MSAL Python 1.11.0

README.md

@@ -12,8 +12,8 @@ Not sure whether this is the SDK you are looking for your app? There are other M
 
 Quick links:
 
-| [Getting Started](https://docs.microsoft.com/azure/active-directory/develop/quickstart-v2-python-webapp) | [Docs](https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki) | [Samples](https://aka.ms/aaddevsamplesv2) | [Support](README.md#community-help-and-support)
-| --- | --- | --- | --- |
+| [Getting Started](https://docs.microsoft.com/azure/active-directory/develop/quickstart-v2-python-webapp) | [Docs](https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki) | [Samples](https://aka.ms/aaddevsamplesv2) | [Support](README.md#community-help-and-support) | [Feedback](https://forms.office.com/r/TMjZkDbzjY) |
+| --- | --- | --- | --- | --- |
 
 ## Installation
 
@@ -126,6 +126,9 @@ We recommend you use the "msal" tag so we can see it!
 Here is the latest Q&A on Stack Overflow for MSAL:
 [http://stackoverflow.com/questions/tagged/msal](http://stackoverflow.com/questions/tagged/msal)
 
+## Submit Feedback
+We'd like your thoughts on this library. Please complete [this short survey.](https://forms.office.com/r/TMjZkDbzjY)
+
 ## Security Reporting
 
 If you find a security issue with our libraries or services please report it to [[email protected]](mailto:[email protected]) with as much detail as possible. Your submission may be eligible for a bounty through the [Microsoft Bounty](http://aka.ms/bugbounty) program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting [this page](https://technet.microsoft.com/security/dd252948) and subscribing to Security Advisory Alerts.

msal/oauth2cli/authcode.py

@@ -33,9 +33,34 @@ def obtain_auth_code(listen_port, auth_uri=None):  # Historically only used in t
             ).get("code")
 
 
+def is_wsl():
+    # "Official" way of detecting WSL: https://github.com/Microsoft/WSL/issues/423#issuecomment-221627364
+    # Run `uname -a` to get 'release' without python
+    #   - WSL 1: '4.4.0-19041-Microsoft'
+    #   - WSL 2: '4.19.128-microsoft-standard'
+    import platform
+    uname = platform.uname()
+    platform_name = getattr(uname, 'system', uname[0]).lower()
+    release = getattr(uname, 'release', uname[2]).lower()
+    return platform_name == 'linux' and 'microsoft' in release
+
+
 def _browse(auth_uri):  # throws ImportError, possibly webbrowser.Error in future
     import webbrowser  # Lazy import. Some distro may not have this.
-    return webbrowser.open(auth_uri)  # Use default browser. Customizable by $BROWSER
+    browser_opened = webbrowser.open(auth_uri)  # Use default browser. Customizable by $BROWSER
+
+    # In WSL which doesn't have www-browser, try launching browser with PowerShell
+    if not browser_opened and is_wsl():
+        try:
+            import subprocess
+            # https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe
+            # Ampersand (&) should be quoted
+            exit_code = subprocess.call(
+                ['powershell.exe', '-NoProfile', '-Command', 'Start-Process "{}"'.format(auth_uri)])
+            browser_opened = exit_code == 0
+        except FileNotFoundError:  # WSL might be too old
+            pass
+    return browser_opened
 
 
 def _qs2kv(qs):
@@ -245,4 +270,3 @@ def __exit__(self, exc_type, exc_val, exc_tb):
             timeout=60,
             state=flow["state"],  # Optional
             ), indent=4))
-

