Merge branch 'dev' into cloudshell-imds

Author: rayluo

.github/workflows/python-package.yml

@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [2.7, 3.5, 3.6, 3.7, 3.8, 3.9]
+        python-version: [2.7, 3.5, 3.6, 3.7, 3.8, 3.9, "3.10", "3.11.0-alpha.5"]
 
     steps:
     - uses: actions/checkout@v2

README.md

@@ -18,7 +18,7 @@ Quick links:
 
 Click on the following thumbnail to visit a large map with clickable links to proper samples.
 
-[![Map effect won't work inside github's markdown file, so we have to use a thumbnail here to lure audience to a real static website](docs/thumbnail.png)](https://msal-python.readthedocs.io/en/latest/)
+[![Map effect won't work inside github's markdown file, so we have to use a thumbnail here to lure audience to a real static website](https://raw.githubusercontent.com/AzureAD/microsoft-authentication-library-for-python/dev/docs/thumbnail.png)](https://msal-python.readthedocs.io/en/latest/)
 
 ## Installation
 

msal/application.py

@@ -11,8 +11,6 @@
 from threading import Lock
 import os
 
-import requests
-
 from .oauth2cli import Client, JwtAssertionCreator
 from .oauth2cli.oidc import decode_part
 from .authority import Authority
@@ -28,7 +26,7 @@
 
 
 # The __init__.py will import this. Not the other way around.
-__version__ = "1.16.0"
+__version__ = "1.17.0"  # When releasing, also check and bump our dependencies's versions if needed
 
 logger = logging.getLogger(__name__)
 CURRENT_USER = "Current User"  # The value is subject to change
@@ -84,6 +82,10 @@ def _preferred_browser():
     if sys.platform != "linux":  # On other platforms, we have no browser preference
         return None
     browser_path = "/usr/bin/microsoft-edge"  # Use a full path owned by sys admin
+        # Note: /usr/bin/microsoft-edge, /usr/bin/microsoft-edge-stable, etc.
+        # are symlinks that point to the actual binaries which are found under
+        # /opt/microsoft/msedge/msedge or /opt/microsoft/msedge-beta/msedge.
+        # Either method can be used to detect an Edge installation.
     user_has_no_preference = "BROWSER" not in os.environ
     user_wont_mind_edge = "microsoft-edge" in os.environ.get("BROWSER", "")  # Note:
         # BROWSER could contain "microsoft-edge" or "/path/to/microsoft-edge".
@@ -431,6 +433,8 @@ def __init__(
         if http_client:
             self.http_client = http_client
         else:
+            import requests  # Lazy load
+
             self.http_client = requests.Session()
             self.http_client.verify = verify
             self.http_client.proxies = proxies

msal/authority.py

@@ -5,11 +5,6 @@
     from urlparse import urlparse
 import logging
 
-# Historically some customers patched this module-wide requests instance.
-# We keep it here for now. They will be removed in next major release.
-import requests
-import requests as _requests
-
 from .exceptions import MsalServiceError
 
 
@@ -27,7 +22,6 @@
     AZURE_CHINA,
     'login-us.microsoftonline.com',
     AZURE_US_GOVERNMENT,
-    'login.microsoftonline.de',
     ])
 WELL_KNOWN_B2C_HOSTS = [
     "b2clogin.com",
@@ -59,9 +53,10 @@ class Authority(object):
     _domains_without_user_realm_discovery = set([])
 
     @property
-    def http_client(self):  # Obsolete. We will remove this in next major release.
-        # A workaround: if module-wide requests is patched, we honor it.
-        return self._http_client if requests is _requests else requests
+    def http_client(self):  # Obsolete. We will remove this eventually
+        warnings.warn(
+            "authority.http_client might be removed in MSAL Python 1.21+", DeprecationWarning)
+        return self._http_client
 
