OAuth Authentication using Python, REST and Azure AD

  • Article

Azure Active Directory (Azure AD) uses OAuth 2.0 to enable you to authorize access to web applications and web APIs in your Azure AD tenant. (ref: https://msdn.microsoft.com/en-us/library/azure/dn645545.aspx)

This post is paired with the full Django/Python-based code sample posted on github: https://github.com/sebastus/azure-python-authenticate.  By using a non-Microsoft stack, I show the general applicability of Azure AD to serve your authentication needs.  For what it’s worth, I’m not a Python developer.  I learned the bare minimum necessary to demonstrate these techniques.  Feel free to submit pull requests to improve the code.

The Problem

You are an application author needing to allow companies to easily sign up their users to use your application services.  Your company maintains an Azure AD tenant and you want other companies with Azure AD tenants (each having multiple users, and of which there are many thousands) to be able to access your app with a minimal amount of effort.  You may offer web services and want other companies to be able to authenticate their applications’ access to those services.  Your application and/or services is not necessarily on the Microsoft stack.  It may or not be running on Microsoft Azure.

But it goes beyond just doing the OAuth dance.  Another reason this is an interesting problem is not all that obvious: your customer may be authenticating into other Azure AD-authenticated applications.  And in the case of authenticating with their Microsoft Account (which may be a member of multiple Azure AD tenants), how do you know which Azure AD tenant they intend to use?  There’s not necessarily a one-to-one relationship between the user’s credentials and the apps/services they want to connect to.  Vittorio Bertocci’s blog sets out these concerns very nicely.

The Solution

OAuth 2.0 is the industry standard approach to solving this problem.  RESTful APIs inherent to OAuth 2.0 grant the broadest possible applicability.  This together with the configuration options in the Azure AD portal (part of the Microsoft Azure portal) allows you to combine your REST code with the metadata necessary to complete the solution.  The source code in the paired github library demonstrates this.

Two pathways are demonstrated:
1. Your customers’ users authenticate using their Azure AD credentials.
2. Your customers’ users authenticate using the Microsoft Account (aka Live ID, Passport ID)

The code sample contains documentation for each step of the process.  I stop the process at each step so intermediate results can be examined easily. 

Cheers!