msal/telemetry.py

@@ -0,0 +1,78 @@
+import uuid
+import logging
+
+
+logger = logging.getLogger(__name__)
+
+CLIENT_REQUEST_ID = 'client-request-id'
+CLIENT_CURRENT_TELEMETRY = "x-client-current-telemetry"
+CLIENT_LAST_TELEMETRY = "x-client-last-telemetry"
+NON_SILENT_CALL = 0
+FORCE_REFRESH = 1
+AT_ABSENT = 2
+AT_EXPIRED = 3
+AT_AGING = 4
+RESERVED = 5
+
+
+def _get_new_correlation_id():
+    return str(uuid.uuid4())
+
+
+class _TelemetryContext(object):
+    """It is used for handling the telemetry context for current OAuth2 "exchange"."""
+    # https://identitydivision.visualstudio.com/DevEx/_git/AuthLibrariesApiReview?path=%2FTelemetry%2FMSALServerSideTelemetry.md&_a=preview
+    _SUCCEEDED = "succeeded"
+    _FAILED = "failed"
+    _FAILURE_SIZE = "failure_size"
+    _CURRENT_HEADER_SIZE_LIMIT = 100
+    _LAST_HEADER_SIZE_LIMIT = 350
+
+    def __init__(self, buffer, lock, api_id, correlation_id=None, refresh_reason=None):
+        self._buffer = buffer
+        self._lock = lock
+        self._api_id = api_id
+        self._correlation_id = correlation_id or _get_new_correlation_id()
+        self._refresh_reason = refresh_reason or NON_SILENT_CALL
+        logger.debug("Generate or reuse correlation_id: %s", self._correlation_id)
+
+    def generate_headers(self):
+        with self._lock:
+            current = "4|{api_id},{cache_refresh}|".format(
+                api_id=self._api_id, cache_refresh=self._refresh_reason)
+            if len(current) > self._CURRENT_HEADER_SIZE_LIMIT:
+                logger.warning(
+                    "Telemetry header greater than {} will be truncated by AAD".format(
+                    self._CURRENT_HEADER_SIZE_LIMIT))
+            failures = self._buffer.get(self._FAILED, [])
+            return {
+                CLIENT_REQUEST_ID: self._correlation_id,
+                CLIENT_CURRENT_TELEMETRY: current,
+                CLIENT_LAST_TELEMETRY: "4|{succeeded}|{failed_requests}|{errors}|".format(
+                    succeeded=self._buffer.get(self._SUCCEEDED, 0),
+                    failed_requests=",".join("{a},{c}".format(**f) for f in failures),
+                    errors=",".join(f["e"] for f in failures),
+                    )
+                }
+
+    def hit_an_access_token(self):
+        with self._lock:
+            self._buffer[self._SUCCEEDED] = self._buffer.get(self._SUCCEEDED, 0) + 1
+
+    def update_telemetry(self, auth_result):
+        if auth_result:
+            with self._lock:
+                if "error" in auth_result:
+                    self._record_failure(auth_result["error"])
+                else:  # Telemetry sent successfully. Reset buffer
+                    self._buffer.clear()  # This won't work: self._buffer = {}
+
+    def _record_failure(self, error):
+        simulation = len(",{api_id},{correlation_id},{error}".format(
+            api_id=self._api_id, correlation_id=self._correlation_id, error=error))
+        if self._buffer.get(self._FAILURE_SIZE, 0) + simulation < self._LAST_HEADER_SIZE_LIMIT:
+            self._buffer[self._FAILURE_SIZE] = self._buffer.get(
+                self._FAILURE_SIZE, 0) + simulation
+            self._buffer.setdefault(self._FAILED, []).append({
+                "a": self._api_id, "c": self._correlation_id, "e": error})
+

msal/token_cache.py

@@ -145,7 +145,7 @@ def __add(self, event, now=None):
             client_info["uid"] = id_token_claims.get("sub")
             home_account_id = id_token_claims.get("sub")
 
-        target = ' '.join(event.get("scope", []))  # Per schema, we don't sort it
+        target = ' '.join(event.get("scope") or [])  # Per schema, we don't sort it
 
         with self._lock:
             now = int(time.time() if now is None else now)

msal/wstrust_response.py

@@ -88,5 +88,7 @@ def parse_token_by_re(raw_response):  # Returns the saml:assertion
         token_types = findall_content(rstr, "TokenType")
         tokens = findall_content(rstr, "RequestedSecurityToken")
         if token_types and tokens:
-            return {"token": tokens[0].encode('us-ascii'), "type": token_types[0]}
+            # Historically, we use "us-ascii" encoding, but it should be "utf-8"
+            # https://stackoverflow.com/questions/36658000/what-is-encoding-used-for-saml-conversations
+            return {"token": tokens[0].encode('utf-8'), "type": token_types[0]}
 

sample/username_password_sample.py

@@ -34,8 +34,9 @@
 config = json.load(open(sys.argv[1]))
 
 # Create a preferably long-lived app instance which maintains a token cache.
-app = msal.PublicClientApplication(
+app = msal.ClientApplication(
     config["client_id"], authority=config["authority"],
+    client_credential=config.get("client_secret"),
     # token_cache=...  # Default cache is in memory only.
                        # You can learn how to use SerializableTokenCache from
                        # https://msal-python.readthedocs.io/en/latest/#msal.SerializableTokenCache