Auth breaking Azure Python WebSites

Jan 2, 2015 at 1:40 PM

Go create a new Azure AD if you don't already have one.

Create a new Python website in Azure (Bottle, Flask, Django). Once it's ready, take a look at it.
Then go back to Azure management/config and click the green "Configure" button under authentication / authorization. Choose your AD in the dialog and choose "Add new App".

This will configure your website so that it can't be reached unless the user has logged in to AD.
... so go take a look at your site. Now your site throws errors instead of redirecting to AD login!!!

This same setting works fine for Aspx and Node.js sites ... but not for Python sites.
Why?

Jan 2, 2015 at 5:37 PM
Thanks for the note. I suspect there are some changes necessary to a Python site to make it work (since we allow you a choice of framework we can't automatically apply it) but I don't know exactly what those are. I'll spend some time today figuring it out and let you know.
Jan 2, 2015 at 6:03 PM
So here are the steps I followed to enable authentication on a bottle site (though the framework doesn't actually seem to matter):
  1. Enabled AAD on a site as you suggest
  2. Saw the error due to multiple rewrites of "handler.fcgi" into the path
  3. Modified my web.config to look like this:
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="WSGI_ALT_VIRTUALENV_HANDLER" value="app.wsgi_app()" />
    <add key="WSGI_ALT_VIRTUALENV_ACTIVATE_THIS" value="%ROOTDIR%\env\Scripts\python.exe" />
    <add key="WSGI_HANDLER" value="ptvs_virtualenv_proxy.get_venv_handler()" />
    <add key="PYTHONPATH" value="%ROOTDIR%" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <!--You get better error messages with this uncommented <customErrors mode="Off" />-->
  </system.web>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <handlers>
      <add name="Static Files" path="static/*" verb="GET" modules="StaticFileModule" resourceType="File" requireAccess="Read" />
      <add name="Python FastCGI" path="*" verb="*" modules="FastCgiModule" scriptProcessor="%INTERPRETERPATH%|%WFASTCGIPATH%" resourceType="Unspecified" requireAccess="Script" />
    </handlers>
  </system.webServer>
</configuration>
You'll notice that I removed the rewrite entirely and used two handlers. (Why don't we generate the web.config like this in the first place? No idea. We probably should.)
  4. Passed os.getenv('WEBSITE_AUTH_LOGOUT_PATH') into my main page and added a 'Sign Out' link.
  5. Opened my site in InPrivate mode (I was getting auth prompts from IE instead of the redirect without doing this - not sure why) and logged in with an account in my AAD directory (both my Azure login and one that I created)
  6. Site worked fine.
I think the web.config changes are what you need. It's important to remove the comment from the top of the file and add it to your project or else we will regenerate the contents each time you publish.

Hope that helps.
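
A check for the layout described in the reply above, as an added example that is not part of the original thread: it parses a web.config and reports a leftover rewrite to handler.fcgi, a missing catch-all FastCGI handler, or a static handler listed after it. Both sample configs and the function name `check_web_config` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): a config that still rewrites
# every request to handler.fcgi.
REWRITE_CONFIG = """<?xml version="1.0"?>
<configuration><system.webServer>
  <handlers>
    <add name="Python FastCGI" path="handler.fcgi" verb="*" modules="FastCgiModule" />
  </handlers>
  <rewrite><rules><rule name="Configure Python">
    <match url="(.*)" />
    <action type="Rewrite" url="handler.fcgi/{R:1}" />
  </rule></rules></rewrite>
</system.webServer></configuration>"""

# Constructed sample: the two-handler layout described in the reply.
HANDLER_CONFIG = """<?xml version="1.0"?>
<configuration><system.webServer>
  <handlers>
    <add name="Static Files" path="static/*" verb="GET" modules="StaticFileModule" />
    <add name="Python FastCGI" path="*" verb="*" modules="FastCgiModule" />
  </handlers>
</system.webServer></configuration>"""


def check_web_config(xml_text):
    """Return findings; an empty list means the no-rewrite layout is in place."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. The reply attributes the error to rewrites of handler.fcgi.
    for action in root.iter("action"):
        if action.get("type") == "Rewrite" and "handler.fcgi" in action.get("url", ""):
            findings.append("rewrite to handler.fcgi present")
    # 2. A catch-all FastCGI handler takes the place of the rewrite.
    handlers = [h for group in root.iter("handlers") for h in group.findall("add")]
    catch_all = [i for i, h in enumerate(handlers)
                 if h.get("modules") == "FastCgiModule" and h.get("path") == "*"]
    if not catch_all:
        findings.append('no FastCgiModule handler with path="*"')
        return findings
    # 3. Assumption: IIS uses the first matching handler, so the static
    #    handler has to be listed before the catch-all.
    static = [i for i, h in enumerate(handlers)
              if h.get("modules") == "StaticFileModule"]
    if not static or min(static) > catch_all[0]:
        findings.append("static file handler missing or listed after catch-all")
    return findings


if __name__ == "__main__":
    for name, text in (("rewrite", REWRITE_CONFIG), ("handlers", HANDLER_CONFIG)):
        print(name, check_web_config(text) or "ok")
```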
Jan 2, 2015 at 6:06 PM
I think my login troubles were because I'm on the Microsoft employees network and it tries to redirect automatically. If you don't have an organisational network like that then you'll probably be fine.
Jan 3, 2015 at 5:51 AM
Edited Jan 3, 2015 at 10:13 AM
Thank you very much, sir.
Will try this later today (we have a time difference, it's 07.50 Saturday morning now)


So I tried. Copied your contents to my web.config and sure enough the site started to redirect me to sign in.
Once signed in I caught a glimpse of wsfederation page submit and then we were back in the original application URL.
But this time the app said: "The page cannot be displayed because an internal server error has occurred."

I created another empty Python app just to see if I had somehow screwed it up, but with the same results.

Jan 23, 2015 at 4:55 PM
Sorry I missed your reply - there are no email notifications for edits.

Does your app work okay with authentication disabled? As I understand it, once you're through the authentication it should just be like a normal site. However, it's possible that the deployment has broken in some other way - typically missing dependencies.

If you've already managed to get this working then I'd be interested in what you had to do. We really need to make this easier, so the more information we have about what could go wrong the better.
Jan 28, 2015 at 12:37 PM
No probs zooba.
For some reason this just doesn't work when authentication is enabled. With auth disabled the same site works fine.
This happens on any type of Python site.

But when I do the same thing manually (configure application in AD) things work fine.
I even added redirect to "" and extraction of Access codes and things work nicely for the purposes of LOB applications I'm building.