Integrate Flask Web Apps with Microsoft 365 Login


Setting Up Microsoft 365 Authentication

When building web applications for educational use, integrating institutional resources such as Microsoft 365 email can improve the user experience and simplify login. This integration is especially helpful when an app must comply with university IT policies that restrict registering applications with university credentials.

In that case, it makes sense to register the application with a personal Microsoft Azure account. Difficulties can still occur, for example when a user with a university email address cannot access the tenant's portal. This calls for a way to manage user accounts across tenants without weakening the security or operation of the application.

Command Description

oauth.remote_app()
    Initializes a new remote application instance for OAuth, which handles all communication with the OAuth provider.
flask_oauthlib.client.OAuth
    A Flask extension that integrates OAuth service providers and handles authentication over the OAuth protocol.
authorized_response()
    A Flask-OAuthlib method that retrieves the provider's authorization response inside the callback view.
session['oauth_token']
    Stores the OAuth token in the Flask session for later requests; essential for maintaining the user's session and authentication state.
microsoft.authorize()
    Sends the user to the OAuth provider's authorization URL so they can approve the application.
url_for()
    A Flask utility that builds the URL for a named view function; useful when constructing redirect and callback URLs.

An explanation of the Microsoft 365 Authentication Integration using Flask

Integrating Microsoft 365 login into a Flask web application is split between a frontend and a backend script. The frontend is a plain HTML page whose button calls a JavaScript function, loginWithMicrosoft(), that changes the window location to the Flask-managed backend route and so hands the user over for authentication. The backend uses Flask and Flask-OAuthlib to drive the OAuth flow with Microsoft's identity platform.

On the backend, oauth.remote_app() registers the application's credentials and Microsoft's OAuth endpoints. microsoft.authorize() starts the authentication procedure by sending the user to Microsoft's authorization page. After the user signs in and grants the requested permissions, the OAuth provider redirects them back to the callback URL produced by url_for('authorized'). The callback view calls authorized_response(), which obtains the access token used to confirm authentication and keep the user's session alive.

Microsoft 365 Authentication Interface Frontend

Frontend uses JavaScript and HTML

<html>
<head>
<title>Login with Microsoft</title>
</head>
<body>
<button onclick="loginWithMicrosoft()">Sign In with Microsoft</button>
<script>
function loginWithMicrosoft() {
    // Must match the Flask login route that starts the OAuth flow.
    window.location.href = '/login';
}
</script>
</body>
</html>

Microsoft 365 Backend Authentication Flow

Backend using Flask and Python

import os

from flask import Flask, url_for, session, request
from flask_oauthlib.client import OAuth

app = Flask(__name__)
# Read secrets from the environment instead of hard-coding them in source.
app.secret_key = os.environ.get('FLASK_SECRET_KEY', 'development')
oauth = OAuth(app)

microsoft = oauth.remote_app(
    'microsoft',
    consumer_key=os.environ.get('MS_APP_ID', 'YOUR_APP_ID'),
    consumer_secret=os.environ.get('MS_APP_SECRET', 'YOUR_APP_SECRET'),
    request_token_params={'scope': 'User.Read'},
    base_url='https://graph.microsoft.com/v1.0/',
    request_token_url=None,   # OAuth 2.0 has no request-token step
    access_token_method='POST',
    access_token_url='https://login.microsoftonline.com/common/oauth2/v2.0/token',
    authorize_url='https://login.microsoftonline.com/common/oauth2/v2.0/authorize'
)

@app.route('/')
def index():
    return '<h1>Welcome to the Flask App</h1>' + '<a href="/login">Login with Microsoft</a>'

@app.route('/login')
def login():
    # Send the user to Microsoft's authorization page. The callback URL must
    # match a redirect URI registered for the app in Azure.
    return microsoft.authorize(callback=url_for('authorized', _external=True))

@app.route('/login/authorized')
def authorized():
    response = microsoft.authorized_response()
    if response is None or response.get('access_token') is None:
        # Use .get(): the provider does not always include these parameters.
        return 'Access denied: reason={0} error={1}'.format(
            request.args.get('error'), request.args.get('error_description'))
    # Flask-OAuthlib's tokengetter expects a (token, secret) tuple.
    session['oauth_token'] = (response['access_token'], '')
    # Identify the user through Microsoft Graph rather than echoing the token.
    me = microsoft.get('me')
    return 'Logged in as {0}'.format(me.data.get('displayName'))

@microsoft.tokengetter
def get_microsoft_oauth_token():
    return session.get('oauth_token')

if __name__ == '__main__':
    app.run(debug=True)

Advanced Configuration in Flask for Microsoft 365 Authentication

To solve the problem of integrating Microsoft 365 login without a university-managed email, it is essential to understand multi-tenant applications in Azure. A multi-tenant application lets users from many Azure AD tenants access the app, which suits educational settings where students may have emails from different domains. Setting 'signInAudience' in the application manifest to 'AzureADMultipleOrgs' configures the Azure application to accept sign-ins from any Azure AD tenant.

With this configuration change, students can use their university emails even though the application was first registered with a personal email. It also simplifies management, since the developer no longer has to add each user to the tenant individually. The approach relies on Azure's flexible identity management to make educational apps more accessible and easier to integrate.
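Because the 'common' endpoint accepts sign-ins from any Azure AD tenant, the application itself has to decide which tenants it trusts. The following is an added example, not code from the original page: it assumes the 'openid' scope was requested so that the token response carries an id_token, reads its 'tid' and 'iss' claims, and checks them against an allow-list; the tenant ids are constructed placeholders.

```python
import base64
import json

# Constructed placeholder; replace with your institution's tenant id.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def id_token_claims(id_token):
    """Return the payload claims of a compact JWT without checking its signature.

    Acceptable only for a token received directly from the token endpoint over
    TLS; a token that arrives any other way must first be verified against
    Microsoft's published JWKS.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def tenant_allowed(id_token, allowed=ALLOWED_TENANTS):
    """True if the token's tenant is allow-listed and the issuer names that tenant."""
    claims = id_token_claims(id_token)
    tid = claims.get("tid")
    if tid not in allowed:
        return False
    return claims.get("iss") == "https://login.microsoftonline.com/{0}/v2.0".format(tid)


def make_unsigned_token(claims):
    """Build a constructed, unsigned JWT for local testing only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```

In the callback view, call tenant_allowed(response.get('id_token', '')) before storing anything in the session and reject the login when it returns False.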

Frequent Questions Regarding Flask Apps' Integration with Microsoft 365

  1. What is multi-tenant authentication for Azure AD?
     Azure AD multi-tenant authentication lets an application serve users from more than one Azure AD tenant, not just the tenant in which it was registered.
  2. How should my Flask application be set up for Azure multi-tenant?
     To allow sign-ins from any Azure AD tenant, change the application registration in Azure by setting 'signInAudience' in the manifest.
  3. What advantages does oauth.remote_app() offer in Flask?
     It manages the OAuth flow, including retrieving and storing tokens, which makes connecting to OAuth providers easier.
  4. Why might a user see an error saying the tenant does not have their account?
     This usually happens when the user is not registered as an external user in the tenant or when the application is not configured for multi-tenant access.
  5. How can I handle problems that arise in Flask during authentication?
     Add error handling around authorized_response() to detect and respond to conditions such as a missing token or a denied authorization.

Final Thoughts on the Integration of Microsoft 365 Authentication

In conclusion, integrating Microsoft 365 login into a Flask application without a university email involves registering an Azure application with personal credentials and configuring it for multi-tenant access. This method works around any limits universities place on using official emails to register applications, and it also makes it easier for users from multiple tenants to log in. By following OAuth best practices and handling errors properly, developers can offer a seamless and safe user experience.