
A Python sample of a browserless app using the device code flow to get tokens to call Microsoft Graph API


russd2357/ms-identity-python-devicecodeflow

 
 


topic: sample
languages: python, azurepowershell
products: azure-active-directory, office-ms-graph
description: Python device code flow using MSAL Python to get an access token and call Microsoft Graph.

A simple Python device code flow application calling Microsoft Graph

About this sample

Overview

This sample application shows how to use the Microsoft identity platform endpoint to access the data of Microsoft customers. The device code flow can be used to authenticate a user and then call a web API, in this case Microsoft Graph.

The app can run as a Python Console Application. It gets the list of users in an Azure AD tenant by using Microsoft Authentication Library (MSAL) for Python to acquire a token.

Scenario

The application obtains tokens through a two-step process designed for devices and operating systems that cannot display any UX. Examples of such applications are applications running on IoT devices and command-line tools (CLI). The idea is that:


  1. Whenever user authentication is required, the command-line app provides a code and asks the user to use another device (such as an internet-connected smartphone) to navigate to https://microsoft.com/devicelogin, where the user will be prompted to enter the code. That done, the web page will lead the user through a normal authentication experience, including consent prompts and multi-factor authentication if necessary.


  2. Upon successful authentication, the command-line app receives the required tokens through a back channel and uses them to perform the web API calls it needs. In this case, the sample displays information about the user who signed in and their manager.

How to run this sample

To run this sample, you'll need:

Step 1: Clone or download this repository

From your shell or command line:

git clone https://github.com/Azure-Samples/ms-identity-python-devicecodeflow.git

Step 2: Register the sample with your Azure Active Directory tenant

Some registration is required for Microsoft to act as an authority for your application.

Choose the Azure AD tenant where you want to create your applications

  1. Sign in to the Azure portal.

If your account is present in more than one Azure AD tenant, select Directory + Subscription, which is an icon of a notebook with a filter next to the alert icon, and switch your portal session to the desired Azure AD tenant.

  1. Select Azure Active Directory from the left nav.
  2. Select App registrations from the new nav blade.

Register the client app

  1. On the App registrations page, select New registration.

  2. When the Register an application page appears, enter your application's registration information:

    • In the Name section, enter a meaningful application name that will be displayed to users of the app, for example device-code-sample.
    • In the Supported account types section, select the last option Accounts in any organizational directory and personal Microsoft accounts.
    • The device code flow does not need a redirect URI. Leave it blank.
  3. Select Register to create the application.

  4. On the app Overview page, find the Application (client) ID value and copy it to your parameters.json file's client_id entry.

  5. In Authentication, select the recommended Redirect URIs for public clients.

  6. Then set the Default Client Type to Yes and Save.

  7. In the list of pages for the app, select API permissions

    • Click the Add a permission button and then,
    • Ensure that the Microsoft APIs tab is selected
    • In the Commonly used Microsoft APIs section, click on Microsoft Graph
    • In the Delegated permissions section, ensure that the right permissions are checked: User.Read. Use the search box if necessary.
    • Select the Add permissions button

Step 3: Run the sample

You'll need to install the dependencies using pip as follows:

pip install msal requests

Start the application, follow the instructions and use a browser to authenticate. The profile for the user you log in with will display in the console.

python device_flow_sample.py parameters.json

If the sample fails to run or is outdated, you can try installing the version-specific dependencies from requirements.txt.

pip install -r requirements.txt

If that doesn't fix the issue, ensure that your parameters.json is correct and saved.

About the code

The relevant code for this sample is in the device_code_sample.py file. The steps are:

  1. Create the MSAL Device Code flow application.

    app = msal.PublicClientApplication(
      config["client_id"], authority=config["authority"],
    )
  2. The scopes are defined in the parameters.json file.

    In the default parameters.json file you have:

    "scope": ["User.Read"]
  3. Acquire the token

    result = None
    # Firstly, looks up a token from cache
    # If that fails, attempt the device code flow
    accounts = app.get_accounts()
    # Skipping account iteration and cache lookup
    flow = app.initiate_device_flow(scopes=config["scope"])
    # Skipping error condition
    result = app.acquire_token_by_device_flow(flow)
  4. Call the API

    In this case, call "https://graph.microsoft.com/v1.0/me" with the access token as a bearer token.

    if "access_token" in result:
        # Calling graph using the access token
        graph_data = requests.get(  # Use token to call downstream service
            config["endpoint"],
            headers={'Authorization': 'Bearer ' + result['access_token']}, ).json()
        print("Users from graph: " + str(graph_data))
    else:
        print(result.get("error"))
        print(result.get("error_description"))
        print(result.get("correlation_id"))  # You may need this when reporting a bug
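
The steps above with the skipped parts filled in (the cache lookup and the device-flow error condition), plus a check on where the bearer token is sent. This is an added example, not the repository's code: `acquire_token`, `bearer_headers`, `StubApp` and the restriction to the public-cloud Graph host are assumptions made for illustration, and `app` is expected to be an `msal.PublicClientApplication`.

```python
import json
from urllib.parse import urlsplit

GRAPH_HOST = "graph.microsoft.com"  # assumption: public-cloud Graph only


def acquire_token(app, scopes, notify=print):
    """Cache first, device code flow second; returns the MSAL result dict."""
    for account in app.get_accounts():
        result = app.acquire_token_silent(scopes, account=account)
        if result and "access_token" in result:
            return result
    flow = app.initiate_device_flow(scopes=scopes)
    if "user_code" not in flow:
        # The endpoint refused to start the flow (for example a wrong client_id)
        raise ValueError("Device flow not started: " + json.dumps(flow))
    notify(flow["message"])  # URL and code the user enters on the other device
    # Polls the token endpoint until the user finishes or the code expires
    return app.acquire_token_by_device_flow(flow)


def bearer_headers(endpoint, result):
    """Build the Authorization header only for an HTTPS Graph endpoint."""
    if "access_token" not in result:
        raise PermissionError(f"{result.get('error')}: {result.get('error_description')}")
    url = urlsplit(endpoint)
    if url.scheme != "https" or url.hostname != GRAPH_HOST:
        raise ValueError("refusing to send token to " + endpoint)
    return {"Authorization": "Bearer " + result["access_token"]}


class StubApp:
    """Constructed stand-in for msal.PublicClientApplication (offline runs)."""

    def __init__(self, accounts=(), flow=None):
        self.accounts, self.flow = list(accounts), flow or {}

    def get_accounts(self):
        return self.accounts

    def acquire_token_silent(self, scopes, account=None):
        return {"access_token": "cached-token"}

    def initiate_device_flow(self, scopes=None):
        return self.flow

    def acquire_token_by_device_flow(self, flow):
        return {"access_token": "fresh-token"}
```

With the real library, pass `msal.PublicClientApplication(config["client_id"], authority=config["authority"])` as `app` and hand the returned headers to `requests.get(config["endpoint"], headers=...)`.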

Troubleshooting

Community Help and Support

Use Stack Overflow to get support from the community. Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Make sure that your questions or comments are tagged with [msal python].

If you find a bug in the sample, please raise the issue on GitHub Issues.

If you find a bug in MSAL Python, please raise the issue on MSAL Python GitHub Issues.

To provide a recommendation, visit the following User Voice page.

Contributing

If you'd like to contribute to this sample, see CONTRIBUTING.MD.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

More information

For more information, see MSAL Python's conceptual documentation:

For more information about the underlying protocol:
