Provides a way to put Azure AD bearer token authentication in front of flask and falcon APIs.

Find the "Directory (tenant) ID" and "Application ID URI" for your Azure AD app registration, highlighted in red below:

Set up an OIDCConfig object with those details as follows:

from azure_oidc import OIDCConfig

tenant_id = ""  # Directory (tenant) ID goes here
config = OIDCConfig(
    base_url=f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    issuer=f"https://sts.windows.net/{tenant_id}/",
    audience=""  # Application ID URI goes here
)

To add authentication to Falcon resources, azure-oidc provides a middleware class.

The following example implements a simple echo endpoint with OIDC authentication. A client will only be able to call this endpoint if they provide a valid bearer token with the scope example_scope.

import falcon
from azure_oidc.integrations.falcon_middleware import FalconOIDCAuthMiddleware

class Echo:
    auth_scopes = "example_scope"

    def on_post(self, req: falcon.Request, resp: falcon.Response):
        resp.media = req.media

api = falcon.API(middleware=[FalconOIDCAuthMiddleware(config)])
api.add_route("/echo", Echo())

Any authentication errors will be raised as falcon.HTTPUnauthorized exceptions with useful descriptions.

The Falcon authentication is implemented as an opt-out system. If you wish to exclude an endpoint from OIDC authentication, you can specify auth_disable = True on the resource. For example:

class EchoNoAuth:
    auth_disable = True

    def on_post(self, req: falcon.Request, resp: falcon.Response):
        resp.media = req.media

For flask endpoint functions, azure-oidc provides a view decorator.

The following example implements a simple echo endpoint with OIDC authentication. A client will only be able to call this endpoint if they provide a valid bearer token with the scope example_scope.

from flask import Flask, request
from azure_oidc.integrations.flask_decorator import FlaskOIDCAuthDecorator

requires_auth = FlaskOIDCAuthDecorator(config)

api = Flask(__name__)

@api.route("/echo", methods=["POST"])
@requires_auth(auth_scopes="example_scope")
def echo():
    return request.json

Since the Flask implementation in opt-in, to disable authentication on an endpoint simply do not use the requires_auth decorator on the relevant view function(s).

To handle authentication errors, you may wish to register a Flask error handler such as the following:

from azure_oidc.integrations.flask_decorator import HTTPUnauthorized

@api.errorhandler(HTTPUnauthorized)
def handle_unauthorized(error: HTTPUnauthorized):
    return {"title": "401 Unauthorized", "description": error.description}, 401