This example shows:
- how to configure an API to require access tokens issued by Azure Active Directory
- how to obtain access tokens for a confidential client (meaning an application that is able to handle secrets), running as a background worker or daemon, without user interaction
- `server.py` contains the server definition that requires and validates access tokens.
- `client_using_secret.py` contains a client definition that, using MSAL for Python, obtains access tokens using the client credentials flow with a secret, and calls the server.
- `client_using_certificate.py` contains a client definition that, using MSAL for Python, obtains access tokens using the client credentials flow with a certificate, and calls the server. Refer to the information under the `certs` folder for a reference on how to generate valid certificates for Azure Active Directory.
- `client_http_example.py` shows an example using the client credentials flow with a secret via an HTTP POST request to the token endpoint, without using MSAL for Python.
The following scheme describes the flow of this example.
- Client is the application running as daemon, connecting to the API
- AAD is Azure Active Directory
- API is the web application exposing an API and requiring access tokens
To run the example using the secret:
- configure app registrations in an Azure Active Directory tenant
- create a `.env` file with appropriate values, like in the example below, or alternatively configure the environment variables as in the same example
- create a Python virtual environment and install the dependencies in `requirements.txt`
- activate the virtual environment in two terminals, then:
  - run the server in one terminal: `python server.py`
  - run the client file in another terminal: `python client_using_secret.py`
The client file should display that an access token is obtained successfully from Azure Active Directory and a call to the running server was successful.
`http_example.py` shows an example of how the client credentials flow with a secret can be used over plain HTTP, without using MSAL for Python.
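The token request that the HTTP example makes, written out as an added example using only the standard library (this is not the repository's `client_http_example.py`). It reads the `AAD_AUTHORITY`, `APP_CLIENT_ID`, `APP_CLIENT_SECRET` and `APP_CLIENT_SCOPE` names from the `.env` block in this README; `API_URL` is an assumed variable, because the README does not state the server's address.

```python
"""Client credentials grant against the Azure AD v2.0 token endpoint.

Added example, not the repository's own client_http_example.py. Assumes the
.env variable names used in this README; API_URL is an assumption.
"""
import json
import os
import urllib.parse
import urllib.request


def token_endpoint(authority: str) -> str:
    """Map AAD_AUTHORITY ("https://login.microsoftonline.com/<tenant>/")
    to that tenant's v2.0 token endpoint."""
    return authority.rstrip("/") + "/oauth2/v2.0/token"


def build_token_request(authority: str, client_id: str,
                        client_secret: str, scope: str):
    """Return (url, body, headers) for the client_credentials POST.

    A daemon using the v2.0 endpoint may only request "<resource>/.default"
    (as APP_CLIENT_SCOPE shows); a wrong scope is rejected here instead of by
    AAD after a round trip.
    """
    if not scope.endswith("/.default"):
        raise ValueError("client credentials scope must end with /.default")
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    body = urllib.parse.urlencode(form).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return token_endpoint(authority), body, headers


def fetch_token(authority: str, client_id: str, client_secret: str,
                scope: str, timeout: int = 10) -> str:
    """POST the request and return the access token (network call)."""
    url, body, headers = build_token_request(authority, client_id,
                                             client_secret, scope)
    request = urllib.request.Request(url, data=body, headers=headers,
                                     method="POST")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        payload = json.loads(response.read().decode("utf-8"))
    if "access_token" not in payload:
        # AAD reports failures as {"error": ..., "error_description": ...};
        # the secret itself is never echoed, only the description is raised.
        raise RuntimeError(payload.get("error_description",
                                       "no access_token in response"))
    return payload["access_token"]


def call_api(api_url: str, access_token: str, timeout: int = 10) -> bytes:
    """Call the protected API, presenting the token as a Bearer credential."""
    request = urllib.request.Request(
        api_url, headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read()


if __name__ == "__main__":
    # Values come from the environment (python-dotenv can load them from .env).
    token = fetch_token(
        os.environ["AAD_AUTHORITY"],
        os.environ["APP_CLIENT_ID"],
        os.environ["APP_CLIENT_SECRET"],
        os.environ["APP_CLIENT_SCOPE"],
    )
    print(call_api(os.environ["API_URL"], token))  # API_URL is assumed
```

The secret travels only in the form body of a TLS request to the authority; it never appears in the URL, so it does not end up in proxy or server access logs.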
To configure application settings to run these examples, create a `.env` file with contents like in the following block:

```
# Server configuration
API_ISSUER="https://sts.windows.net/<YOUR_TENANT_ID>/"
API_AUDIENCE="<YOUR_API_AUDIENCE_OR_CLIENT_ID>"

# Client configuration
AAD_AUTHORITY="https://login.microsoftonline.com/<YOUR_TENANT_ID>/"
APP_CLIENT_ID="<YOUR_CLIENT_APP_CLIENT_ID>"
APP_CLIENT_SECRET="<YOUR_CLIENT_APP_SECRET>"
APP_CLIENT_SCOPE="<YOUR_API_APP_CLIENT_ID>/.default"

# For the example using a certificate:
APP_CLIENT_CERT_THUMBPRINT="<YOUR_CERT_THUMBPRINT>"
```
The `.env` file is read using python-dotenv when the examples are run.
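What the server side does with `API_ISSUER` and `API_AUDIENCE` once it has a bearer token, as an added example (not the repository's `server.py`). Validation is two stages: the token's signature must first be verified against the tenant's published signing keys, and only then are the claims checked. The block below covers the second stage with the standard library; the sample claims and the unsigned fixture token are constructed here for illustration.

```python
"""Claim checks an API performs on a bearer token before serving a request.

Added example, not the repository's server.py. Uses the API_ISSUER and
API_AUDIENCE placeholders from the .env block; sample values are constructed.
The signature must already have been verified against the tenant's signing
keys (JWKS) before any of these helpers are trusted.
"""
import base64
import json
import time
from typing import Optional, Tuple

# Placeholders as they appear in the .env block above (constructed sample values).
SAMPLE_ISSUER = "https://sts.windows.net/<YOUR_TENANT_ID>/"
SAMPLE_AUDIENCE = "<YOUR_API_AUDIENCE_OR_CLIENT_ID>"


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS (header.payload.signature).

    This does not verify anything; call it only on a token whose signature
    has already been checked.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims: dict, issuer: str, audience: str,
                 now: Optional[float] = None,
                 leeway: int = 60) -> Tuple[bool, str]:
    """Return (accepted, reason); stop at the first failing check.

    issuer  : API_ISSUER, pins the token to one tenant
    audience: API_AUDIENCE, pins it to this API rather than any AAD-issued token
    leeway  : seconds of clock skew tolerated on exp/nbf
    """
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        return False, "token expired or missing exp"
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        return False, "token not yet valid"
    return True, "ok"


def encode_claims(claims: dict) -> str:
    """Constructed fixture: header.payload with an EMPTY signature part, used
    only to exercise decode_jwt_payload offline. A real server rejects such a
    token at the signature stage, before check_claims ever runs."""
    def b64(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return b64({"alg": "RS256", "typ": "JWT"}) + "." + b64(claims) + "."


if __name__ == "__main__":
    sample = {"iss": SAMPLE_ISSUER, "aud": SAMPLE_AUDIENCE,
              "exp": 2000, "nbf": 900}
    print(check_claims(decode_jwt_payload(encode_claims(sample)),
                       SAMPLE_ISSUER, SAMPLE_AUDIENCE, now=1000))
```

Checking `iss` against the configured tenant is what stops a token issued by a different tenant from being accepted, and checking `aud` is what stops a token minted for some other API in the same tenant from being replayed against this one.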