MSAL Python 1.18.0b1 #471
Merge MSAL Python 1.17.0 back to dev branch
This way, it will probably show up properly in PyPI, too.
Test more py3 versions
* implement response_mode
  oidc supports passing the response_mode to allow redirects to send callback parameters as POST for increased security.
* Fix error check logic and modify test_ccs to include response_mode
* Add more comments
* Apply suggestions from code review
  Co-authored-by: Ray Luo <[email protected]>
* PR review comments addressed
* remove extraneous line
  Co-authored-by: Emmanuel Oche <[email protected]>
  Co-authored-by: Ray Luo <[email protected]>
Emit warning when common or organizations is used in acquire_token_for_client()
Cloud Shell Detection PoC: Silent flow utilizes Cloud Shell IMDS
Introduce get_accounts(username=msal.CURRENT_USER)
A reasonable-effort to convert scope to resource
Replace get_accounts(username=msal.CURRENT_USER) by acquire_token_interactive(..., prompt="none")
Detect unsupported Portal so that AzCLI could fallback
Bump cryptography
def _is_running_in_cloud_shell(): | ||
return os.environ.get("AZUREPS_HOST_ENVIRONMENT", "").startswith("cloud-shell") |
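Review bot: `_is_running_in_cloud_shell()` has no docstring, and the one string it depends on is an external contract. Suggest documenting at the function that `AZUREPS_HOST_ENVIRONMENT` is set by the hosting environment, why the check is a prefix match on "cloud-shell" rather than an equality test, and that any process can set this variable, so callers should treat the result as a hint for choosing a token source rather than as proof of where the code runs.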
Just as an FYI, Azure CLI uses another env var ACC_CLOUD to detect if it is run in Cloud Shell:

    def in_cloud_console():
        return os.environ.get('ACC_CLOUD', None)

    $ env | grep ACC_CLOUD
    ACC_CLOUD=PROD
I dug this out from my chat messages history.
10/19/2021 11:54 AM
Ray: ... Az CLI and MSAL would need to detect whether they are currently running inside Cloud Shell. I confirmed with Robin that the recommended way is to use AZUREPS_HOST_ENVIRONMENT env var. I am just letting you know, to keep this env var in the future. Otherwise, its removal would become a breaking change for us. :-)
Edwin: I have previously advised folks to look for the ACC_CLOUD variable. Either should be OK
Ray: The "problem" of ACC_CLOUD is its content seems to vary by design, therefore the consumers would have to detect its presence, without any keyword in its value to "double check". I would prefer that "AZUREPS_HOST_ENVIRONMENT=cloud-shell/1.0" because we can then use some "value.startswith('cloud-shell')" logic just to be sure.
Either way, we just need your blessing to say "yes, that would become a formal contract that would last forever".
Edwin: ACC_CLOUD is a different value per-cloud (Public, Fairfax, etc). Other than that it is static. You can use the AZUREPS one if you like
* initiate_auth_code_flow(..., response_mode="form_post") to allow the auth code being delivered to your app by form post, which is considered even more secure. (response_mode in authorization code flow #396, implement response_mode #469)
* acquire_token_interactive(..., prompt="none") can obtain some tokens from within Cloud Shell, without any prompt. (acquire_token_interactive(..., prompt="none") acquires token via Cloud Shell's IMDS-like interface #420)
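
An added example, not code from MSAL or from this PR: a standard-library sketch of the receiving side of `response_mode="form_post"`, showing the checks a redirect endpoint can apply before handing the parameters on. The helper name, exception class, URL and sample values are assumptions made for illustration.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Parameter names used by OAuth 2.0 / OIDC authorization responses.
RESPONSE_KEYS = {"code", "state", "error", "error_description"}
FORM_TYPE = "application/x-www-form-urlencoded"


class CallbackRejected(Exception):
    """The redirect did not match the flow this app started."""


def parse_form_post_callback(method, url, content_type, body, expected_state):
    """Return the auth response dict carried by a form_post redirect.

    Hypothetical helper; expected_state is the state value the app kept in
    the user's session when it called initiate_auth_code_flow().
    """
    if method != "POST":
        raise CallbackRejected("form_post responses arrive as POST")
    # A code in the query string ends up in access logs, browser history
    # and Referer headers, which is what form_post avoids.
    if RESPONSE_KEYS.intersection(parse_qs(urlsplit(url).query)):
        raise CallbackRejected("authorization parameters found in URL")
    if content_type.split(";")[0].strip().lower() != FORM_TYPE:
        raise CallbackRejected("unexpected content type")
    try:
        fields = parse_qs(body.decode("ascii"), keep_blank_values=True,
                          strict_parsing=True)
    except ValueError as exc:  # also covers UnicodeDecodeError
        raise CallbackRejected("malformed form body") from exc
    # Duplicate parameters are ambiguous; refuse rather than pick one.
    if any(len(values) != 1 for values in fields.values()):
        raise CallbackRejected("duplicated parameter")
    response = {name: values[0] for name, values in fields.items()}
    state = response.get("state", "").encode()
    if not hmac.compare_digest(state, expected_state.encode()):
        raise CallbackRejected("state mismatch")
    if "error" in response:
        raise CallbackRejected("authorization failed: " + response["error"])
    if not response.get("code"):
        raise CallbackRejected("no authorization code")
    return response


# Constructed sample request, not captured traffic.
SAMPLE_URL = "https://app.example/callback"
SAMPLE_BODY = b"code=constructed-code&state=s3ss10n"
print(parse_form_post_callback("POST", SAMPLE_URL, FORM_TYPE, SAMPLE_BODY, "s3ss10n"))
```

The returned dict has the shape that MSAL's `acquire_token_by_auth_code_flow(flow, auth_response)` takes as `auth_response`.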