How to secure my Flask app using a certificate and MSAL?

Time:09-28

I have a python-Flask website I've created for an employee self-service portal. I've registered it in my company's Azure AD tenant. I'm going to deploy it to a single node (it's a low-traffic site) and I want to secure it with a certificate since it will be pulling our AD credentials and Single Sign On session information.

I downloaded the sample code here: https://github.com/Azure-Samples/ms-identity-python-webapp

After a little work I managed to re-write my site using that as a guide and I can now authenticate with SSO on my laptop!

To try and deploy it to a server, I followed the guide at DigitalOcean: https://www.digitalocean.com/community/tutorials/how-to-serve-flask-applications-with-uswgi-and-nginx-on-ubuntu-18-04

Now's the problem: How do I deploy this to a server? I need to register the new url in the authentication tab in Azure: Done. I'm using https:// and https://<myservername/getAtoken. I need a certificate: I generated a self-signed cert and uploaded it to my Azure application.

Now the problem is: how do I get Azure to recognize my app when it's on the server? If I try to login I just get an error that: "AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: ".

EDIT: I found something. In the URL when I query Azure the return URI being sent is: https://login.microsoftonline.com//oauth2/v2.0/authorize?client_id=&response_type=code&redirect_uri=http:///getAtoken&scope=User.ReadBasic.All offline_access openid profile&state=SpOcEwhzdGBXxMsv&code_challenge=<information I'm not sure is wise to share.

It's sending the URL as http, not https!

CodePudding user response:

To deploy to the server you need to add the certificate identity a client and give the client access to web services calls in your application. Read more about the certificate here. To get Azure to recognize your app when it’s on the server you need to first register your application in Azure AD.

The error AADSTS50011 is referring to when trying to sign into a SAML-based single sign-on (SSO) configured app that has been integrated with Azure Active Directory (Azure AD). You received the error AADSTS50011 when trying to sign into an application that has been set up to use Azure AD for identity management using SAML-based SSO. Learn more here.

CodePudding user response:

I found my problem. In the nginx.conf file I needed to add:

proxy_set_header X-Forwarded-Proto $scheme;
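The nginx line above only forwards the original scheme; Flask still builds redirect_uri from the scheme it sees on its own socket (plain http from uWSGI) unless the app is told to trust X-Forwarded-Proto via werkzeug's ProxyFix. The following is an added example, not code from the post or from the Azure sample, with a constructed hostname portal.example.com; it shows the http:// redirect_uri the poster saw and the https:// one Azure expects once the header is trusted.

```python
# Added example: why redirect_uri came out as http:// behind nginx, and how
# trusting X-Forwarded-Proto (set by nginx) makes Flask build https:// URLs.
from typing import Optional

from flask import Flask, url_for
from werkzeug.middleware.proxy_fix import ProxyFix


def create_app(trust_proxy: bool) -> Flask:
    app = Flask(__name__)
    if trust_proxy:
        # Trust exactly one proxy hop (the nginx in front of uWSGI) for the
        # client address, scheme and host. Do not enable this on an app that
        # is reachable without going through that proxy.
        app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1)

    @app.route("/getAtoken")
    def authorized():
        return "token endpoint"

    @app.route("/login")
    def login():
        # The sample app builds MSAL's redirect_uri the same way: from the
        # scheme and host of the current request.
        return url_for("authorized", _external=True)

    return app


def redirect_uri_seen_by_azure(trust_proxy: bool, forwarded_proto: Optional[str]) -> str:
    """Simulate a request arriving from nginx and return the redirect_uri Flask builds."""
    app = create_app(trust_proxy)
    client = app.test_client()
    headers = {"Host": "portal.example.com"}  # constructed hostname
    if forwarded_proto:
        # This is what `proxy_set_header X-Forwarded-Proto $scheme;` adds.
        headers["X-Forwarded-Proto"] = forwarded_proto
    resp = client.get("/login", headers=headers)
    return resp.get_data(as_text=True)


if __name__ == "__main__":
    print(redirect_uri_seen_by_azure(False, None))      # http://portal.example.com/getAtoken
    print(redirect_uri_seen_by_azure(False, "https"))   # still http://, header is ignored
    print(redirect_uri_seen_by_azure(True, "https"))    # https://portal.example.com/getAtoken
```

The middle case is the one to watch: adding the header in nginx without ProxyFix changes nothing, and AADSTS50011 persists because the registered https:// reply URL still does not match.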