Acquire token interactive using system browser #260

Merged: 1 commit, Dec 3, 2020
74 changes: 73 additions & 1 deletion msal/application.py
Expand Up @@ -107,6 +107,7 @@ class ClientApplication(object):
ACQUIRE_TOKEN_BY_DEVICE_FLOW_ID = "622"
ACQUIRE_TOKEN_FOR_CLIENT_ID = "730"
ACQUIRE_TOKEN_BY_AUTHORIZATION_CODE_ID = "832"
ACQUIRE_TOKEN_INTERACTIVE = "169"
GET_ACCOUNTS_ID = "902"
REMOVE_ACCOUNT_ID = "903"

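Review bot: the new constant `ACQUIRE_TOKEN_INTERACTIVE = "169"` breaks the naming pattern of its neighbours, which all carry an `_ID` suffix (`ACQUIRE_TOKEN_BY_DEVICE_FLOW_ID`, `ACQUIRE_TOKEN_FOR_CLIENT_ID`, `ACQUIRE_TOKEN_BY_AUTHORIZATION_CODE_ID`); renaming it `ACQUIRE_TOKEN_INTERACTIVE_ID`, and updating the single use in `_build_current_telemetry_request_header(self.ACQUIRE_TOKEN_INTERACTIVE)` further down, keeps the telemetry API-id table consistent.
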
Expand Down Expand Up @@ -318,7 +319,6 @@ def initiate_auth_code_flow(

:param list scope:
It is a list of case-sensitive strings.
Some ID provider can accept empty string to represent default scope.
:param str redirect_uri:
Optional. If not specified, server will use the pre-registered one.
:param str state:
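Review bot: this hunk deletes the sentence "Some ID provider can accept empty string to represent default scope." from the `scope` documentation of `initiate_auth_code_flow` without replacing it, so the empty-string behaviour becomes undocumented; if the sentence was removed because it is inaccurate, the commit message should say so, otherwise the sentence should stay (the new `acquire_token_interactive` docstring below also omits it, so the two should at least agree).
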
Expand Down Expand Up @@ -998,6 +998,78 @@ def __init__(self, client_id, client_credential=None, **kwargs):
super(PublicClientApplication, self).__init__(
client_id, client_credential=None, **kwargs)

def acquire_token_interactive(
self,
scopes, # type: list[str]
prompt=None,
login_hint=None, # type: Optional[str]
domain_hint=None, # type: Optional[str]
claims_challenge=None,
timeout=None,
port=None,
**kwargs):
"""Acquire token interactively i.e. via a local browser.

:param list scope:
It is a list of case-sensitive strings.
:param str prompt:
By default, no prompt value will be sent, not even "none".
You will have to specify a value explicitly.
Its valid values are defined in Open ID Connect specs
https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
:param str login_hint:
Optional. Identifier of the user. Generally a User Principal Name (UPN).
:param domain_hint:
Can be one of "consumers" or "organizations" or your tenant domain "contoso.com".
If included, it will skip the email-based discovery process that user goes
through on the sign-in page, leading to a slightly more streamlined user experience.
More information on possible values
`here <https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-authorization-code>`_ and
`here <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-oapx/86fb452d-e34a-494e-ac61-e526e263b6d8>`_.

:param claims_challenge:
The claims_challenge parameter requests specific claims requested by the resource provider
in the form of a claims_challenge directive in the www-authenticate header to be
returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token.
It is a string of a JSON object which contains lists of claims being requested from these locations.

:param int timeout:
This method will block the current thread.
This parameter specifies the timeout value in seconds.
Default value ``None`` means wait indefinitely.

:param int port:
The port to be used to listen to an incoming auth response.
By default we will use a system-allocated port.
(The rest of the redirect_uri is hard coded as ``http://localhost``.)

:return:
- A dict containing no "error" key,
and typically contains an "access_token" key,
if cache lookup succeeded.
- A dict containing an "error" key, when token refresh failed.
"""
self._validate_ssh_cert_input_data(kwargs.get("data", {}))
claims = _merge_claims_challenge_and_capabilities(
self._client_capabilities, claims_challenge)
return self.client.obtain_token_by_browser(
scope=decorate_scope(scopes, self.client_id) if scopes else None,
redirect_uri="http://localhost:{port}".format(
# Hardcode the host, for now. AAD portal rejects 127.0.0.1 anyway
port=port or 0),
@jiasli (Contributor), Oct 14, 2021:
Such a brilliant solution to use port 0 to pick an unused port, such as

https://docs.python.org/3/library/socketserver.html#asynchronous-mixins

    # Port 0 means to select an arbitrary unused port
    HOST, PORT = "localhost", 0

This avoids the unnecessary complexity of dealing with port occupation on Windows (Azure/azure-cli#10955) and try-next-port logic (Azure/azure-cli#6593).

Collaborator replied:
Thank you for noticing this subtle implementation detail. The try-next-port logic was an easy way out, but it was not only just more "unnecessarily complex", it also has a potential race condition. The port-0 approach, on the contrary, wasn't obvious at the beginning. It took us some dedication to find it. This reminds me again of C.A.R. Hoare's quote. :-)

@jiasli (Contributor), Oct 15, 2021:
I read another article about this topic: https://gavv.github.io/articles/ephemeral-port-reuse/

Note that when some application uses bind to allocate an ephemeral port for a TCP socket, and then immediately calls listen, there is still a short period of time when the socket is in the non-listening state.

Thus, to prevent the probability of stealing a port of a random running application, take care not to accidentally enable SO_REUSEADDR when using ephemeral ports, both for UDP and TCP sockets.

Also https://stackoverflow.com/a/23303544/2199657

By default, the kernel will not reuse any in-use port for an ephemeral port, which may result in failures if you have 64K+ simultaneous ports in use.

You can explicitly reuse a port by using the SO_REUSEADDR socket option and explicitly binding to the same port. This only works if none of the ports are listening (you can't reuse a listening port), and if you connect each socket to a different remote address.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=174087

Problem #2 is that the ephemeral port number is chosen before the fport/faddr gets set on the pcb; that is, tcp_connect() calls in_pcbbind() to select the ephemeral port number, then calls in_pcbconnect_setup() to populate the fport/faddr. With SO_REUSEADDR, in_pcbbind() can select an in-use local port. If the local port is used by a socket with a different laddr/fport/faddr, all is good. However, if the local port selection results in a full conflict it will get rejected by the call to in_pcblookup_hash() inside in_pcbconnect_setup(). This happens after the loop inside in_pcbbind(), so the call to tcp_connect() fails with EADDRINUSE. Thus, with SO_REUSEADDR, connect() can fail with EADDRINUSE long before the ephemeral port space has been exhausted. The application could re-try the call to connect() and likely succeed, as a new local port would be selected.

Python's http.server.HTTPServer does set SO_REUSEADDR (Azure/azure-cli#10955 (comment)), so there is still a very small chance that a race condition may happen between bind and listen.

prompt=prompt,
login_hint=login_hint,
domain_hint=domain_hint,
timeout=timeout,
auth_params={"claims": claims},
data=dict(kwargs.pop("data", {}), claims=claims),
headers={
CLIENT_REQUEST_ID: _get_new_correlation_id(),
CLIENT_CURRENT_TELEMETRY: _build_current_telemetry_request_header(
self.ACQUIRE_TOKEN_INTERACTIVE),
},
**kwargs)

def initiate_device_flow(self, scopes=None, **kwargs):
"""Initiate a Device Flow instance,
which will be used in :func:`~acquire_token_by_device_flow`.
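Review bot: in `redirect_uri="http://localhost:{port}".format(port=port or 0)` the URI literally becomes `http://localhost:0` when no port is given; the visible code therefore relies on `obtain_token_by_browser` substituting the port the listener actually binds before the authorization request is built, and that contract deserves a comment next to the "Hardcode the host, for now" remark so the next reader does not assume the 0 is sent to the identity provider. The docstring also needs two fixes: the parameter is named `scopes` but documented as `:param list scope:`, and the `:return:` text ("if cache lookup succeeded", "when token refresh failed") describes a silent/refresh flow rather than an interactive one; it should say the dict carries an "access_token" when the browser sign-in succeeded and an "error" when the user aborted, the request timed out, or the code exchange failed.

The bind-then-listen window discussed in the review thread above can be closed on the Python side. As an added example (not MSAL's code and not part of this PR), the server below binds a loopback listener to port 0, reads the port the kernel actually handed out to build the redirect_uri, and leaves SO_REUSEADDR off, which the stock http.server.HTTPServer enables by default; the class and function names are hypothetical.

```python
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer


class _RedirectHandler(BaseHTTPRequestHandler):
    """Placeholder handler (hypothetical); a real listener would parse the
    ?code=... query of the redirect and hand it to the token exchange."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()


class EphemeralPortServer(HTTPServer):
    """HTTPServer that leaves SO_REUSEADDR off.

    Stock HTTPServer sets allow_reuse_address = True, so with port 0 the
    kernel may hand out a port another process already holds while this
    socket sits in a non-listening state until listen() runs. With the
    option off the kernel never allocates an in-use port.
    """
    allow_reuse_address = False


def start_redirect_listener(port=0, reuse_address=False):
    """Bind a loopback listener; port 0 asks the kernel for a free port.

    Returns (server, redirect_uri). The URI host is hard-coded to
    'localhost' as in the PR; the caller must call server.server_close().
    reuse_address=True uses the stock HTTPServer for comparison.
    """
    server_class = HTTPServer if reuse_address else EphemeralPortServer
    server = server_class(("127.0.0.1", port), _RedirectHandler)
    bound_port = server.server_address[1]  # the real port, never 0
    return server, "http://localhost:{}".format(bound_port)


def so_reuseaddr_enabled(server):
    """True if SO_REUSEADDR is set on the server's listening socket."""
    return server.socket.getsockopt(
        socket.SOL_SOCKET, socket.SO_REUSEADDR) != 0


if __name__ == "__main__":
    srv, uri = start_redirect_listener()
    try:
        print(uri, "SO_REUSEADDR enabled:", so_reuseaddr_enabled(srv))
    finally:
        srv.server_close()
```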
50 changes: 50 additions & 0 deletions tests/test_e2e.py
Expand Up @@ -441,6 +441,39 @@ def _test_acquire_token_by_auth_code_flow(
error_description=result.get("error_description")))
self.assertCacheWorksForUser(result, scope, username=None)

def _test_acquire_token_interactive(
self, client_id=None, authority=None, scope=None, port=None,
username_uri="", # But you would want to provide one
**ignored):
assert client_id and authority and scope
self.app = msal.PublicClientApplication(
client_id, authority=authority, http_client=MinimalHttpClient())
result = self.app.acquire_token_interactive(
scope,
timeout=60,
port=port,
welcome_template= # This is an undocumented feature for testing
"""<html><body><h1>{id}</h1><ol>
<li>Get a username from the upn shown at <a href="{username_uri}">here</a></li>
<li>Get its password from https://aka.ms/GetLabUserSecret?Secret=msidlabXYZ
(replace the lab name with the labName from the link above).</li>
<li><a href="$auth_uri">Sign In</a> or <a href="$abort_uri">Abort</a></li>
</ol></body></html>""".format(id=self.id(), username_uri=username_uri),
)
logger.debug(
"%s: cache = %s, id_token_claims = %s",
self.id(),
json.dumps(self.app.token_cache._cache, indent=4),
json.dumps(result.get("id_token_claims"), indent=4),
)
self.assertIn(
"access_token", result,
"{error}: {error_description}".format(
# Note: No interpolation here, cause error won't always present
error=result.get("error"),
error_description=result.get("error_description")))
self.assertCacheWorksForUser(result, scope, username=None)

def _test_acquire_token_obo(self, config_pca, config_cca):
# 1. An app obtains a token representing a user, for our mid-tier service
pca = msal.PublicClientApplication(
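Review bot: `welcome_template=` is passed through `**kwargs` to `obtain_token_by_browser` and the inline comment itself calls it "an undocumented feature for testing", yet the new `acquire_token_interactive` docstring does not list it; either document it as a supported keyword or give it a leading underscore so callers do not rely on it. The template also mixes `str.format` placeholders (`{id}`, `{username_uri}`) with `$auth_uri`/`$abort_uri` substitutions, which only works because `.format()` leaves `$` untouched; a short comment stating that two substitution passes happen would prevent someone from "fixing" it.
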
Expand Down Expand Up @@ -525,6 +558,13 @@ def test_adfs2019_fed_user(self):
self.skipTest("MEX endpoint in our test environment tends to fail")
raise

@unittest.skipIf(os.getenv("TRAVIS"), "Browser automation is not yet implemented")
def test_cloud_acquire_token_interactive(self):
config = self.get_lab_user(usertype="cloud")
self._test_acquire_token_interactive(
username_uri="https://msidlab.com/api/user?usertype=cloud",
**config)

def test_ropc_adfs2019_onprem(self):
# Configuration is derived from https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/4.7.0/tests/Microsoft.Identity.Test.Common/TestConstants.cs#L250-L259
config = self.get_lab_user(usertype="onprem", federationProvider="ADFSv2019")
Expand Down Expand Up @@ -557,6 +597,16 @@ def test_adfs2019_onprem_acquire_token_by_auth_code_flow(self):
username_uri="https://msidlab.com/api/user?usertype=onprem&federationprovider=ADFSv2019",
**config)

@unittest.skipIf(os.getenv("TRAVIS"), "Browser automation is not yet implemented")
def test_adfs2019_onprem_acquire_token_interactive(self):
config = self.get_lab_user(usertype="onprem", federationProvider="ADFSv2019")
config["authority"] = "https://fs.%s.com/adfs" % config["lab_name"]
config["scope"] = self.adfs2019_scopes
config["port"] = 8080
self._test_acquire_token_interactive(
username_uri="https://msidlab.com/api/user?usertype=onprem&federationprovider=ADFSv2019",
**config)

@unittest.skipUnless(
os.getenv("LAB_OBO_CLIENT_SECRET"),
"Need LAB_OBO_CLIENT SECRET from https://msidlabs.vault.azure.net/secrets/TodoListServiceV2-OBO/c58ba97c34ca4464886943a847d1db56")
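Review bot: `config["port"] = 8080` hard-codes a fixed port for the ADFS case while `test_cloud_acquire_token_interactive` leaves the port to the kernel; if 8080 is already in use this test fails with EADDRINUSE, which is exactly the problem the port-0 approach in `application.py` was meant to avoid. If the fixed port is required because the ADFS side has a redirect URI registered on that port (an assumption, not visible in the diff), say so in a comment on that line; otherwise drop it. Both new tests also gate on `os.getenv("TRAVIS")` only, so they will attempt a real browser sign-in on any other CI system.
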