Source from repo

Azure Prepare

Prepare applications for Azure deployment by generating infrastructure code, Dockerfiles, and config files.

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

164

Skill

n/a

Size

546.9 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

references/services/app-service/templates/recipes/auth/source/python.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown80 linesFree

references/services/app-service/templates/recipes/auth/source/python.md

1# Auth Recipe — Python (FastAPI) — REFERENCE ONLY
2 
3## JWT Validation with PyJWT
4 
5### Requirements
6 
7Add to `requirements.txt`:
8 
9```
10PyJWT[crypto]>=2.8
11cryptography
12fastapi
13uvicorn
14```
15 
16### Token Validation Middleware
17 
18Add `auth.py`:
19 
20```python
21import os
22from fastapi import Depends, HTTPException
23from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
24import jwt
25from jwt import PyJWKClient
26 
27security = HTTPBearer()
28TENANT_ID = os.environ["AZURE_TENANT_ID"]
29CLIENT_ID = os.environ["AZURE_CLIENT_ID"]
30# Use APP_ID_URI if set (e.g., "api://<client-id>"); fall back to CLIENT_ID
31AUDIENCE = os.environ.get("AZURE_APP_ID_URI", CLIENT_ID)
32JWKS_URL = f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys"
33 
34jwks_client = PyJWKClient(JWKS_URL)
35 
36async def validate_token(creds: HTTPAuthorizationCredentials = Depends(security)):
37    try:
38        signing_key = jwks_client.get_signing_key_from_jwt(creds.credentials)
39        payload = jwt.decode(
40            creds.credentials,
41            signing_key.key,
42            algorithms=["RS256"],
43            audience=AUDIENCE,
44            issuer=f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
45        )
46        return payload
47    except jwt.InvalidTokenError:
48        raise HTTPException(status_code=401, detail="Invalid token")
49```
50 
51> ⚠️ The `aud` claim in Entra ID tokens is often the Application ID URI (`api://<client-id>`), not the raw client ID. Set `AZURE_APP_ID_URI` in app settings to match your app registration's exposed API URI.
52 
53### Protected Endpoint
54 
55Add to `main.py`:
56 
57```python
58from auth import validate_token
59 
60@app.get("/api/me")
61async def me(user=Depends(validate_token)):
62    return {"name": user.get("name"), "oid": user.get("oid")}
63```
64 
65## App Settings Required
66 
67| Setting | Value |
68|---------|-------|
69| `AZURE_TENANT_ID` | Entra tenant ID |
70| `AZURE_CLIENT_ID` | App registration client ID |
71| `AZURE_APP_ID_URI` | Application ID URI (e.g., `api://<client-id>`) — optional, defaults to CLIENT_ID |
72 
73## Files to Modify
74 
75| File | Action |
76|------|--------|
77| `auth.py` | Create — JWT validation middleware |
78| `main.py` | Modify — add protected endpoints |
79| `requirements.txt` | Modify — add PyJWT, cryptography |
80

Azure Prepare

references/services/app-service/templates/recipes/auth/source/python.md

Preparing the source view

Azure Prepare

references/services/app-service/templates/recipes/auth/source/python.md