Broker did not output token_type, we have to DIY

rayluo · rayluo · commit 389042f309c4 · 2022-05-26T18:17:43.000-07:00
diff --git a/msal/application.py b/msal/application.py
@@ -1289,6 +1289,7 @@ def _acquire_token_silent_from_cache_and_possibly_refresh_it(
                 except RuntimeError:  # TODO: TBD
                     logger.debug("Broker is unavailable on this platform. Fallback to non-broker.")
                 else:
+                    data = kwargs.get("data", {})
                     response = _acquire_token_silently(
                         "https://{}/{}".format(self.authority.instance, self.authority.tenant),
                         self.client_id,
@@ -1297,10 +1298,9 @@ def _acquire_token_silent_from_cache_and_possibly_refresh_it(
                         claims=_merge_claims_challenge_and_capabilities(
                             self._client_capabilities, claims_challenge),
                         correlation_id=correlation_id,
-                        )
-                    if response:  # The broker provided a decisive outcome for this account
-                        return self._process_broker_response(  # Then we use it
-                            response, scopes, kwargs.get("data", {}))
+						**data)
+                    if response:  # The broker provided a decisive outcome, so we use it
+                        return self._process_broker_response(response, scopes, data)
 
             result = _clean_up(self._acquire_token_silent_by_finding_rt_belongs_to_me_or_my_family(
                 authority, self._decorate_scope(scopes), account,
diff --git a/msal/broker.py b/msal/broker.py
@@ -80,7 +80,7 @@ def _read_account_by_id(account_id, correlation_id):
         or None)  # None happens when the account was not created by broker
 
 
-def _convert_result(result, client_id):  # Mimic an on-the-wire response from AAD
+def _convert_result(result, client_id, expected_token_type=None):  # Mimic an on-the-wire response from AAD
     error = result.get_error()
     if error:
         return _convert_error(error, client_id)
@@ -95,8 +95,11 @@ def _convert_result(result, client_id):  # Mimic an on-the-wire response from AA
         "id_token_claims": id_token_claims,
         "client_info": account.get_client_info(),
         "_account_id": account.get_account_id(),
-		"token_type": "Bearer",  # Hardcoded, for now. It is unavailable from broker.
+		"token_type": expected_token_type or "Bearer",  # Workaround its absence from broker
         }.items() if v}
+    likely_a_cert = return_value["access_token"].startswith("AAAA")  # Empirical observation
+    if return_value["token_type"].lower() == "ssh-cert" and not likely_a_cert:
+        logger.warn("Looks like we could not get an SSH Cert")
     granted_scopes = result.get_granted_scopes()  # New in pymsalruntime 0.3.x
     if granted_scopes:
         return_value["scope"] = " ".join(granted_scopes)  # Mimic the on-the-wire data format
@@ -130,7 +133,8 @@ def _signin_silently(
         correlation_id or _get_new_correlation_id(),
         lambda result, callback_data=callback_data: callback_data.complete(result))
     callback_data.signal.wait()
-    return _convert_result(callback_data.result, client_id)
+    return _convert_result(
+        callback_data.result, client_id, expected_token_type=kwargs.get("token_type"))
 
 
 def _signin_interactively(
@@ -173,11 +177,13 @@ def _signin_interactively(
         login_hint,  # None value will be accepted since pymsalruntime 0.3+
         lambda result, callback_data=callback_data: callback_data.complete(result))
     callback_data.signal.wait()
-    return _convert_result(callback_data.result, client_id)
+    return _convert_result(
+        callback_data.result, client_id, expected_token_type=kwargs.get("token_type"))
 
 
 def _acquire_token_silently(
-        authority, client_id, account_id, scopes, claims=None, correlation_id=None):
+        authority, client_id, account_id, scopes, claims=None, correlation_id=None,
+        **kwargs):
     correlation_id = correlation_id or _get_new_correlation_id()
     account = _read_account_by_id(account_id, correlation_id)
     if isinstance(account, pymsalruntime.MSALRuntimeError):
@@ -188,14 +194,18 @@ def _acquire_token_silently(
     params.set_requested_scopes(scopes)
     if claims:
         params.set_decoded_claims(claims)
+    for k, v in kwargs.items():  # This can be used to support domain_hint, max_age, etc.
+        if v is not None:
+            params.set_additional_parameter(k, str(v))
     callback_data = _CallbackData()
     pymsalruntime.acquire_token_silently(
         params,
         correlation_id,
         account,
         lambda result, callback_data=callback_data: callback_data.complete(result))
     callback_data.signal.wait()
-    return _convert_result(callback_data.result, client_id)
+    return _convert_result(
+        callback_data.result, client_id, expected_token_type=kwargs.get("token_type"))
 
 
 def _acquire_token_interactively(
