp-authentication/venv/lib/python3.8/site-packages/flask/__init__.py", line 14, in <module>
    from jinja2 import escape
  File "/prac-msgraph/ms-identity-python-flask-webapp-authentication/venv/lib/python3.8/site-packages/jinja2/__init__.py", line 12, in <module>
    from .environment import Environment
  File "/prac-msgraph/ms-identity-python-flask-webapp-authentication/venv/lib/python3.8/site-packages/jinja2/environment.py", line 25, in <module>
    from .defaults import BLOCK_END_STRING
  File "/prac-msgraph/ms-identity-python-flask-webapp-authentication/venv/lib/python3.8/site-packages/jinja2/defaults.py", line 3, in <module>
    from .filters import FILTERS as DEFAULT_FILTERS  # noqa: F401
  File "/prac-msgraph/ms-identity-python-flask-webapp-authentication/venv/lib/python3.8/site-packages/jinja2/filters.py", line 13, in <module>
    from markupsafe import soft_unicode
ImportError: cannot import name 'soft_unicode' from 'markupsafe' (/prac-msgraph/ms-identity-python-flask-webapp-authentication/venv/lib/python3.8/site-packages/markupsafe/__init__.py)

Expected/desired behavior

The app could start succeessfully

OS and Version

Ubuntu Linux 20.04

Mention any other details that might be useful

I found the MarkupSafe package installed is of version 2.1.1. After downgrading it to version 2.0.1 and restart the app, it works!

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting

when session is expired, I can copy another session=... value from an authentificated cookie which is not expired and from another used, paste it in my cookie and refresh, which then leads to a successful login.

Minimal steps to reproduce

implementation of this example with an app registration and other pre-requisites.

Expected/desired behavior

this should not work, or session authentification / authorization should not have been used as an exmaple.
I would like to use flask and msal with users from the same tenant, same roles etc, without this being possible.

OS and Version?

azure app service (linux with gunicorn startup command) and locally with python flask run on windows machine. Happens in all kinds of browsers tried: firefox, edge, chrome

Versions

Mention any other details that might be useful

---

Thanks! We'll be in touch soon.

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [x ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Log in microsoft account, close browser and reconnect

Any log messages given by the failure

N/A

Expected/desired behavior

Is there a method to verify whether a user is still logged in, via a request with their token details? If a user logs in with their microsoft account, closes the browser and then reconnects to the flask app, I can't find a method to verify if they're still logged in. Such that, they will be in a different state if they choose to 'stay logged in' or not. Whereas, the flask app's g.identity_context_data variable still sees them as logged in, regardless. So i was hoping to find a way to send a request to verify whether the user's token details are still valid / check if they're still logged in.

OS and Version?

N/A

Versions

N/A

Mention any other details that might be useful

---

Thanks! We'll be in touch soon.

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

I went through the tutorial, line by line. When I got to the step of running the code, I got the expected splash screen in my browser, with a green button in the top left to Sign In. When I click on that button, I get an error noted below. I get the same error with both options "Yes" or "No" from the Azure portal configuration "Allow public client flows".

Any log messages given by the failure

ms_identity_web.errors.TokenExchangeError: _process_result: auth failed: token request resulted in error
invalid_client: AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented.
Trace ID: 594bc797-111f-440f-a6f5-319836c00201
Correlation ID: a5e8bdb2-f6c8-43e8-8b70-168facbe19a5
Timestamp: 2023-05-09 23:58:04Z

Expected/desired behavior

I would expect to be able to log in

OS and Version?

Windows10

Versions

Mention any other details that might be useful

---

Thanks! We'll be in touch soon.

Please provide us with the following information:

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

When leave the web open on browser after an hour, or open the browser; the web sometimes does GET //auth/redirect? and it shows an Internal Server Error.