     def __init__(self, authority_url, http_client, validate_authority=True):
         """Creates an authority instance, and also validates it.
@@ -84,7 +79,7 @@ def __init__(self, authority_url, http_client, validate_authority=True):
             payload = instance_discovery(
                 "https://{}{}/oauth2/v2.0/authorize".format(
                     self.instance, authority.path),
-                self.http_client)
+                self._http_client)
             if payload.get("error") == "invalid_instance":
                 raise ValueError(
                     "invalid_instance: "
@@ -104,12 +99,13 @@ def __init__(self, authority_url, http_client, validate_authority=True):
         try:
             openid_config = tenant_discovery(
                 tenant_discovery_endpoint,
-                self.http_client)
+                self._http_client)
         except ValueError:
             raise ValueError(
                 "Unable to get authority configuration for {}. "
                 "Authority would typically be in a format of "
-                "https://login.microsoftonline.com/your_tenant_name".format(
+                "https://login.microsoftonline.com/your_tenant "
+                "Also please double check your tenant name or GUID is correct.".format(
                 authority_url))
         logger.debug("openid_config = %s", openid_config)
         self.authorization_endpoint = openid_config['authorization_endpoint']
@@ -123,7 +119,7 @@ def user_realm_discovery(self, username, correlation_id=None, response=None):
         # "federation_protocol", "cloud_audience_urn",
         # "federation_metadata_url", "federation_active_auth_url", etc.
         if self.instance not in self.__class__._domains_without_user_realm_discovery:
-            resp = response or self.http_client.get(
+            resp = response or self._http_client.get(
                 "https://{netloc}/common/userrealm/{username}?api-version=1.0".format(
                     netloc=self.instance, username=username),
                 headers={'Accept': 'application/json',
@@ -170,7 +166,10 @@ def tenant_discovery(tenant_discovery_endpoint, http_client, **kwargs):
     if 400 <= resp.status_code < 500:
         # Nonexist tenant would hit this path
         # e.g. https://login.microsoftonline.com/nonexist_tenant/v2.0/.well-known/openid-configuration
-        raise ValueError("OIDC Discovery endpoint rejects our request")
+        raise ValueError(
+            "OIDC Discovery endpoint rejects our request. Error: {}".format(
+                resp.text  # Expose it as-is b/c OIDC defines no error response format
+            ))
     # Transient network error would hit this path
     resp.raise_for_status()
     raise RuntimeError(  # A fallback here, in case resp.raise_for_status() is no-op

msal/oauth2cli/assertion.py

@@ -4,8 +4,6 @@
 import uuid
 import logging
 
-import jwt
-
 
 logger = logging.getLogger(__name__)
 
@@ -99,6 +97,7 @@ def create_normal_assertion(
         Parameters are defined in https://tools.ietf.org/html/rfc7523#section-3
         Key-value pairs in additional_claims will be added into payload as-is.
         """
+        import jwt  # Lazy loading
         now = time.time()
         payload = {
             'aud': audience,

msal/oauth2cli/oauth2.py

@@ -17,8 +17,6 @@
 import string
 import hashlib
 
-import requests
-
 from .authcode import AuthCodeReceiver as _AuthCodeReceiver
 
 try:
@@ -159,6 +157,8 @@ def __init__(
                     "when http_client is in use")
             self._http_client = http_client
         else:
+            import requests  # Lazy loading
+
             self._http_client = requests.Session()
             self._http_client.verify = True if verify is None else verify
             self._http_client.proxies = proxies

msal/oauth2cli/oidc.py

@@ -44,10 +44,11 @@ def decode_id_token(id_token, client_id=None, issuer=None, nonce=None, now=None)
     err = None  # https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
     _now = int(now or time.time())
     skew = 120  # 2 minutes
+    TIME_SUGGESTION = "Make sure your computer's time and time zone are both correct."
     if _now + skew < decoded.get("nbf", _now - 1):  # nbf is optional per JWT specs
         # This is not an ID token validation, but a JWT validation
         # https://tools.ietf.org/html/rfc7519#section-4.1.5
-        err = "0. The ID token is not yet valid."
+        err = "0. The ID token is not yet valid. " + TIME_SUGGESTION
     if issuer and issuer != decoded["iss"]:
         # https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
         err = ('2. The Issuer Identifier for the OpenID Provider, "%s", '
@@ -68,7 +69,7 @@ def decode_id_token(id_token, client_id=None, issuer=None, nonce=None, now=None)
     # the TLS server validation MAY be used to validate the issuer
     # in place of checking the token signature.
     if _now - skew > decoded["exp"]:
-        err = "9. The current time MUST be before the time represented by the exp Claim."
+        err = "9. The ID token already expires. " + TIME_SUGGESTION
     if nonce and nonce != decoded.get("nonce"):
         err = ("11. Nonce must be the same value "
             "as the one that was sent in the Authentication Request.")

