Support ADFS (pending PyMsalRuntime's ADFS support)

rayluo · rayluo · commit c5c5e086f682 · 2022-02-02T00:30:27.000-08:00
Experimental welcome_template support for testing
Adjust test cases to expect PyMsalRuntime failure on ADFS
diff --git a/msal/application.py b/msal/application.py
@@ -1589,10 +1589,16 @@ def acquire_token_interactive(
                     logger.warning(
                         "Ignoring parameter extra_scopes_to_consent, "
                         "which is not supported on current platform")
+                if "welcome_template" in kwargs:
+                    logger.debug(kwargs["welcome_template"])  # Experimental
                 response = _signin_interactively(
-                    "https://{}/{}".format(self.authority.instance, self.authority.tenant),  # TODO: What about B2C & ADFS?
+                    "https://{}/{}".format(self.authority.instance, self.authority.tenant),  # TODO: What about B2C?
                     self.client_id,
                     scopes,
+                    validateAuthority="no"
+                        if self.authority._validate_authority is False
+                        or self.authority.is_adfs
+                        else None,
                     login_hint=login_hint,
                     prompt=prompt,
                     claims=claims,
diff --git a/msal/authority.py b/msal/authority.py
@@ -79,7 +79,8 @@ def __init__(self, authority_url, http_client, validate_authority=True):
         parts = authority.path.split('/')
         is_b2c = any(self.instance.endswith("." + d) for d in WELL_KNOWN_B2C_HOSTS) or (
             len(parts) == 3 and parts[2].lower().startswith("b2c_"))
-        if (tenant != "adfs" and (not is_b2c) and validate_authority
+        self._validate_authority = True if validate_authority is None else bool(validate_authority)
+        if (tenant != "adfs" and (not is_b2c) and self._validate_authority
                 and self.instance not in WELL_KNOWN_AUTHORITY_HOSTS):
             payload = instance_discovery(
                 "https://{}{}/oauth2/v2.0/authorize".format(
diff --git a/tests/test_e2e.py b/tests/test_e2e.py
@@ -86,7 +86,7 @@ def assertCacheWorksForUser(
         self.assertNotEqual(0, len(accounts))
         account = accounts[0]
         if ("scope" not in result_from_wire  # This is the usual case
-                or  # Authority server could reject some scopes
+                or  # Authority server could return different set of scopes
                 set(scope) <= set(result_from_wire["scope"].split(" "))
                 ):
             # Going to test acquire_token_silent(...) to locate an AT from cache
@@ -115,7 +115,7 @@ def assertCacheWorksForUser(
             #   result_from_wire['access_token'] != result_from_cache['access_token']
             # but ROPC in B2C tends to return the same AT we obtained seconds ago.
             # Now looking back, "refresh_token grant would return a brand new AT"
-            # was just an empirical observation but never a committment in specs,
+            # was just an empirical observation but never a commitment in specs,
             # so we adjust our way to assert here.
             (result_from_cache or {}).get("access_token"),
             "We should get an AT from acquire_token_silent(...) call")
@@ -683,9 +683,18 @@ def test_adfs2019_onprem_acquire_token_interactive(self):
         config["authority"] = "https://fs.%s.com/adfs" % config["lab_name"]
         config["scope"] = self.adfs2019_scopes
         config["port"] = 8080
-        self._test_acquire_token_interactive(
-            username_uri="https://msidlab.com/api/user?usertype=onprem&federationprovider=ADFSv2019",
-            **config)
+        username_uri = "https://msidlab.com/api/user?usertype=onprem&federationprovider=ADFSv2019"
+        try:
+            import pymsalruntime
+            logger.warning("Absorbing an AssertionError because PyMsalRuntime does not yet support onprem ADFS")
+            with self.assertRaises(AssertionError):  # Expecting a failure because
+                # PyMsalRuntime does not yet support on-prem ADFS.
+                # But if this expectation is not met,
+                # it would mean the latest PyMsalRuntime supports onprem ADFS.
+                # At that time we would revert this patch.
+                self._test_acquire_token_interactive(username_uri=username_uri, **config)
+        except ImportError:  # Then use browser-based interactive flow, which will work
+            self._test_acquire_token_interactive(username_uri=username_uri, **config)
 
     @unittest.skipUnless(
         os.getenv("LAB_OBO_CLIENT_SECRET"),