Any log messages given by the failure

| [2022-09-12 18:35:48,924] ERROR in init: process_auth_redirect: security violation ('Failed to match request state with session state',)
backend | [2022-09-12 18:35:48,925] ERROR in app: Exception on /auth/redirect [GET]
backend | Traceback (most recent call last):
backend | File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 2525, in wsgi_app
backend | response = self.full_dispatch_request()
backend | File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1822, in full_dispatch_request
backend | rv = self.handle_user_exception(e)
backend | File "/usr/local/lib/python3.8/site-packages/flask_cors/extension.py", line 165, in wrapped_function
backend | return cors_after_request(app.make_response(f(*args, **kwargs)))
backend | File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1820, in full_dispatch_request
backend | rv = self.dispatch_request()
backend | File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1796, in dispatch_request
backend | return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
backend | File "/usr/local/lib/python3.8/site-packages/ms_identity_web/flask_blueprint/init.py", line 44, in aad_redirect
backend | return id_web.process_auth_redirect(redirect_uri=url_for('.aad_redirect',_external=True),
backend | File "/usr/local/lib/python3.8/site-packages/ms_identity_web/init.py", line 40, in assert_adapter
backend | return f(self, *args, **kwargs)
backend | File "/usr/local/lib/python3.8/site-packages/ms_identity_web/init.py", line 127, in process_auth_redirect
backend | raise ase
backend | File "/usr/local/lib/python3.8/site-packages/ms_identity_web/init.py", line 105, in process_auth_redirect
backend | self._verify_state(req_params)
backend | File "/usr/local/lib/python3.8/site-packages/ms_identity_web/init.py", line 40, in assert_adapter
backend | return f(self, *args, **kwargs)
backend | File "/usr/local/lib/python3.8/site-packages/ms_identity_web/init.py", line 259, in _verify_state
backend | raise AuthSecurityError("Failed to match request state with session state")
backend | ms_identity_web.errors.AuthSecurityError: Failed to match request state with session state
backend | 150.172.230.173 - - [12/Sep/2022 18:35:48] "GET //auth/redirect?

Expected/desired behavior

Use the session cokies.

OS and Version?

Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)

Versions

Mention any other details that might be useful

---

Thanks! We'll be in touch soon.

I enabled the require user assignment and restricted access to some users, works well with authorized users.
Not authorized users receive the "internal server error" page

this is the server log:
[2021-01-20 07:59:23,051] ERROR in app: Exception on /auth/redirect [GET]
Traceback (most recent call last):
File "C:\Program Files (x86)\Python37-32\lib\site-packages\flask\app.py", line 2292, in wsgi_app
response = self.full_dispatch_request()
File "C:\Program Files (x86)\Python37-32\lib\site-packages\flask\app.py", line 1815, in full_dispatch_request
rv = self.handle_user_exception(e)
File "C:\Program Files (x86)\Python37-32\lib\site-packages\flask\app.py", line 1718, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "C:\Program Files (x86)\Python37-32\lib\site-packages\flask_compat.py", line 35, in reraise
raise value
File "C:\Program Files (x86)\Python37-32\lib\site-packages\flask\app.py", line 1813, in full_dispatch_request
rv = self.dispatch_request()
File "C:\Program Files (x86)\Python37-32\lib\site-packages\flask\app.py", line 1799, in dispatch_request
return self.view_functionsrule.endpoint
File "C:\Program Files (x86)\Python37-32\lib\site-packages\ms_identity_web\flask_blueprint_init_.py", line 45, in aad_redirect
afterwards_go_to_url=post_sign_in_url)
File "C:\Program Files (x86)\Python37-32\lib\site-packages\ms_identity_web_init_.py", line 40, in assert_adapter
return f(self, *args, **kwargs)
File "C:\Program Files (x86)\Python37-32\lib\site-packages\ms_identity_web_init_.py", line 131, in process_auth_redirect
raise oae
File "C:\Program Files (x86)\Python37-32\lib\site-packages\ms_identity_web_init_.py", line 108, in process_auth_redirect
self.parse_redirect_errors(req_params)
File "C:\Program Files (x86)\Python37-32\lib\site-packages\ms_identity_web_init.py", line 213, in _parse_redirect_errors
raise OtherAuthError("Unknown error while parsing redirect")
ms_identity_web.errors.OtherAuthError: Unknown error while parsing redirect

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [X ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

On Azure application properties Enable "User assignment required"

Expected/desired behavior

Page like "you don't have access to the application"

OS and Version?

Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)
W10

Versions

python 3.7