msal/wstrust_request.py

@@ -44,8 +44,9 @@ def send_request(
             soap_action = Mex.ACTION_2005
         elif '/trust/13/usernamemixed' in endpoint_address:
             soap_action = Mex.ACTION_13
-    assert soap_action in (Mex.ACTION_13, Mex.ACTION_2005), (  # A loose check here
-        "Unsupported soap action: %s" % soap_action)
+    if soap_action not in (Mex.ACTION_13, Mex.ACTION_2005):
+        raise ValueError("Unsupported soap action: %s. "
+            "Contact your administrator to check your ADFS's MEX settings." % soap_action)
     data = _build_rst(
         username, password, cloud_audience_urn, endpoint_address, soap_action)
     resp = http_client.post(endpoint_address, data=data, headers={

sample/interactive_sample.py

@@ -53,7 +53,7 @@
 if not result:
     logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
     print("A local browser window will be open for you to sign in. CTRL+C to cancel.")
-    result = app.acquire_token_interactive(
+    result = app.acquire_token_interactive(  # Only works if your app is registered with redirect_uri as http://localhost
         config["scope"],
         login_hint=config.get("username"),  # Optional.
             # If you know the username ahead of time, this parameter can pre-fill

setup.py

@@ -63,6 +63,7 @@
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
         'Programming Language :: Python :: 3.9',
+        'Programming Language :: Python :: 3.10',
         'License :: OSI Approved :: MIT License',
         'Operating System :: OS Independent',
     ],
@@ -75,7 +76,7 @@
         'requests>=2.0.0,<3',
         'PyJWT[crypto]>=1.0.0,<3',
 
-        'cryptography>=0.6,<38',
+        'cryptography>=0.6,<39',
             # load_pem_private_key() is available since 0.6
             # https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst#06---2014-09-29
             #

