Quickstart: Add sign-in with Microsoft to a Python web app

In this quickstart, you'll learn how to integrate a Python web application with the Microsoft identity platform. Your app will sign in a user, obtain an access token for the Microsoft Graph API, and use that token to make a request to Microsoft Graph.

When you've completed the guide, your application will accept sign-ins of work or school accounts from any company or organization that uses Azure Active Directory. (See How the sample works for an illustration.)

Prerequisites

To run this sample, you will need:

Register and download your quickstart app

You have two options to start your quickstart application: express (Option 1) and manual (Option 2).

Option 1: Register and auto-configure your app, then download your code sample

  1. Go to the Azure portal - App registrations.
  2. Select New registration.
  3. Enter a name for your application and select Register.
  4. Follow the instructions to download and automatically configure your new application.

Option 2: Register and manually configure your application and code sample

Step 1: Register your application

To register your application and add the app's registration information to your solution manually, follow these steps:

  1. Sign in to the Azure portal using a work or school account.

  2. If your account gives you access to more than one tenant, select your account in the top right corner, and set your portal session to the desired Azure AD tenant.

  3. Navigate to the Microsoft identity platform for developers App registrations page.

  4. Select New registration.

  5. When the Register an application page appears, enter your application's registration information:

    • In the Name section, enter a meaningful application name that will be displayed to users of the app, for example python-webapp.
    • Under Supported account types, select Accounts in any organizational directory.
    • In the Redirect URI section, select the Web platform in the drop-down list, and then set the value to http://localhost:5000/getAToken. The identity platform only accepts a redirect URI that matches the registered value exactly, and it allows plain http only for localhost, so use this exact string in the sample's configuration and an https URI for anything that is not a local test.
    • Select Register. On the app Overview page, note the Application (client) ID value for later use.
  6. On the left-hand menu, choose Certificates & secrets and click New client secret in the Client secrets section:

    • Type a key description (for instance, app secret).
    • Select a key duration of 1 year.
    • When you click Add, the key value is displayed.
    • Copy the value of the key. You will need it later, and the portal does not show it again once you leave the page.
  7. Select the API permissions section:

    • Click the Add a permission button, then
    • Ensure that the Microsoft APIs tab is selected.
    • In the Commonly used Microsoft APIs section, click Microsoft Graph.
    • In the Delegated permissions section, ensure that the right permission is checked: User.ReadBasic.All. Use the search box if necessary.
    • Select the Add permissions button.

Step 1 (Option 1): Configure your application in the Azure portal

If you chose the express option, the portal performs this step for you. For the code sample for this quickstart to work, the registration needs:

  1. A reply (redirect) URL of http://localhost:5000/getAToken.
  2. A client secret.
  3. The Microsoft Graph API's User.ReadBasic.All delegated permission.

Step 2: Download your project

Download the project and extract the zip file to a local folder close to the root of the drive, for example C:\Azure-Samples (a short path avoids path-length problems on Windows).

Step 3: Configure the application

  1. If you haven't already, extract the zip file to a local folder close to the root of the drive, for example C:\Azure-Samples.
  2. If you use an integrated development environment, open the sample in your favorite IDE (optional).
  3. Open the app_config.py file, which can be found in the root folder, and replace its values with the following code snippet:

    CLIENT_ID = "Enter_the_Application_Id_here"
    CLIENT_SECRET = "Enter_the_Client_Secret_Here"
    AUTHORITY = "https://login.partner.microsoftonline.cn/Enter_the_Tenant_Name_Here"

Where:

  • Enter_the_Application_Id_here is the Application (client) ID of the application you registered.
  • Enter_the_Client_Secret_Here is the client secret you created under Certificates & secrets for the application you registered.
  • Enter_the_Tenant_Name_Here is the Directory (tenant) ID of the application you registered (a verified domain name of the tenant also works here).


Step 4: Run the code sample

  1. Install the MSAL Python library, the Flask framework, Flask-Session (for server-side session management) and requests, using pip as follows:

    pip install -r requirements.txt

  2. Run app.py from a shell or command line:

    python app.py


    Important

    This quickstart application uses a client secret to identify itself as a confidential client. Because the client secret is added in plain text to your project files, for security reasons it is recommended that you use a certificate instead of a client secret before considering the application production-ready, and that in the meantime you keep the secret out of source control (for example by loading it from an environment variable rather than from app_config.py). For more information on how to use a certificate, see these instructions.
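The note above recommends keeping the client secret out of plain-text project files, and the configuration step before it leaves three placeholder strings that must be replaced. As an added example (not part of the quickstart's sample code), the following standard-library-only Python loads the same settings, plus the redirect URI, from environment variables instead of app_config.py, and refuses to start with a placeholder still in place, an authority that is not https or not a known login host, or a redirect URI that is not the exact registered value. The environment-variable names, the ConfigError class and the EXAMPLE_ENV values are assumptions of this example; the IDs in it are not real.

```python
import os
import re
from urllib.parse import urlsplit

# Assumed environment-variable names for this example; the quickstart's app_config.py
# hard-codes the same values as plain-text module constants instead.
REQUIRED_KEYS = ("CLIENT_ID", "CLIENT_SECRET", "AUTHORITY", "REDIRECT_URI")

# The placeholder strings from the quickstart's app_config.py snippet; starting with
# any of them still in place is a configuration bug, not a credential.
PLACEHOLDERS = {
    "Enter_the_Application_Id_here",
    "Enter_the_Client_Secret_Here",
    "Enter_the_Tenant_Name_Here",
}

# Login hosts for the Azure China (21Vianet) and global clouds; any other host means the
# app would send its client secret and authorization codes somewhere unexpected.
ALLOWED_AUTHORITY_HOSTS = {"login.partner.microsoftonline.cn", "login.microsoftonline.com"}

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DOMAIN_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$", re.I)

# Constructed sample environment (IDs are not real); a real app passes os.environ instead.
EXAMPLE_ENV = {
    "CLIENT_ID": "11111111-2222-3333-4444-555555555555",
    "CLIENT_SECRET": "constructed-secret-value",
    "AUTHORITY": "https://login.partner.microsoftonline.cn/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/",
    "REDIRECT_URI": "http://localhost:5000/getAToken",
}


class ConfigError(ValueError):
    """Assumed exception type: the app must not start with the supplied settings."""


def validate_authority(authority):
    """Require https, a known login host and a single tenant segment (GUID or domain)."""
    parts = urlsplit(authority)
    if parts.scheme != "https":
        raise ConfigError("AUTHORITY must use https, got %r" % parts.scheme)
    if parts.hostname not in ALLOWED_AUTHORITY_HOSTS:
        raise ConfigError("AUTHORITY host %r is not a known login endpoint" % parts.hostname)
    tenant = parts.path.strip("/")
    if not (GUID_RE.match(tenant) or DOMAIN_RE.match(tenant)):
        raise ConfigError("AUTHORITY path must be the tenant ID or a verified domain, got %r" % tenant)
    # Canonical form: https://<host>/<tenant> with no trailing slash.
    return "https://%s/%s" % (parts.hostname, tenant)


def validate_redirect_uri(uri, registered):
    """The token endpoint compares redirect_uri with the registered value exactly; do the same here."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        raise ConfigError("REDIRECT_URI must be http(s), got %r" % parts.scheme)
    if parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
        raise ConfigError("plain http redirect URIs are only acceptable for localhost")
    if uri != registered:
        raise ConfigError("REDIRECT_URI %r does not match the registered %r" % (uri, registered))
    return uri


def load_config(env=os.environ, registered_redirect_uri="http://localhost:5000/getAToken"):
    """Build the settings dict from env, failing closed on anything that looks unconfigured."""
    cfg = {}
    for key in REQUIRED_KEYS:
        value = env.get(key, "").strip()
        if not value or value in PLACEHOLDERS:
            raise ConfigError("%s is missing or still set to its placeholder" % key)
        cfg[key] = value
    if not GUID_RE.match(cfg["CLIENT_ID"]):
        raise ConfigError("CLIENT_ID must be the Application (client) ID GUID from the portal")
    cfg["AUTHORITY"] = validate_authority(cfg["AUTHORITY"])
    cfg["REDIRECT_URI"] = validate_redirect_uri(cfg["REDIRECT_URI"], registered_redirect_uri)
    return cfg


def describe_config_problem(env):
    """Return None when env is acceptable, otherwise the reason it was rejected."""
    try:
        load_config(env)
    except ConfigError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(load_config(EXAMPLE_ENV))
```

With this in place the secret never sits in a file that gets committed, and a deployment that still carries a placeholder, or points the authority at the wrong cloud, fails at startup instead of at the first sign-in.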

More information

How the sample works

(Diagram: how the sample app generated by this quickstart works.)

Getting MSAL

MSAL is the library used to sign in users and request tokens used to access an API protected by the Microsoft identity platform. You can add MSAL Python to your application using pip:

pip install msal

MSAL initialization

You can add the reference to MSAL Python by adding the following code to the top of the file where you will be using MSAL:

import msal
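The sample's /getAToken route is where the authorization-code response from the identity platform arrives, and the checks that make that route safe (an unguessable state bound to the server-side session, a one-shot flow record so a replayed redirect is rejected, and a PKCE verifier) are what MSAL's initiate_auth_code_flow() and acquire_token_by_auth_code_flow() perform for you. The block below is an added example, not the quickstart's own code, that implements those checks with the standard library only so the logic is visible and runs offline: the session is a plain dict standing in for the Flask-Session store, the AUTHORITY and CLIENT_ID values and the AuthFlowError name are constructed, and the token request body is returned rather than POSTed to the token endpoint.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values standing in for app_config.py; the tenant and client IDs are not real.
AUTHORITY = "https://login.partner.microsoftonline.cn/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REDIRECT_URI = "http://localhost:5000/getAToken"  # must equal the registered redirect URI
SCOPES = ["User.ReadBasic.All"]                    # the delegated Graph permission added in Step 1


class AuthFlowError(Exception):
    """Assumed exception type: raised when the redirect must be rejected."""


def b64url(data):
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier):
    """S256 code_challenge for a code_verifier."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_login(session):
    """Record state and PKCE verifier in the server-side session; return the authorize URL."""
    flow = {
        "state": secrets.token_urlsafe(32),          # unguessable, tied to this session only
        "code_verifier": secrets.token_urlsafe(64),  # 86 chars, within PKCE's 43..128 limit
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
    }
    session["auth_flow"] = flow
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": flow["redirect_uri"],
        "response_mode": "query",
        "scope": flow["scope"],
        "state": flow["state"],
        "code_challenge": pkce_challenge(flow["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORITY + "/oauth2/v2.0/authorize?" + urlencode(params)


def handle_redirect(session, request_url):
    """Validate the response that arrived at /getAToken; return the token-request body."""
    # pop() makes the flow record one-shot: a replayed or duplicated redirect finds nothing.
    flow = session.pop("auth_flow", None)
    if flow is None:
        raise AuthFlowError("no login in progress for this session")
    query = parse_qs(urlsplit(request_url).query)
    state = query.get("state", [""])[0]
    # Constant-time comparison of the returned state with the one this session issued.
    if not secrets.compare_digest(state.encode("utf-8"), flow["state"].encode("utf-8")):
        raise AuthFlowError("state mismatch: redirect was not started by this session")
    if "error" in query:
        raise AuthFlowError("authorization failed: %s" % query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise AuthFlowError("redirect carried no authorization code")
    # What would be POSTed to AUTHORITY + "/oauth2/v2.0/token"; the confidential client adds
    # its client_secret (or a certificate assertion) to this body when it sends the request.
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": flow["redirect_uri"],
        "code_verifier": flow["code_verifier"],
        "scope": flow["scope"],
    }


def redirect_outcome(session, request_url):
    """Convenience wrapper: ('ok', token_request_body) or ('rejected', reason)."""
    try:
        return "ok", handle_redirect(session, request_url)
    except AuthFlowError as exc:
        return "rejected", str(exc)
```

The reason the flow record lives in the server-side session rather than in a cookie the browser can read is the same reason the sample installs Flask-Session: the state and code_verifier are only useful as a CSRF and code-injection defence if the attacker who can make the victim's browser visit /getAToken cannot also choose those values.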

Next steps

Learn more about web apps that sign in users and then call web APIs:

Help and support

If you need help, want to report an issue, or want to learn more about your support options, see the following article: