User Authenticaction

giannismo · May 29, 2025, 3:44pm

I have configured my Streamlit application for user authentication with MS Entra using the following documentation: Use Microsoft Entra to authenticate users - Streamlit Docs

However, when the login button is clicked and the user logs in, the user is redirected again for log in. It seems that the session is not persisted.

The application is hosted on AKS and I am using the following versions:

streamlit==1.45.1
authlib==1.5.2

Thank you in advance for any help

mathcatsand · May 29, 2025, 3:54pm

When a user logs in, a new session is indeed created by design. The reading of the authentication token only happens at the beginning of a session, so logging in creates the cookie, then starts a new session (where the user’s info is read from that cookie and made available in st.user).

Can you verify that your configuration accepts the kind of account you’re using to log in? The example was for personal Microsoft accounts, so you’d need to change the server meta data if you are using a different kind of account, for example. Are there any messages displayed during the login flow about app permissions?

mathcatsand · May 29, 2025, 3:55pm

PS. I changed the category of the post. streamlit-authenticator is a custom component, but the tutorial is for the built-in authentication feature.

giannismo · May 30, 2025, 6:31am

This is the code snippet of my simple Streamlit application:

import streamlit as st

if not st.user.is_logged_in:
    if st.button("Log in with Microsoft"):
        st.login("microsoft")
    st.stop()

if st.button("Log out"):
    st.logout()
st.markdown(f"Welcome! {st.user.name} - {st.user.email}")

I have adjusted the server_metadata_url to https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration, so as to accept users from the specific Microsoft Entra tenant. I have not changed the scope, which by default is scope="openid profile email". In the login page, the user is asked for the following:

View your basic profile
Maintain access to data you have given it access to

However, when the user grants permission and is redirected to the Streamlit app, the st.user.is_logged_in is again false, since only the login button is visible.

giannismo · June 2, 2025, 9:51am

Hello @mathcatsand ,

Hope all good – any recommendation on debugging the above?

mathcatsand · June 2, 2025, 3:30pm

I don’t know if this will help at all, but things that I would try to look at:

Verify in your identity provider logs that it thinks it is accepting and forwarding the authenticated user.
Verify if this behavior is the same on other browsers and other devices.
Double check the redirect URL in both your authentication configuration and identity provider (that you have the /oauth2callback path in both).

giannismo · June 6, 2025, 9:55am

hello @mathcatsand – sharing an update on the above issue:

by running the Streamlit app on localhost , the authentication works as expected. Since it runs on 2 AKS Pods in Production, do you have any idea on what could be the case?

We have already confirmed the following:

the user is successfully logged in in the MS Entra logs
the problematic behavior is the same across users and browsers (Chrome and Edge tested) – i.e. the user is redirected again to log in
the redirect URI is consistent on both the auth config and MS Entra registration

Many thanks in advance

mathcatsand · June 6, 2025, 8:19pm

Can you take a read through this GitHub issue and see if any of the diagnostic questions and thoughts shed some light? (Whether or not you have the same root cause, the same questions apply.)

github.com/streamlit/streamlit

Microsoft SSO User Authentication failing for some users with no errors.

opened 02:36PM - 23 Apr 25 UTC

closed 12:34PM - 06 May 25 UTC

ruskgo

type:bug status:awaiting-user-response feature:authentication

### Checklist - [x] I have searched the [existing issues](https://github.com/st…reamlit/streamlit/issues) for similar issues. - [x] I added a very descriptive title to this issue. - [x] I have provided sufficient information below to help reproduce this issue. ### Summary Following the [documentation](https://docs.streamlit.io/develop/concepts/connections/authentication) on and the [tutorial](https://docs.streamlit.io/develop/tutorials/authentication/microsoft) I am trying to log users into the app using Microsoft SSO. It works fine for most users, just fails for some with no apparent reason. I cannot debug it for the life of me. When I try to log in the user he is always returned back to login, because the st.experimiental_user.is_logged_in is set to `False`. This happens without any errors from streamlit. Below is the test code I have created to try to debug it. But nothing provides me with a clue. It seems that all the HTTP call are being returned with 200 status code and even the bytes sizes are similar for replicated calls with request library I have simulated. ### Reproducible Code Example ```Python import streamlit as st import requests import logging import jwt from urllib.parse import urlencode logging.basicConfig( level=logging.DEBUG, ) logger = logging.getLogger("python") def get_discovery_keys(token_response): tenant = st.secrets["auth"]["microsoft"]["tenant"] url = f"https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys" try: logger.info("Getting discovery keys...") response = requests.get(url=url) response.raise_for_status() disc_keys = response.json() logger.info(f"Discovery keys: {disc_keys}") if "id_token" in token_response: token = token_response["id_token"] decoded_payload = jwt.decode(token, options={"verify_signature": False}) decoded_header = jwt.get_unverified_header(token) logger.info(f"ID Token Header:{str(decoded_header)}") logger.info(f"ID Token Payload:{str(decoded_payload)}") else: logger.error("No ID Token in the token_response.") st.write("Logged with manual set up.") logger.info("Manual Log in logs end.") st.query_params.clear() except requests.exceptions.RequestException as error: logger.error(f"Error on gettin the discovery keys: {str(error)}") st.stop() def get_token_from_code(auth_code): tenant = st.secrets["auth"]["microsoft"]["tenant"] client_id = st.secrets["auth"]["microsoft"]["client_id"] client_secret = st.secrets["auth"]["microsoft"]["client_secret"] redirect_uri = st.secrets["auth"]["microsoft"]["redirect_uri"] token_url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token" headers = { 'Content-Type': 'application/x-www-form-urlencoded' } body = { 'grant_type': 'authorization_code', 'response_type': 'id_token', 'code': auth_code, 'redirect_uri': redirect_uri, 'client_id': client_id, 'client_secret': client_secret, 'scope': 'openid profile email' } try: logger.info("Manual Log in logs start...") response = requests.post(token_url, headers=headers, data=body) response.raise_for_status() token_response = response.json() logger.info(f"Response token: {token_response}") logger.info(f"Context Headers: {st.context.headers.to_dict()}") logger.info(f"Context Cookes: {st.context.cookies.to_dict()}") logger.info(f"Experimental user: {st.experimental_user.to_dict()}") logger.info(f"Manual parameters: {st.query_params.to_dict()}") get_discovery_keys(token_response) except requests.exceptions.RequestException as error: logger.error(f"Error on gettin the token from code: {str(error)}") def manual_login(): tenant = st.secrets["auth"]["microsoft"]["tenant"] params = { "client_id": st.secrets["auth"]["microsoft"]["client_id"], "response_type": "code", "scope": "openid profile email", "state": "12345", "nonce": "678910", 'redirect_uri': st.secrets["auth"]["microsoft"]["redirect_uri"], "prompt": "select_account", } url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}" url_link = st.button("Manual Login",type="secondary") if url_link: st.markdown( f'<meta http-equiv="refresh" content="0; url={url}">', unsafe_allow_html=True ) if "code" in st.query_params: code = st.query_params["code"] logger.info("Getting token from code...") get_token_from_code(code) elif "error" in st.query_params: logger.error(f'Failed to get authorization code: {st.query_params.get("error")}') def streamlit_login(): if st.button("Streamlit Login"): tenant = st.secrets["auth"]["microsoft"]["tenant"] url = f"https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys" try: logger.info("Warming discovery keys...") response = requests.get(url=url) response.raise_for_status() except requests.exceptions.RequestException as error: logger.error(f"Error on warming the discovery keys: {str(error)}") st.login("microsoft") logger.info("Streamltit Log in logs without 'is_logged_in' start...") logger.info(f"Context Headers: {st.context.headers.to_dict()}") logger.info(f"Context Cookes: {st.context.cookies.to_dict()}") logger.info(f"Experimental user: {st.experimental_user.to_dict()}") logger.info(f"Streamlit parameters: {st.query_params.to_dict()}") logger.info("Streamltit Log in logs without 'is_logged_in' end.") if st.experimental_user.is_logged_in: st.write("Logged in with Streamlit Log In.") logger.info("Streamltit Log in logs with 'is_logged_in' start...") logger.info(f"Context Headers: {st.context.headers.to_dict()}") logger.info(f"Context Cookes: {st.context.cookies.to_dict()}") logger.info(f"Experimental user: {st.experimental_user.to_dict()}") logger.info(f"Streamlit parameters: {st.query_params.to_dict()}") logger.info("Streamltit Log in logs with 'is_logged_in' end.") if st.button("clear cookies"): st.logout() st.stop() def main(): pg = st.navigation( {"Home":[ st.Page( streamlit_login, title="Streamlit Login", ), st.Page( manual_login, title="Manual Authorization Setup" ) ] } ) pg.run() ``` ### Steps To Reproduce 1. Log In with `Streamlit Login` 2. Check the logs. ### Expected Behavior I expect the st.experimental_user.is_logged_in being set to `True` with all the user's details inside the JSON. ### Current Behavior There is no error message, but st.experimental_user.is_logged_in being set to `False`. Also the st.contex.cookies does not contain the `_streamlit_user` key that would be used for st.experimental_user. ### Is this a regression? - [ ] Yes, this used to work in a previous version. ### Debug info - Streamlit version: 1.44.0 - Python version: 3.11 - Operating System: Windows - Browser: Edge - Authlib>=1.3.2 ### Additional Information _No response_

giannismo · June 17, 2025, 9:43am

hello @mathcatsand, hope all good

Sharing an unusual behavior: Authentication succeeds when the application URL (i.e., without the /authcallback suffix) is also added as a Redirect URI in the Entra app registration. However, the behavior is not entirely stable—users may occasionally encounter a login loop. Typically, though, authentication succeeds after one retry.

To clarify: the redirect_uri value in secrets.toml remains unchanged and still includes the /oauth2callback path. Meanwhile, the Entra app registration includes both the base application URL and the URL with the /oauth2callback path as valid Redirect URIs.

mathcatsand · June 18, 2025, 3:00pm

Release 1.46.0 has a couple fixes that might impact st.login, so try updating and see if there’s still that inconsistency. If it’s still behaving oddly, I think you can go ahead and file a bug report at this point since it sounds like you’ll need to get further into the weeds to figure it out.

Topic		Replies	Views
St.login() with Microsoft Entra (ID) (streamlit>=1.42.0) Using Streamlit authentication , discussion	1	217	May 19, 2025
Unable to successfully login with st.login for app running with work tenant Using Streamlit authentication , debugging	0	111	March 18, 2025
Session State Not Persisting After Redirect - MSAL Authentication Issue in Streamlit Using Streamlit session-state , debugging	6	241	March 21, 2025
Persistent logins Using Streamlit cache , session-state , authentication	2	5059	November 12, 2023
Login persistence with Streamlit's built-in authentication on browser refresh? Deployment cache , streamlit-cloud , cookies , discussion	3	213	April 23, 2025

User Authenticaction

Related topics

Hello there 👋🏻

Cookie settings

Strictly necessary cookies

Performance cookies

Functional cookies

Targeting cookies