@@ -470,6 +470,9 @@ def __init__(
470470 self .http_client , validate_authority = False )
471471 else :
472472 raise
473+ self ._enable_broker = (
474+ isinstance (self , PublicClientApplication ) # Exclude Confidential ROPC
475+ and sys .platform == "win32" and not self .authority .is_adfs )
473476
474477 self .token_cache = token_cache or TokenCache ()
475478 self ._region_configured = azure_region
@@ -1221,7 +1224,8 @@ def _acquire_token_silent_from_cache_and_possibly_refresh_it(
12211224 refresh_reason = msal .telemetry .FORCE_REFRESH # TODO: It could also mean claims_challenge
12221225 assert refresh_reason , "It should have been established at this point"
12231226 try :
1224- if sys .platform == "win32" :
1227+ if self ._enable_broker : # If interactive flow or ROPC were not through broker,
1228+ # the _acquire_token_silently() is unlikely to locate the account.
12251229 try :
12261230 from .wam import _acquire_token_silently
12271231 response = _acquire_token_silently (
@@ -1432,14 +1436,43 @@ def acquire_token_by_username_password(
14321436 - A successful response would contain "access_token" key,
14331437 - an error response would contain "error" and usually "error_description".
14341438 """
1439+ claims = _merge_claims_challenge_and_capabilities (
1440+ self ._client_capabilities , claims_challenge )
1441+ if self ._enable_broker :
1442+ try :
1443+ from .wam import _signin_silently , RedirectUriError
1444+ response = _signin_silently (
1445+ "https://{}/{}" .format (self .authority .instance , self .authority .tenant ), # TODO: What about B2C?
1446+ self .client_id ,
1447+ scopes , # Decorated scopes won't work due to offline_access
1448+ MSALRuntime_Username = username ,
1449+ MSALRuntime_Password = password ,
1450+ validateAuthority = "no"
1451+ if self .authority ._validate_authority is False
1452+ or self .authority .is_adfs
1453+ else None ,
1454+ claims = claims ,
1455+ )
1456+ if "error" not in response :
1457+ self .token_cache .add (dict (
1458+ client_id = self .client_id ,
1459+ scope = response ["scope" ].split () if "scope" in response else scopes ,
1460+ token_endpoint = self .authority .token_endpoint ,
1461+ response = response .copy (),
1462+ data = kwargs .get ("data" , {}),
1463+ _account_id = response ["_account_id" ],
1464+ ))
1465+ return _clean_up (response )
1466+ except ImportError :
1467+ logger .warning ("PyMsalRuntime is not available" )
1468+ except RedirectUriError as e : # Experimental: Catch, log, and fallback
1469+ logger .warning (str (e ) + " Now we fallback to use non-broker." )
1470+
14351471 scopes = self ._decorate_scope (scopes )
14361472 telemetry_context = self ._build_telemetry_context (
14371473 self .ACQUIRE_TOKEN_BY_USERNAME_PASSWORD_ID )
14381474 headers = telemetry_context .generate_headers ()
1439- data = dict (
1440- kwargs .pop ("data" , {}),
1441- claims = _merge_claims_challenge_and_capabilities (
1442- self ._client_capabilities , claims_challenge ))
1475+ data = dict (kwargs .pop ("data" , {}), claims = claims )
14431476 if not self .authority .is_adfs :
14441477 user_realm_result = self .authority .user_realm_discovery (
14451478 username , correlation_id = headers [msal .telemetry .CLIENT_REQUEST_ID ])
@@ -1586,7 +1619,7 @@ def acquire_token_interactive(
15861619 """
15871620 claims = _merge_claims_challenge_and_capabilities (
15881621 self ._client_capabilities , claims_challenge )
1589- if sys . platform == "win32" :
1622+ if self . _enable_broker :
15901623 try :
15911624 from .wam import _signin_interactively , RedirectUriError
15921625 if extra_scopes_to_consent : # TODO: Not supported in WAM/Mid-tier
0 commit comments