
I’m trying to Dockerize a Python webapp that uses MSAL to handle authentication. I am acquiring the access token by using:

auth_response = public_app.acquire_token_interactive(scopes=user_scopes, port=5000)

token = auth_response['access_token']

The authentication runs smoothly whenever I test it locally. However, when I try to run my code in a Docker container, I get this error message:

Found no browser in current environment. If this program is being run
inside a container which either (1) has access to host network (i.e.
started by docker run --net=host -it ...), or (2) published port
5000 to host network (i.e. started by docker run -p 127.0.0.1:5000:5000 -it ...), you can use browser on host to visit the following link. Otherwise, this auth attempt would either timeout
(current timeout setting is None) or be aborted by CTRL+C. Auth
URI:…


When I click on the auth uri generated in the log, I am able to login as normal, and the Docker-ized application runs perfectly. How can I redirect to the generated Auth URI? MSAL uses webbrowser.get() to normally redirect.

2 Answers


  1. Somewhat randomly, we just had this same need arise in our environment, using msal-node rather than Python, but the same interactive browser flow.

    To accomplish it, I wrote this utility: https://github.com/sam-mfb/oauth2-forwarder

    More details are on the project, but basically it uses a client-server TCP connection to forward the client/container's browser request out to the host and then send the response back into the container.

    You might find it useful for your situation. If you need help feel free to raise an issue on the repo.

  2. For the acquire_token_interactive I was also searching for a solution. According to this GitHub thread this is the official way to go:

    For posterity, the original feature request was achieved by these
    building blocks:

    MSAL Python 1.25+ being capable to detect its running inside docker
    and automatically switched to listening on 0.0.0.0 instead of
    localhost. When a browser is unavailable inside the container, MSAL
    (and Azure CLI) shall display the login URL inside the container. That
    URL is typically clickable when it is running inside a modern
    terminal, so, a browser on host will be triggered by just one click.
    However, the app developer does need a setup to somehow relay the
    incoming http request back to the container. The most convenient way
    is to use docker run … --net=host, providing that your docker host
    is on Linux. Otherwise, your app would have to specify a port
    beforehand by acquire_token_interactive(…, port=1234) and then setup
    the port forwarding when you start your container docker run … -p
    1234:1234 ….

    Source: https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/422

    However I solved the issue with the device code flow instead as described here:
    https://learn.microsoft.com/en-us/entra/msal/python/getting-started/acquiring-tokens

    I just show the usercode and the link from the response:

    "usercode": "AKJDMME"
    "verification_uri":"https://microsoft.com/devicelogin"
    

    So the user can click on the link and just type in the code. Additionally I show a QR code that contains the URL if anyone feels more comfortable typing that on the phone.

    Hope that helps.

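The device code flow described in the second answer, as an added example that is not code from either answer or from the MSAL project: it uses MSAL Python's `initiate_device_flow` and `acquire_token_by_device_flow`, shows only the user code and verification URL, and never prints the device code or the token. `StubApp`, its constructed values, the `User.Read` scope and the command-line client id are assumptions made so the block runs offline.

```python
import sys

def acquire_token_device_flow(app, scopes, show=print):
    """Get an access token without a browser inside the container.

    `app` is an msal.PublicClientApplication (or any object with the same
    two device-flow methods); `show` is how the prompt reaches the user.
    """
    flow = app.initiate_device_flow(scopes=scopes)
    if "user_code" not in flow:
        # No code was issued (for example a bad client id, scope or authority).
        raise RuntimeError("device flow not started: %s"
                           % flow.get("error_description", flow.get("error")))
    # Show only the short-lived user code and URL; never the device_code,
    # which is the secret the container polls the token endpoint with.
    show("Open %s and enter code %s" % (flow["verification_uri"], flow["user_code"]))
    # Blocks, polling until the user signs in or the code expires.
    result = app.acquire_token_by_device_flow(flow)
    if "access_token" not in result:
        raise RuntimeError("sign-in failed: %s"
                           % result.get("error_description", result.get("error")))
    return result["access_token"]


class StubApp:
    """Constructed stand-in for msal.PublicClientApplication (offline demo)."""
    def __init__(self, succeed=True):
        self.succeed = succeed
    def initiate_device_flow(self, scopes=None):
        return {"user_code": "CONSTRUCTED1", "device_code": "constructed-secret",
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": 900, "interval": 5}
    def acquire_token_by_device_flow(self, flow):
        if self.succeed:
            return {"access_token": "constructed-token", "token_type": "Bearer"}
        return {"error": "expired_token", "error_description": "code expired"}


if __name__ == "__main__":
    if len(sys.argv) > 1:          # real run: python thisfile.py <client_id>
        import msal                # imported lazily so the demo runs without it
        app = msal.PublicClientApplication(sys.argv[1])
    else:
        app = StubApp()            # offline run with constructed responses
    token = acquire_token_device_flow(app, ["User.Read"])
    print("token acquired, length", len(token))   # do not log the token itself
```

Because this flow needs no listening port, the container does not have to be started with `--net=host` or a published port.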