Remove automatic msa-pt for Azure CLI and Visual Studio

rayluo · rayluo · commit 28b45a394cec · 2022-09-29T19:14:45.000-07:00
diff --git a/msal/application.py b/msal/application.py
@@ -1766,6 +1766,17 @@ def acquire_token_interactive(
             - A dict containing an "error" key, when token refresh failed.
         """
         data = kwargs.pop("data", {})
+        enable_msa_passthrough = kwargs.pop(  # MUST remove it from kwargs
+            "enable_msa_passthrough",  # Keep it as a hidden param, for now.
+                # OPTIONAL. MSA-Passthrough is a legacy configuration,
+                # needed by a small amount of Microsoft first-party apps,
+                # which would login MSA accounts via ".../organizations" authority.
+                # If you app belongs to this category, AND you are enabling broker,
+                # you would want to enable this flag. Default value is False.
+                # More background of MSA-PT is available from this internal docs:
+                # https://microsoft.sharepoint.com/:w:/t/Identity-DevEx/EatIUauX3c9Ctw1l7AQ6iM8B5CeBZxc58eoQCE0IuZ0VFw?e=tgc3jP&CID=39c853be-76ea-79d7-ee73-f1b2706ede05
+            False
+            ) and data.get("token_type") != "ssh-cert"  # Work around a known issue as of PyMsalRuntime 0.8
         self._validate_ssh_cert_input_data(data)
         if not on_before_launching_ui:
             on_before_launching_ui = lambda **kwargs: None
@@ -1786,21 +1797,6 @@ def acquire_token_interactive(
                 logger.warning(
                     "Ignoring parameter extra_scopes_to_consent, "
                     "which is not supported by broker")
-            enable_msa_passthrough = kwargs.pop(
-                "enable_msa_passthrough",  # Keep it as a hidden param, for now.
-                    # OPTIONAL. MSA-Passthrough is a legacy configuration,
-                    # needed by a small amount of Microsoft first-party apps,
-                    # which would login MSA accounts via ".../organizations" authority.
-                    # If you app belongs to this category, AND you are enabling broker,
-                    # you would want to enable this flag. Default value is equivalent to False.
-                self.client_id in [
-                    # Experimental: Automatically enable MSA-PT mode for known MSA-PT apps
-                    # More background of MSA-PT is available from this internal docs:
-                    # https://microsoft.sharepoint.com/:w:/t/Identity-DevEx/EatIUauX3c9Ctw1l7AQ6iM8B5CeBZxc58eoQCE0IuZ0VFw?e=tgc3jP&CID=39c853be-76ea-79d7-ee73-f1b2706ede05
-                    "04b07795-8ddb-461a-bbee-02f9e1bf7b46",  # Azure CLI
-                    "04f0c124-f2bc-4f59-8241-bf6df9866bbd",  # Visual Studio
-                    ] and data.get("token_type") != "ssh-cert"  # Work around a known issue as of PyMsalRuntime 0.8
-                )
             return self._acquire_token_interactive_via_broker(
                 scopes,
                 parent_window_handle,
diff --git a/tests/msaltest.py b/tests/msaltest.py
@@ -1,6 +1,9 @@
 import getpass, logging, pprint, sys, msal
 
 
+AZURE_CLI = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
+VISUAL_STUDIO = "04f0c124-f2bc-4f59-8241-bf6df9866bbd"
+
 def _input_boolean(message):
     return input(
         "{} (N/n/F/f or empty means False, otherwise it is True): ".format(message)
@@ -81,6 +84,9 @@ def _acquire_token_interactive(app, scopes, data=None):
     result = app.acquire_token_interactive(
         scopes,
         parent_window_handle=app.CONSOLE_WINDOW_HANDLE,  # This test app is a console app
+        enable_msa_passthrough=app.client_id in [  # Apps are expected to set this right
+            AZURE_CLI, VISUAL_STUDIO,
+            ],  # Here this test app mimics the setting for some known MSA-PT apps
         prompt=prompt, login_hint=login_hint, data=data or {})
     if login_hint and "id_token_claims" in result:
         signed_in_user = result.get("id_token_claims", {}).get("preferred_username")
@@ -142,8 +148,8 @@ def exit(app):
 def main():
     print("Welcome to the Msal Python Console Test App, committed at 2022-5-2\n")
     chosen_app = _select_options([
-        {"client_id": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "name": "Azure CLI (Correctly configured for MSA-PT)"},
-        {"client_id": "04f0c124-f2bc-4f59-8241-bf6df9866bbd", "name": "Visual Studio (Correctly configured for MSA-PT)"},
+        {"client_id": AZURE_CLI, "name": "Azure CLI (Correctly configured for MSA-PT)"},
+        {"client_id": VISUAL_STUDIO, "name": "Visual Studio (Correctly configured for MSA-PT)"},
         {"client_id": "95de633a-083e-42f5-b444-a4295d8e9314", "name": "Whiteboard Services (Non MSA-PT app. Accepts AAD & MSA accounts.)"},
         ],
         option_renderer=lambda a: a["name"],
