AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available here https://learn.microsoft.com/entra/msal/python/ Stable APIs are documented here https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with tag "msal" + "python".
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

Feature Request - IWA pass through capabilities - align with .net #31

Open danield137 opened 5 years ago

danield137 commented 5 years ago

I am one of the devs working on https://github.com/Azure/azure-kusto-python. We are currently using adal for azure authentication, and we get a lot of requests for silent authentication flow (as we provide in our .net SDK).

Currently, adal python does not expose such a capability, although it seems possible to achieve using similar low-level, OS-dependent code.

We would love the ability to provide silent auth for our windows users, and, to take a part of the dev effort, if needed.

Pratik-Gautam commented 5 years ago

@rayluo & @danield137 , as I understand, silent authentication is not available in ADAL for Python yet . So is there a way through which we can still achieve SSO using ADAL for Python?

rayluo commented 5 years ago

To be precise, it is true that the Integrated Windows Auth (IWA) - i.e. current Windows login user can sign in without typing password - is not currently available in either ADAL Python or MSAL Python. You can upvote this feature request. As an open source library, we are open to PR contributions. CC: @danield137 ;-)

On a side note, the latest version of MSAL .Net and MSAL Python are already using the same format of token cache. So if you happen to have an app powered by MSAL .Net and another version of it powered by MSAL Python, and they share access to the same physical token cache, one app can pick up the other app's token and therefore sign in silently.

In a more generic case, though, you can consider an alternative, the Device Flow. In such flow, the actual sign-in happens on another of the end user's devices, such as their desktop or mobile, on which they are typically already signed in. It is not necessarily more convenient because the end user would still need to read and type a short user code in such flow, but it is probably more secure than username-password-flow, because the end user does not need to type their password in your app (and worry about whether your app would persist their password - and you should not do that!).

If you have follow-up questions on how to use Device Flow, please create another issue for that topic. Thanks!

jorgst commented 5 years ago

This feature would be awesome, how many upvotes does it need before you consider implementing it?

rayluo commented 5 years ago

@jorgst Thanks for your nudge. :-) We understand that this issue is currently already the most upvoted feature request in this repo. We will definitely get around to it. From a technical standpoint, this feature is about a platform-specific behavior (which also happens to have a less-convenient-but-still-works workaround as Device Flow). We are now inclined to prioritize some platform-independent features that are potentially covering more customers on multiple platforms. Our roadmap is available here.

patricm-enbw commented 4 years ago

any news on this?

rayluo commented 4 years ago

Sorry, it looks like our roadmap page no longer provides a future plan. Perhaps we should re-draft a roadmap and/or just point people to our kanban board. /CC: @navyasric

Anyway the short answer to this issue remains unchanged: while this feature is a good-to-have and also happens to have a workaround, we currently have some 2~3 other more urgent demands to satisfy. We will revisit this after that.

molinch commented 2 years ago

Is there a plan to ever implement IWA for Python? We work in an environment where Windows sessions are automatically started, and scripts start in the context of a user thus only IWA can be of use here. Having silent/transparent authentication is required in that case. Right now we created a .NET executable to get a valid Azure AD token and call it from Python, but that's far from ideal.

Even if you don't plan on implementing IWA, do you think of alternatives we could rely on?

rayluo commented 2 years ago

Integrated Windows Auth (IWA) is still not available in MSAL Python. There are alternatives.

Both alternatives are demonstrated in the same interactive flow sample.

molinch commented 2 years ago

Thanks @rayluo your feedback is much appreciated

bgavrilMS commented 1 year ago

IWA is not a good path forward. It is better to use the new capabilities of Windows Broker to get SSO with Windows. @rayluo can point you at a sample showing how to get that.

SSO with WAM is much more stable, doesn't require complex setup and it works with Personal accounts as well.

rayluo commented 1 year ago

> IWA is not a good path forward. It is better to use the new capabilities of Windows Broker to get SSO with Windows. @rayluo can point you at a sample showing how to get that.
>
> SSO with WAM is much more stable, doesn't require complex setup and it works with Personal accounts as well.

Agreed with @bgavrilMS . Updated my message above to include the 2nd option and sample. Closing this issue as wontfix.
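The two alternatives recommended in this thread (the Device Flow from rayluo's earlier comment, and the Windows broker here), as an added example that is not part of the thread or of the msal project. CLIENT_ID and AUTHORITY are placeholders, and the silent-first ordering is an assumption of this example:

```python
"""Silent-first token acquisition with MSAL Python, falling back to the
Device Flow (or, on Windows, the WAM broker) rather than a username/password
flow. Example code written for this thread, not msal's own code.
CLIENT_ID and AUTHORITY are placeholders."""

CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder app registration
AUTHORITY = "https://login.microsoftonline.com/common"
SCOPES = ["User.Read"]


def build_app(use_broker=False):
    """Create the PublicClientApplication. msal is imported lazily so that
    acquire_token() below can be exercised with a stand-in app object."""
    import msal  # pip install "msal[broker]" when use_broker=True
    kwargs = {"enable_broker_on_windows": True} if use_broker else {}
    return msal.PublicClientApplication(CLIENT_ID, authority=AUTHORITY, **kwargs)


def acquire_token(app, scopes, prompt=print, use_broker=False):
    """Return an MSAL result dict. Order: cached account silently first, then
    the broker (if requested) or the Device Flow. No password ever passes
    through this code, which is the point of the thread's recommendation."""
    # 1. Silent: if the (possibly shared) token cache already holds an account,
    #    MSAL refreshes the access token with no user interaction.
    accounts = app.get_accounts()
    if accounts:
        result = app.acquire_token_silent(scopes, account=accounts[0])
        if result and "access_token" in result:
            return result
    # 2a. Windows broker (WAM): an interactive call, but SSO with the Windows
    #     login session normally means the user sees no prompt at all.
    if use_broker:
        return app.acquire_token_interactive(
            scopes, parent_window_handle=app.CONSOLE_WINDOW_HANDLE)
    # 2b. Device Flow: the user completes sign-in on another device.
    flow = app.initiate_device_flow(scopes=scopes)
    if "user_code" not in flow:
        raise RuntimeError("Device flow failed: %s"
                           % flow.get("error_description", flow))
    prompt(flow["message"])                          # URL plus short user code
    return app.acquire_token_by_device_flow(flow)    # blocks until done or expired


if __name__ == "__main__":
    import sys
    token = acquire_token(build_app(), SCOPES)
    if "access_token" not in token:
        sys.exit(token.get("error_description"))
    print("signed in as", token.get("id_token_claims", {}).get("preferred_username"))
```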

shajia-deshaw commented 1 year ago

Hello. @rayluo We have a working implementation of Integrated Windows Authentication flow with MSAL python. Do we think we can get it merged if we raise a PR?

bgavrilMS commented 1 year ago

Hi @shajia-deshaw - is there a reason why you can't use broker silent authentication instead of IWA?

shajia-deshaw commented 1 year ago

@bgavrilMS Even if we go with the broker approach, I believe we still have to interactively authenticate once the first time and the subsequent token calls are silent. We would prefer to avoid that scenario as well. With IWA flow, it's silent even the first time. We would also want to avoid starting another broker process to handle authentications in our use-case right now. However if it's necessary and if MSAL will default to broker flow in the future, we will revisit the broker flow in the future. For now, integrated windows authentication is necessary for our use-case.

bgavrilMS commented 1 year ago

> I believe we still have to interactively authenticate once the first time and the subsequent token calls are silent

No, the first auth is silent too. As with all silent auth, consent is still a factor - i.e. tenant admin needs to pre-consent to avoid consent issues.

shajia-deshaw commented 1 year ago

@bgavrilMS Oh, that's great. We'd need to evaluate with the team about getting the pre-consent though. As I've been reading about the broker authentication, on mobile devices Microsoft Authenticator / Intune Company Portal can act as the broker, and WAM in certain versions of Windows. Our service would be running on Linux boxes. The docs here (under the WAM Limitations section) say it's not supported on Linux yet. How would this work on Linux?

rayluo commented 1 year ago

Broker solutions on Mac and Linux are in development. But that should not be a factor in this conversation context. You were asking about IWA, which is Windows-only anyway.

shajia-deshaw commented 1 year ago

@rayluo @bgavrilMS Integrated Windows Authentication works in our Linux environment btw. We have Kerberos authentication enabled in our Linux hosts which works with our ADFS (It's a custom built solution in our infra). FYI, the IWA flow in Java worked seamlessly in our environment. We have ported that to python which also works fine.

shajia-deshaw commented 1 year ago

If we're on the same page here, shall we revisit the comment in https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/31#issuecomment-1750114780 to see if the IWA changes could be merged to upstream?

bgavrilMS commented 1 year ago

Reopening the issue, @ashok672 can have a look if this is in line with the current public client strategy.

shajia-deshaw commented 1 year ago

@bgavrilMS Should I go ahead and raise a PR then?

shajia-deshaw commented 1 year ago

Hey (@bgavrilMS / @rayluo), checking in here for an update.

rayluo commented 1 year ago

> @bgavrilMS Should I go ahead and raise a PR then?

I'll defer that question to @bgavrilMS and/or @ashok672 .

Meanwhile, it sounds like @shajia-deshaw already has the changes readily available in his/her fork. Then I suppose it doesn't hurt to have @shajia-deshaw share a link to that branch, so, at the very least, future readers of this thread can use that as a sample.

shajia-deshaw commented 1 year ago

@rayluo Sounds good. Will do.

velulev commented 10 months ago

Hi @rayluo & @shajia-deshaw, have either of you got the link to the branch? That will be very helpful for us; appreciate your time and efforts on this.

shajia-deshaw commented 10 months ago

@velulev Sorry, was caught up with some work at work :p. I'll try to spin up something in 2 weeks.

velulev commented 10 months ago

Hi @shajia-deshaw, thank you very much for getting back. Any pointers or help any earlier are very much appreciated too.

shajia-deshaw commented 9 months ago

@velulev As promised, I have raised a PR: https://github.com/AzureAD/microsoft-authentication-library-for-python/pull/652. I'm not 100% sure if this will work in your environment and it's heavily based on the Java MSAL IWA flow which works seamlessly in our environment out of the box.

cc: @rayluo

velulev commented 9 months ago

Hi @shajia-deshaw, thank you very much, and I really appreciate your efforts on this, from myself and hopefully from the wider community that will benefit as well.

velulev commented 9 months ago

Hi @rayluo , hope you are doing good, do you know if there is interest, and efforts to review, approve and merge this into any future releases of msal-python? Thanks.

shajia-deshaw commented 4 months ago

@ashok672 / @rayluo - just checking if we had a chance to review the PR?

aschafs commented 3 weeks ago

I just wanted to see if this PR was going to be merged/released any time soon? We're keen to get IWA support in MSAL for Python. Thanks!