Merge branch 'b2c-fix'

Author: rayluo

.env.sample

@@ -1,16 +1,32 @@
 # Note: If you are using Azure App Service, go to your app's Configuration,
 # and then set the following values into your app's "Application settings".
 
+# The following variables are required for the app to run.
 CLIENT_ID=<client id>
 CLIENT_SECRET=<client secret>
 
-# The AUTHORITY variable expects a full authority URL.
+# This sample can be configured as a Microsoft Entra ID app,
+# a Microsoft Entra External ID app, or a B2C app.
+
+# 1. If you are using a Microsoft Entra ID tenent,
+#    configure the AUTHORITY variable as
+#    "https://login.microsoftonline.com/TENANT_GUID"
+#    or "https://login.microsoftonline.com/subdomain.onmicrosoft.com".
 #
-# If you are using an AAD tenent, configure it as
-# "https://login.microsoftonline.com/TENANT_GUID"
-# or "https://login.microsoftonline.com/subdomain.onmicrosoft.com".
+#    Alternatively, leave it undefined if you are building a multi-tenant AAD app
+#    in world-wide cloud
+#AUTHORITY=<authority url>
 #
-# If you are using a CIAM tenant, configure it as "https://subdomain.ciamlogin.com"
 #
-# Alternatively, leave it undefined if you are building a multi-tenant app in world-wide cloud
+# 2. If you are using a Microsoft Entra External ID for customers (CIAM) tenant,
+#    configure AUTHORITY as "https://subdomain.ciamlogin.com"
 #AUTHORITY=<authority url>
+#
+#
+# 3. If you are using a B2C tenant, configure the following variables:
+#    Note the B2C_TENANT_NAME shall be the display name such as "contoso"
+#
+#B2C_TENANT_NAME=<tenant name>
+SIGNUPSIGNIN_USER_FLOW=B2C_1_signupsignin1
+EDITPROFILE_USER_FLOW=B2C_1_profile_editing
+RESETPASSWORD_USER_FLOW=B2C_1_reset_password

.env.sample.b2c

@@ -11,12 +11,22 @@ urlFragment: ms-identity-python-webapp
 
 This is a Python web application that uses the Flask framework and the Microsoft identity platform to sign in users and make authenticated calls to the Microsoft Graph API.
 
+# Configuration
+
+## If you are configuring your Microsoft Entra ID app or Microsoft Entra External ID app
+
 To get started with this sample, you have two options:
 
 * Use the Azure portal to create the Azure AD applications and related objects. Follow the steps in
   [Quickstart: Add sign-in with Microsoft to a Python web app](https://docs.microsoft.com/azure/active-directory/develop/web-app-quickstart?pivots=devlang-python).
 * Use PowerShell scripts that automatically create the Azure AD applications and related objects (passwords, permissions, dependencies) for you, and then modify the configuration files. Follow the steps in the [App Creation Scripts README](./AppCreationScripts/AppCreationScripts.md).
 
+## If you are configuring your B2C app
+
+This sample can also work as a B2C app. If you are using a B2C tenant, follow
+[Configure authentication in a sample Python web app by using Azure AD B2C](https://learn.microsoft.com/azure/active-directory-b2c/configure-authentication-sample-python-web-app).
+
+
 # Deployment
 
 Once you finish testing this web app locally, you can deploy it to your production.

README.md

@@ -19,6 +19,7 @@
 from werkzeug.middleware.proxy_fix import ProxyFix
 app.wsgi_app = ProxyFix(app.wsgi_app, x_proto=1, x_host=1)
 
+app.jinja_env.globals.update(Auth=identity.web.Auth)  # Useful in template for B2C
 auth = identity.web.Auth(
     session=session,
     authority=app.config["AUTHORITY"],

README_B2C.md

@@ -1,14 +1,33 @@
 import os
 
+
+if (os.getenv('B2C_TENANT_NAME')
+    and os.getenv('SIGNUPSIGNIN_USER_FLOW') and os.getenv('EDITPROFILE_USER_FLOW')):
+    # This branch is for B2C. You can delete this branch if you are not using B2C.
+    b2c_tenant = os.getenv('B2C_TENANT_NAME')
+    authority_template = "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user_flow}"
+    AUTHORITY = authority_template.format(
+        tenant=b2c_tenant,
+        user_flow=os.getenv('SIGNUPSIGNIN_USER_FLOW'))
+    B2C_PROFILE_AUTHORITY = authority_template.format(
+        tenant=b2c_tenant,
+        user_flow=os.getenv('EDITPROFILE_USER_FLOW'))
+    B2C_RESET_PASSWORD_AUTHORITY = authority_template.format(
+        # If you are using the new "Recommended user flow"
+        # (https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-versions),
+        # you can remove the B2C_RESET_PASSWORD_AUTHORITY settings from this file.
+        tenant=b2c_tenant,
+        user_flow=os.getenv('RESETPASSWORD_USER_FLOW'))
+else:  # This branch is for AAD or CIAM
+    # You can configure your authority via environment variable
+    # Defaults to a multi-tenant app in world-wide cloud
+    AUTHORITY = os.getenv("AUTHORITY") or "https://login.microsoftonline.com/common"
+
 # Application (client) ID of app registration
 CLIENT_ID = os.getenv("CLIENT_ID")
 # Application's generated client secret: never check this into source control!
 CLIENT_SECRET = os.getenv("CLIENT_SECRET")
 
-# You can configure your authority via environment variable
-# Defaults to a multi-tenant app in world-wide cloud
-AUTHORITY = os.getenv("AUTHORITY", "https://login.microsoftonline.com/common")
-
 REDIRECT_PATH = "/getAToken"  # Used for forming an absolute URL to your redirect URI.
 # The absolute URL must match the redirect URI you set
 # in the app's registration in the Azure portal.

app.py

@@ -14,7 +14,7 @@ <h2>Welcome {{ user.get("name") }}!</h2>
     {% endif %}
 
     {% if config.get("B2C_PROFILE_AUTHORITY") %}
-      <li><a href='{{config.get("B2C_PROFILE_AUTHORITY")}}?client_id={{config.get("CLIENT_ID")}}'>Edit Profile</a></li>
+      <li><a href='{{Auth(session={}, authority=config["B2C_PROFILE_AUTHORITY"], client_id=config["CLIENT_ID"]).log_in(redirect_uri=url_for("auth_response", _external=True))["auth_uri"]}}'>Edit Profile</a></li>
     {% endif %}
 
     <li><a href="/logout">Logout</a></li>

app_config.py

@@ -20,7 +20,7 @@ <h1>Microsoft Identity Python Web App</h1>
     {% endif %}
 
     {% if config.get("B2C_RESET_PASSWORD_AUTHORITY") %}
-    <a href="{{config.get('B2C_RESET_PASSWORD_AUTHORITY')}}?client_id={{config.get('CLIENT_ID')}}">Reset Password</a>
+    <a href='{{Auth(session={}, authority=config["B2C_RESET_PASSWORD_AUTHORITY"], client_id=config["CLIENT_ID"]).log_in(redirect_uri=url_for("auth_response", _external=True))["auth_uri"]}}'>Reset Password</a>
     {% endif %}
 
     <hr>