
#Flask app builder overwrite views code#
Recommended call pattern for public client applications

Application code should first try to get a token silently from the cache. It's also capable of refreshing a token when it's getting close to expiration (as the token cache also contains a refresh token). In many cases, attempting to silently get a token will acquire another token with more scopes based on a token in the cache. MSAL maintains a token cache (or two caches for confidential client applications) and caches a token after it's been acquired. Acquiring tokens silently (from the cache) For example, by requesting the and scopes. Later, you can give them the ability to view their calendar by requesting the calendar scope in the acquire token method and obtaining the user's consent to do so. Such dynamic scopes allow your users to provide incremental consent to scopes.

For example, you might sign in the user but initially deny them access to any resources. Request dynamic scopes for incremental consent

As the features provided by your application or its requirements change, you can request additional permissions as needed by using the scope parameter. If the downstream resource is not under your control, you might need to try different scope value formats (for example with/without scheme and host) if you receive 401 or other errors when passing the access token to the resource. Other APIs might require that no scheme or host is included in the scope value, and expect only the app ID (a GUID) and the scope name, for example:

11111111-1111-1111-1111-111111111111/api.read

In this case, pass the scope as, including the double forward slash ('//').
The format of the scope value varies depending on the resource (the API) receiving the access token and the aud claim values it accepts.

For Microsoft Graph only, the user.read scope maps to, and both scope formats can be used interchangeably.

Certain web APIs such as the Azure Resource Manager API ( ) expect a trailing forward slash ('/') in the audience claim ( aud) of the access token. Some example scope values for different resources: When your application needs to request an access token with specific permissions for a resource API, pass the scopes containing the app ID URI of the API in the format /.

For more information, see Scopes for a v1.0 application. It's also possible in MSAL to access v1.0 resources. Well-known scopes are the Microsoft Graph permissions. The scopes parameter is a list of strings that declare the desired permissions and the resources requested. Several of MSAL's token acquisition methods require a scopes parameter. Based on the web API's configuration of the token version it accepts, the v2.0 endpoint returns the access token to MSAL. For more information, read v1.0 and v2.0 comparison. v2.0 protocol uses scopes instead of resource in the requests. MSAL allows you to get tokens to access Azure AD for developers (v1.0) and the Microsoft identity platform APIs. Client applications request the user's consent for these scopes when making authentication requests to get tokens to access the web APIs. Scopes are the permissions that a web API exposes that client applications can request access to. This doesn't remove the session cookie that's in the browser, however. You can also clear the token cache, which is achieved by removing the accounts from the cache. Your application code should first try to get a token silently from the cache before attempting to acquire a token by other means.

MSAL caches a token after it's been acquired. In general, the method used for acquiring a token depends on whether the application is a public client application like desktop or mobile app, or a confidential client application like web app, web API, or daemon application. Some require user interaction through a web browser, while others don't require user interaction. There are several ways to acquire a token by using the Microsoft Authentication Library (MSAL). Access tokens enable clients to securely call web APIs protected by Azure.
