
I went through the Flask OAuth API, and it's pretty clear how to do authentication for a web app. The web app gets redirected to the authentication provider's login page, where access is granted, and returns back to the web app with a token.

However, for web API scenarios, where a client is pre-authorized to call the web API, the request will have a Bearer token along with the call. Is there any example of how to validate this token? I see APIs like `validate_access_token()` in the OAuth2 library, but I can't see any examples where people use it for web APIs.

I use Azure AD for authentication, have created an AAD application, and am able to get a token from it through the adal package on the client side (with the clientId and clientKey from AAD). But I haven't been able to authorize it yet on the web API side, because it seems most scenarios look at web app authentication and not web API scenarios. Any ideas on how to authenticate on the server side?

sargeMonkey
  • [This document](http://flask-oauthlib.readthedocs.io/en/latest/oauth2.html#protect-resource) talks about protecting a resource in an API using the `require_oauth` decorator. There is a [sample](https://github.com/lepture/flask-oauthlib/blob/master/tests/oauth2/server.py#L298) as well. You can probably set Azure AD as the OAuth provider and use this pattern. – Navya Canumalla Sep 01 '17 at 23:54
  • Thanks, this sample is implementing the OAuth server side, but not authenticating against any OAuth server like AAD. Did I misunderstand? For example, this is the client code for getting a token from AAD using the adal library: `import adal` then `token_response = adal.acquire_token_with_client_credentials("login.microsoftonline.com/…", "ABCDEFGH-1234-1234-1234-ABCDEFGHIJKL", "a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a=")` (authority, client ID, client secret). How do I verify that this is a valid token on the server side? – sargeMonkey Sep 03 '17 at 06:02
  • I'm trying to look for information regarding this as well. However, from what I can gather, it seems that validation of the token is done by each of the services under the assumption that they all have access to where the information is stored. See [this](http://flask-oauthlib.readthedocs.io/en/latest/oauth2.html#token-getter-and-setter). This means that they'd at least need to implement the getters. This is all theory though. I have to try this one out myself. – Rey Pader Sep 14 '17 at 08:13
  • Looks like the only solution is calling the AAD REST APIs directly – sargeMonkey Feb 25 '18 at 23:30
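What validating such a Bearer token on the web API side actually involves, as an added example (this is not code from the question, from any comment, or from Flask-OAuthlib): an Azure AD access token is a signed JWT, so the resource server does not need to call back to AAD per request. It parses the token, pins the algorithm, looks up the signing key by `kid` in the tenant's JWKS, verifies the RS256 signature, and only then checks `iss`, `aud`, `exp` and `nbf`. The issuer, audience, key id and claim values below are placeholders, and the JWKS and token are constructed locally from a freshly generated RSA key standing in for AAD's signing key, so it runs offline with only the `cryptography` package installed.

```python
"""Server-side validation of an RS256 bearer token against a JWKS.

Added example, not from the original question. Tenant values are placeholders;
the key set and token are constructed locally in place of Azure AD.
"""
import base64
import json
import time
from typing import Optional

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumed tenant values (placeholders). In a real deployment the issuer comes from
# the tenant's OpenID metadata document and the keys from its "jwks_uri".
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
EXPECTED_AUDIENCE = "api://example-web-api"  # App ID URI of the web API's AAD application
CLOCK_LEEWAY_SECONDS = 60


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def jwk_to_public_key(jwk: dict):
    """Rebuild an RSA public key from the 'n' and 'e' members of a JWK."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    return rsa.RSAPublicNumbers(e, n).public_key()


def validate_bearer(authorization: str, jwks: dict, now: Optional[float] = None) -> dict:
    """Validate the Authorization header of an incoming request.

    Returns the verified claims or raises ValueError. Order matters: the
    algorithm is pinned and the signature checked before any claim is trusted.
    """
    now = time.time() if now is None else now
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing Bearer token")
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        signature = b64url_decode(s_b64)
    except ValueError as exc:  # covers wrong segment count, bad base64 and bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm ourselves; never honour the token's choice (rejects
    # alg=none and HS256 key-confusion attacks).
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    try:
        jwk_to_public_key(key).verify(
            signature, f"{h_b64}.{p_b64}".encode(), padding.PKCS1v15(), hashes.SHA256()
        )
    except InvalidSignature as exc:
        raise ValueError("bad signature") from exc
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) + CLOCK_LEEWAY_SECONDS < now:
        raise ValueError("expired")
    if claims.get("nbf", 0) - CLOCK_LEEWAY_SECONDS > now:
        raise ValueError("not yet valid")
    return claims


# --- Constructed fixture standing in for Azure AD (test data, not real tenant keys) ---
_SIGNING_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
_PUB = _SIGNING_KEY.public_key().public_numbers()


def _int_to_b64url(n: int) -> str:
    return b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big"))


SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "example-kid-1",
                         "n": _int_to_b64url(_PUB.n), "e": _int_to_b64url(_PUB.e)}]}


def mint_token(claims: dict, kid: str = "example-kid-1", alg: str = "RS256") -> str:
    """Sign a token the way the identity provider would (fixture helper only)."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": alg, "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = _SIGNING_KEY.sign(f"{header}.{payload}".encode(), padding.PKCS1v15(), hashes.SHA256())
    return f"{header}.{payload}.{b64url_encode(sig)}"


def client_credentials_claims(now: float, aud: str = EXPECTED_AUDIENCE) -> dict:
    """Shape of an app-only (client credentials) token: no user, just the calling app."""
    return {"iss": EXPECTED_ISSUER, "aud": aud, "appid": "client-id-placeholder",
            "iat": int(now), "nbf": int(now), "exp": int(now) + 3600}


if __name__ == "__main__":
    t = time.time()
    print(validate_bearer("Bearer " + mint_token(client_credentials_claims(t)), SAMPLE_JWKS))
```

To wire this into Flask, a decorator around the protected route would call `validate_bearer(request.headers.get("Authorization", ""), jwks)` and return 401 on `ValueError`; the JWKS should be fetched once from the tenant's discovery document, cached, and refetched when an unknown `kid` turns up, since AAD rotates signing keys. The v1 endpoint that ADAL talks to issues tokens with a `https://sts.windows.net/{tenant}/` issuer, while the v2 endpoint uses `https://login.microsoftonline.com/{tenant}/v2.0`, so the expected issuer must match the endpoint the client used. In production a maintained JWT library is preferable to hand-rolled parsing; the value of the example is the list of checks a resource server must perform and the order in which it performs them.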

0 Answers