Finalize the design

Author: rayluo

msal/application.py

@@ -982,7 +982,7 @@ def get_accounts(self, username=None):
             # In Cloud Shell, user already signed in w/ an account [email protected]
             # We pretend we have that account, for acquire_token_silent() to work.
             # Note: If user calls acquire_token_by_xyz() with same account later,
-            # the get_accounts() would return multiple accounts to calling app,
+            # the get_accounts(username=None) would return multiple accounts,
             # with different usernames: [email protected] and CURRENT_USER.
             accounts.insert(0, cloud_shell_pseudo_account)
         # Does not further filter by existing RTs here. It probably won't matter.
@@ -1149,20 +1149,7 @@ def acquire_token_silent_with_error(
         assert isinstance(scopes, list), "Invalid parameter type"
         self._validate_ssh_cert_input_data(kwargs.get("data", {}))
 
-        # TODO: TBD
-        # Currently, the following implementation activates Cloud Shell (CS) code path
-        # when a pseudo account was specified.
-        # But when/if the user signs in explicitly (such as "az login") with SAME account,
-        # to obtain tokens with scope(s) not supported by Cloud Shell's IMDS,
-        # the user would end up with one real account and still one pseudo account,
-        # both with same username.
-        # It would become unrealistic for end user to reason why
-        # the pseudo "default user" account would go one code path,
-        # and the real account would go another.
-        # I will probably refactor to automatically group Cloud Shell's default account
-        # and the real account into one, if they have same username.
-        # And then, acquire_token_silent() will always try real account if RT is available,
-        # and fallback to the Cloud Shell code path.
+        # The special code path only for _CLOUD_SHELL_USER
         if account and account.get("home_account_id") == _CLOUD_SHELL_USER:
             # Since we don't currently store cloud shell tokens in MSAL's cache,
             # we can have a shortcut here, and semantically bypass all those

msal/cloudshell.py

@@ -43,15 +43,14 @@ def _scope_to_resource(scope):
         "https://azuredatabricks.net/",
         "ce34e7e5-485f-4d76-964f-b3d2b16d1e4f",
         "https://azure-devices-provisioning.net"
-        ]
+        ]  # TODO: Cloud Shell IMDS will remove that list soon. What shall we do then?
     for a in cloud_shell_supported_audiences:
         if scope.startswith(a):  # This is an experimental approach
             return a
     return scope  # Some scope would work as-is, such as the SSH Cert scope
 
 
 def _acquire_token(http_client, scopes, **kwargs):
-    kwargs.pop("correlation_id", None)  # IMDS does not use correlation_id
     resp = http_client.post(
         "http://localhost:50342/oauth2/token",
         data=dict(
@@ -72,6 +71,11 @@ def _acquire_token(http_client, scopes, **kwargs):
         "expires_in": int(payload["expires_in"]),
         "token_type": payload.get("token_type", "Bearer"),
         }
+    ## Note: Decided to not surface resource back as scope,
+    ##       because they would cause the downstream OAuth2 code path to
+    ##       cache the token with a different scope and won't hit them later.
+    #if payload.get("resource"):
+    #    oauth2_response["scope"] = payload["resource"]
     if payload.get("refresh_token"):
         oauth2_response["refresh_token"] = payload["refresh_token"]
     return oauth2_response