tests/msaltest.py

@@ -0,0 +1,158 @@
+import getpass, logging, pprint, sys, msal
+
+
+def _input_boolean(message):
+    return input(
+        "{} (N/n/F/f or empty means False, otherwise it is True): ".format(message)
+        ) not in ('N', 'n', 'F', 'f', '')
+
+def _input(message, default=None):
+    return input(message.format(default=default)).strip() or default
+
+def _select_options(
+        options, header="Your options:", footer="    Your choice? ", option_renderer=str,
+        accept_nonempty_string=False,
+        ):
+    assert options, "options must not be empty"
+    if header:
+        print(header)
+    for i, o in enumerate(options, start=1):
+        print("    {}: {}".format(i, option_renderer(o)))
+    if accept_nonempty_string:
+        print("    Or you can just type in your input.")
+    while True:
+        raw_data = input(footer)
+        try:
+            choice = int(raw_data)
+            if 1 <= choice <= len(options):
+                return options[choice - 1]
+        except ValueError:
+            if raw_data and accept_nonempty_string:
+                return raw_data
+
+def _input_scopes():
+    return _select_options([
+        "https://graph.microsoft.com/.default",
+        "https://management.azure.com/.default",
+        "User.Read",
+        "User.ReadBasic.All",
+        ],
+        header="Select a scope (multiple scopes can only be input by manually typing them):",
+        accept_nonempty_string=True,
+        ).split()
+
+def _select_account(app):
+    accounts = app.get_accounts()
+    if accounts:
+        return _select_options(
+            accounts,
+            option_renderer=lambda a: a["username"],
+            header="Account(s) already signed in inside MSAL Python:",
+            )
+    else:
+        print("No account available inside MSAL Python. Use other methods to acquire token first.")
+
+def acquire_token_silent(app):
+    """acquire_token_silent() - with an account already signed into MSAL Python."""
+    account = _select_account(app)
+    if account:
+        pprint.pprint(app.acquire_token_silent(
+            _input_scopes(),
+            account=account,
+            force_refresh=_input_boolean("Bypass MSAL Python's token cache?"),
+            ))
+
+def acquire_token_interactive(app):
+    """acquire_token_interactive() - User will be prompted if app opts to do select_account."""
+    pprint.pprint(app.acquire_token_interactive(
+        _input_scopes(),
+        prompt="select_account" if _input_boolean("Select Account?") else None,
+        login_hint=_input("login_hint: ") or None,
+        ))
+
+def acquire_token_by_username_password(app):
+    """acquire_token_by_username_password() - See constraints here: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows#constraints-for-ropc"""
+    pprint.pprint(app.acquire_token_by_username_password(
+        _input("username: "), getpass.getpass("password: "), scopes=_input_scopes()))
+
+_JWK1 = """{"kty":"RSA", "n":"2tNr73xwcj6lH7bqRZrFzgSLj7OeLfbn8216uOMDHuaZ6TEUBDN8Uz0ve8jAlKsP9CQFCSVoSNovdE-fs7c15MxEGHjDcNKLWonznximj8pDGZQjVdfK-7mG6P6z-lgVcLuYu5JcWU_PeEqIKg5llOaz-qeQ4LEDS4T1D2qWRGpAra4rJX1-kmrWmX_XIamq30C9EIO0gGuT4rc2hJBWQ-4-FnE1NXmy125wfT3NdotAJGq5lMIfhjfglDbJCwhc8Oe17ORjO3FsB5CLuBRpYmP7Nzn66lRY3Fe11Xz8AEBl3anKFSJcTvlMnFtu3EpD-eiaHfTgRBU7CztGQqVbiQ", "e":"AQAB"}"""
+SSH_CERT_DATA = {"token_type": "ssh-cert", "key_id": "key1", "req_cnf": _JWK1}
+SSH_CERT_SCOPE = ["https://pas.windows.net/CheckMyAccess/Linux/.default"]
+
+def acquire_ssh_cert_silently(app):
+    """Acquire an SSH Cert silently- This typically only works with Azure CLI"""
+    account = _select_account(app)
+    if account:
+        result = app.acquire_token_silent(
+            SSH_CERT_SCOPE,
+            account,
+            data=SSH_CERT_DATA,
+            force_refresh=_input_boolean("Bypass MSAL Python's token cache?"),
+            )
+        pprint.pprint(result)
+        if result and result.get("token_type") != "ssh-cert":
+            logging.error("Unable to acquire an ssh-cert.")
+
+def acquire_ssh_cert_interactive(app):
+    """Acquire an SSH Cert interactively - This typically only works with Azure CLI"""
+    result = app.acquire_token_interactive(
+        SSH_CERT_SCOPE,
+        prompt="select_account" if _input_boolean("Select Account?") else None,
+        login_hint=_input("login_hint: ") or None,
+        data=SSH_CERT_DATA,
+        )
+    pprint.pprint(result)
+    if result.get("token_type") != "ssh-cert":
+        logging.error("Unable to acquire an ssh-cert")
+
+def remove_account(app):
+    """remove_account() - Invalidate account and/or token(s) from cache, so that acquire_token_silent() would be reset"""
+    account = _select_account(app)
+    if account:
+        app.remove_account(account)
+        print('Account "{}" and/or its token(s) are signed out from MSAL Python'.format(account["username"]))
+
+def exit(_):
+    """Exit"""
+    print("Bye")
+    sys.exit()
+
+def main():
+    print("Welcome to the Msal Python Console Test App")
+    chosen_app = _select_options([
+        {"client_id": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "name": "Azure CLI"},
+        {"client_id": "04f0c124-f2bc-4f59-8241-bf6df9866bbd", "name": "Visual Studio (Correctly configured for MSA-PT)"},
+        ],
+        option_renderer=lambda a: a["name"],
+        header="Impersonate this app (or you can type in the client_id of your own app)",
+        accept_nonempty_string=True)
+    app = msal.PublicClientApplication(
+        chosen_app["client_id"] if isinstance(chosen_app, dict) else chosen_app,
+        authority=_select_options([
+            "https://login.microsoftonline.com/common",
+            "https://login.microsoftonline.com/organizations",
+            "https://login.microsoftonline.com/microsoft.onmicrosoft.com",
+            "https://login.microsoftonline.com/msidlab4.onmicrosoft.com",
+            "https://login.microsoftonline.com/consumers",
+            ], header="Input authority", accept_nonempty_string=True),
+        )
+    if _input_boolean("Enable MSAL Python's DEBUG log?"):
+        logging.basicConfig(level=logging.DEBUG)
+    while True:
+        func = _select_options([
+            acquire_token_silent,
+            acquire_token_interactive,
+            acquire_token_by_username_password,
+            acquire_ssh_cert_silently,
+            acquire_ssh_cert_interactive,
+            remove_account,
+            exit,
+            ], option_renderer=lambda f: f.__doc__, header="MSAL Python APIs:")
+        try:
+            func(app)
+        except KeyboardInterrupt:  # Useful for bailing out a stuck interactive flow
+            print("Aborted")
+
+if __name__ == "__main__":
+    main()
+