Support ADFS (pending PyMsalRuntime's ADFS support)

Experimental welcome_template support for testing
Adjust test cases to expect PyMsalRuntime failure on ADFS

Author: rayluo

msal/application.py

@@ -1593,10 +1593,16 @@ def acquire_token_interactive(
                     logger.warning(
                         "Ignoring parameter extra_scopes_to_consent, "
                         "which is not supported on current platform")
+                if "welcome_template" in kwargs:
+                    logger.debug(kwargs["welcome_template"])  # Experimental
                 response = _signin_interactively(
-                    "https://{}/{}".format(self.authority.instance, self.authority.tenant),  # TODO: What about B2C & ADFS?
+                    "https://{}/{}".format(self.authority.instance, self.authority.tenant),  # TODO: What about B2C?
                     self.client_id,
                     scopes,
+                    validateAuthority="no"
+                        if self.authority._validate_authority is False
+                        or self.authority.is_adfs
+                        else None,
                     login_hint=login_hint,
                     prompt=prompt,
                     claims=claims,

msal/authority.py

@@ -74,7 +74,8 @@ def __init__(self, authority_url, http_client, validate_authority=True):
         parts = authority.path.split('/')
         is_b2c = any(self.instance.endswith("." + d) for d in WELL_KNOWN_B2C_HOSTS) or (
             len(parts) == 3 and parts[2].lower().startswith("b2c_"))
-        if (tenant != "adfs" and (not is_b2c) and validate_authority
+        self._validate_authority = True if validate_authority is None else bool(validate_authority)
+        if (tenant != "adfs" and (not is_b2c) and self._validate_authority
                 and self.instance not in WELL_KNOWN_AUTHORITY_HOSTS):
             payload = instance_discovery(
                 "https://{}{}/oauth2/v2.0/authorize".format(

tests/test_e2e.py

@@ -685,9 +685,18 @@ def test_adfs2019_onprem_acquire_token_interactive(self):
         config["authority"] = "https://fs.%s.com/adfs" % config["lab_name"]
         config["scope"] = self.adfs2019_scopes
         config["port"] = 8080
-        self._test_acquire_token_interactive(
-            username_uri="https://msidlab.com/api/user?usertype=onprem&federationprovider=ADFSv2019",
-            **config)
+        username_uri = "https://msidlab.com/api/user?usertype=onprem&federationprovider=ADFSv2019"
+        try:
+            import pymsalruntime
+            logger.warning("Absorbing an AssertionError because PyMsalRuntime does not yet support onprem ADFS")
+            with self.assertRaises(AssertionError):  # Expecting a failure because
+                # PyMsalRuntime does not yet support on-prem ADFS.
+                # But if this expectation is not met,
+                # it would mean the latest PyMsalRuntime supports onprem ADFS.
+                # At that time we would revert this patch.
+                self._test_acquire_token_interactive(username_uri=username_uri, **config)
+        except ImportError:  # Then use browser-based interactive flow, which will work
+            self._test_acquire_token_interactive(username_uri=username_uri, **config)
 
     @unittest.skipUnless(
         os.getenv("LAB_OBO_CLIENT_SECRET"),