Quickstart: Add sign-in with Microsoft to a Python web app

In this quickstart, you download and run a code sample that demonstrates how a Python web application can sign in users and get an access token to call the Microsoft Graph API. Users with an account in any Azure Active Directory (Azure AD) organization can sign in to the application.

See How the sample works for an illustration.

Prerequisites

Register and download your quickstart app

You have two options to start your quickstart application: express (Option 1) and manual (Option 2).

Option 1: Register and auto-configure your app, then download your code sample

  1. Go to the Azure portal - App registrations quickstart experience.
  2. Enter a name for your application and select Register.
  3. Follow the instructions to download and automatically configure your new application.

Option 2: Register and manually configure your application and code sample

Step 1: Register your application

To register your application and add the app's registration information to your solution manually, follow these steps:

  1. Sign in to the Azure portal.
  2. If you have access to multiple tenants, use the Directory + subscription filter in the top menu to select the tenant in which you want to register the application.
  3. Under Manage, select App registrations > New registration.
  4. Enter a Name for your application, for example python-webapp. Users of your app might see this name, and you can change it later.
  5. Under Supported account types, select Accounts in any organizational directory.
  6. Select Register.
  7. On the app Overview page, note the Application (client) ID value for later use.
  8. Under Manage, select Authentication.
  9. Select Add a platform > Web.
  10. Add http://localhost:5000/getAToken as the Redirect URI.
  11. Select Configure.
  12. Under Manage, select Certificates & secrets and, from the Client secrets section, select New client secret.
  13. Type a key description (for instance app secret), leave the default expiration, and select Add.
  14. Note the Value of the client secret for later use.
  15. Under Manage, select API permissions > Add a permission.
  16. Ensure that the Microsoft APIs tab is selected.
  17. From the Commonly used Microsoft APIs section, select Microsoft Graph.
  18. From the Delegated permissions section, ensure that the right permission is checked: User.ReadBasic.All. Use the search box if necessary.
  19. Select the Add permissions button.

Step 1: Configure your application in the Azure portal

For the code sample in this quickstart to work:

  1. Add a reply URL of http://localhost:5000/getAToken.
  2. Create a client secret.
  3. Add the Microsoft Graph API's User.ReadBasic.All delegated permission.


Step 2: Download your project

Download the project and extract the zip file to a local folder close to the root folder, for example C:\Azure-Samples.


Step 3: Configure the application

  1. Extract the zip file to a local folder close to the root folder, for example C:\Azure-Samples.
  2. If you use an integrated development environment, open the sample in your favorite IDE (optional).
  3. Open the app_config.py file, which can be found in the root folder, and replace its contents with the following code snippet:

    CLIENT_ID = "Enter_the_Application_Id_here"
    CLIENT_SECRET = "Enter_the_Client_Secret_Here"
    AUTHORITY = "https://login.partner.microsoftonline.cn/Enter_the_Tenant_Name_Here"

Where:

  • Enter_the_Application_Id_here is the Application (client) ID of the application you registered.
  • Enter_the_Client_Secret_Here is the client secret you created under Certificates & secrets for the application you registered.
  • Enter_the_Tenant_Name_Here is the Directory (tenant) ID value of the application you registered.

Step 3: Run the code sample

Step 4: Run the code sample

  1. You will need to install the MSAL Python library, the Flask framework, Flask-Session (for server-side session management) and requests using pip, as follows:

    pip install -r requirements.txt
    
  2. Run app.py from a shell or command line:

    python app.py
    

    Important

    This quickstart application uses a client secret to identify itself as a confidential client. Because the client secret is added as plain text to your project files, for security reasons it is recommended that you use a certificate instead of a client secret before treating the application as a production application. For more information on how to use a certificate, see these instructions.
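The Step 3 snippet above places the client ID, the client secret and the authority in app_config.py, and the note above explains why a plain-text secret in a project file is a weak credential. The following stdlib-only Python helper is an added example, not code from the quickstart or from the MSAL project: it reads the same three values from environment variables instead of a committed file, refuses to start while any of the snippet's placeholders is still in place, checks that the authority is an https URL on a known Microsoft identity host with a tenant ID or alias in its path, and prefers a certificate credential over a secret when one is configured. The environment variable names, the AppConfig and ConfigError classes, the helper names and the GUIDs in the sample input are assumptions made for this example; the only MSAL call, msal.ConfidentialClientApplication, is imported lazily so the checks run without the library installed.

```python
import os
import uuid
from dataclasses import dataclass
from typing import List, Mapping, Optional, Union
from urllib.parse import urlsplit

# Placeholders from the quickstart's app_config.py snippet: the app must refuse
# to start while any of them is still in place.
PLACEHOLDERS = {
    "Enter_the_Application_Id_here",
    "Enter_the_Client_Secret_Here",
    "Enter_the_Tenant_Name_Here",
}
# Authority hosts accepted here: the Azure China host used by the snippet above and
# the global Azure AD host (included for comparison; an assumption of this example).
ALLOWED_AUTHORITY_HOSTS = {"login.partner.microsoftonline.cn", "login.microsoftonline.com"}
TENANT_ALIASES = {"common", "organizations", "consumers"}
REDIRECT_PATH = "/getAToken"        # must match the redirect URI registered in Step 1
SCOPE = ["User.ReadBasic.All"]      # the delegated Graph permission granted in Step 1


@dataclass(frozen=True)
class AppConfig:
    client_id: str
    authority: str
    client_secret: Optional[str] = None
    cert_path: Optional[str] = None        # PEM private key file for a certificate credential
    cert_thumbprint: Optional[str] = None  # SHA-1 thumbprint of the certificate uploaded to the portal


class ConfigError(ValueError):
    """Raised when the configuration would fail at runtime or weaken security."""


def _is_guid(value: str) -> bool:
    # Accept only the canonical 8-4-4-4-12 form the portal displays.
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def config_problems(cfg: AppConfig) -> List[str]:
    """Return human-readable problems; an empty list means the config is usable."""
    problems = []
    if cfg.client_id in PLACEHOLDERS or not _is_guid(cfg.client_id):
        problems.append("CLIENT_ID must be the Application (client) ID GUID from the app Overview page")
    parts = urlsplit(cfg.authority)
    if parts.scheme != "https" or parts.netloc not in ALLOWED_AUTHORITY_HOSTS:
        problems.append("AUTHORITY must use https:// on a known Microsoft identity host")
    tenant = parts.path.strip("/")
    if tenant in PLACEHOLDERS or not (_is_guid(tenant) or tenant in TENANT_ALIASES):
        problems.append("AUTHORITY path must be the Directory (tenant) ID or a tenant alias")
    has_secret = bool(cfg.client_secret) and cfg.client_secret not in PLACEHOLDERS
    has_cert = bool(cfg.cert_path) and bool(cfg.cert_thumbprint)
    if not (has_secret or has_cert):
        problems.append("configure CLIENT_CERT_PATH + CLIENT_CERT_THUMBPRINT or a CLIENT_SECRET")
    return problems


def load_config(env: Mapping[str, str]) -> AppConfig:
    """Read settings from environment variables instead of a secret committed in app_config.py."""
    cfg = AppConfig(
        client_id=env.get("CLIENT_ID", ""),
        authority=env.get("AUTHORITY", ""),
        client_secret=env.get("CLIENT_SECRET"),
        cert_path=env.get("CLIENT_CERT_PATH"),
        cert_thumbprint=env.get("CLIENT_CERT_THUMBPRINT"),
    )
    problems = config_problems(cfg)
    if problems:
        raise ConfigError("; ".join(problems))
    return cfg


def client_credential(cfg: AppConfig) -> Optional[Union[str, dict]]:
    """Build the value passed to MSAL as client_credential.

    A certificate (private key plus thumbprint, the dict form MSAL Python accepts)
    is preferred over the plain-text secret, as the Important note above recommends."""
    if cfg.cert_path and cfg.cert_thumbprint:
        with open(cfg.cert_path, encoding="utf-8") as fh:
            return {"private_key": fh.read(), "thumbprint": cfg.cert_thumbprint}
    return cfg.client_secret


def build_msal_app(cfg: AppConfig):
    """Create the confidential client that the quickstart's app.py would use."""
    import msal  # imported lazily so the checks above run without the library installed
    return msal.ConfidentialClientApplication(
        cfg.client_id, authority=cfg.authority, client_credential=client_credential(cfg))


if __name__ == "__main__":
    cfg = load_config(os.environ)
    print("configuration OK:", cfg.client_id, "at", cfg.authority)
```

Failing fast on a leftover placeholder or a non-https authority turns a confusing redirect-time error into a clear startup message, and keeping the secret out of the repository means the plain-text value the note warns about never reaches version control.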

More information

How the sample works

Diagram showing how the sample app generated by this quickstart works.

Getting MSAL

MSAL is the library used to sign in users and request tokens used to access an API protected by the Microsoft identity platform. You can add MSAL Python to your application using pip.

pip install msal

MSAL initialization

You can add the reference to MSAL Python by adding the following code to the top of the file where you will be using MSAL:

import msal

Help and support

If you need help, want to report an issue, or want to learn about your support options, see Help and support for developers.

Next steps

Learn more about web apps that sign in users in our multi-part scenario series.