ConfidentialClientApplication federated by a Managed Identity #687
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* implement response_mode oidc supports passing the response_mode to allow redirects to send callback parameters as POST for increased security. * Fix error check logic and modify test_ccs to include response_mode * Add more comments * Apply suggestions from code review Co-authored-by: Ray Luo <[email protected]> * PR review comments addressed * remove extraneous line Co-authored-by: Emmanuel Oche <[email protected]> Co-authored-by: Ray Luo <[email protected]>
Emit warning when common or organizations is used in acquire_token_for_client()
Cloud Shell Detection PoC: Silent flow utilizes Cloud Shell IMDS Introduce get_accounts(username=msal.CURRENT_USER) A reasonable-effort to convert scope to resource Replace get_accounts(username=msal.CURRENT_USER) by acquire_token_interactive(..., prompt="none") Detect unsupported Portal so that AzCLI could fallback
Bump cryptography
I stumbled upon this typo while investigating a different issue in this file.
acquire_token_interactive(..., prompt="none") acquires token via Cloud Shell's IMDS-like interface
Merge MSAL Python 1.18.0b1 back to dev
Merge MSAL Python 1.18.0 back to dev
Document our findings on addressing CVE-2022-29217
Fix typo in code
…nt (#484) * Use provided authority port when building the tenant discovery endpoint * address PR comment * Polish the implementation Co-authored-by: Ray Luo <[email protected]>
We got it right in PR 358 based on the specs at that time, but we were using a fragile approach, which caused the "login.microsoft.com" to be left out in subsequent PR 394. Lesson learned. Explicit is better than implicit. https://peps.python.org/pep-0020/
Right regional endpoint for login.microsoft.com
Test latest 3.11 beta
Troubleshooting
Change all find() in application.py to search() Update msal/token_cache.py Co-authored-by: Jiashuo Li <[email protected]> Refine inline comments
macOS, ROPC will call MSAL C++ logic.
Enable public client ROPC via broker
Fix docs Adjusting error message and docs Fix typo
Error out on platforms other than Linux and Windows
* Update ROPC broker tests * Get test account and password from .env * update
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a proof-of-concept. It provides a high-level API which allows your confidential client to federate with a managed identity.
The high-level API also supports some variations. See the last purple box of the
client_credentialparameter's document for more details.See how it is simpler than the low-level API in the coming-soon Managed Identity implementation.
Installation:
pip install --force-reinstall "git+https://github.com/AzureAD/microsoft-authentication-library-for-python.git@fic-by-mi"