AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available at https://learn.microsoft.com/entra/msal/python/ and stable APIs are documented at https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with the tags "msal" + "python":
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

Exception raised if `profile` scope is excluded #387

Closed letmaik closed 3 years ago

letmaik commented 3 years ago

Describe the bug
When the profile scope is excluded, then an exception is raised. I need to request only the "email" scope.

To Reproduce

import msal

# APP_ID is the application (client) id of the registered app.
app = msal.PublicClientApplication(
    APP_ID,
    # Historically MSAL hardcodes openid, profile, and offline_access scopes,
    # but we don't want all of that.
    exclude_scopes=["profile", "offline_access"],
)
result = app.acquire_token_interactive(
    scopes=["email"],
    prompt='select_account',
)

Expected behavior
No error should be raised.

What you see instead

DEBUG:urllib3.connectionpool:https://login.microsoftonline.com:443 "POST /common/oauth2/v2.0/token HTTP/1.1" 200 2734
DEBUG:msal.token_cache:event={
    "client_id": "b218d3ca...",
    "data": {
        "claims": null,
        "client_id": "b218d3ca...",
        "code": "M.R3_BAY...",
        "code_verifier": "Gy_qT...",
        "redirect_uri": "http://localhost:34389",
        "scope": [
            "openid",
            "email"
        ]
    },
    "environment": "login.microsoftonline.com",
    "grant_type": "authorization_code",
    "params": null,
    "response": {
        "access_token": "********",
        "client_info": "...",
        "expires_in": 3600,
        "ext_expires_in": 3600,
        "id_token": "********",
        "scope": "email openid",
        "token_type": "Bearer"
    },
    "scope": [
        "email",
        "openid"
    ],
    "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token"
}
Traceback (most recent call last):
...
  File ".../venv/lib/python3.8/site-packages/msal/application.py", line 1381, in acquire_token_interactive
    response = _clean_up(self.client.obtain_token_by_browser(
  File ".../venv/lib/python3.8/site-packages/msal/oauth2cli/oidc.py", line 258, in obtain_token_by_browser
    return super(Client, self).obtain_token_by_browser(
  File ".../venv/lib/python3.8/site-packages/msal/oauth2cli/oauth2.py", line 648, in obtain_token_by_browser
    return self.obtain_token_by_auth_code_flow(
  File ".../venv/lib/python3.8/site-packages/msal/oauth2cli/oidc.py", line 202, in obtain_token_by_auth_code_flow
    result = super(Client, self).obtain_token_by_auth_code_flow(
  File ".../venv/lib/python3.8/site-packages/msal/oauth2cli/oauth2.py", line 548, in obtain_token_by_auth_code_flow
    return self._obtain_token_by_authorization_code(
  File ".../venv/lib/python3.8/site-packages/msal/oauth2cli/oauth2.py", line 702, in _obtain_token_by_authorization_code
    return self._obtain_token("authorization_code", data=data, **kwargs)
  File ".../venv/lib/python3.8/site-packages/msal/oauth2cli/oidc.py", line 115, in _obtain_token
    ret = super(Client, self)._obtain_token(grant_type, *args, **kwargs)
  File ".../venv/lib/python3.8/site-packages/msal/oauth2cli/oauth2.py", line 759, in _obtain_token
    (on_obtaining_tokens or self.on_obtaining_tokens)({
  File ".../venv/lib/python3.8/site-packages/msal/application.py", line 445, in <lambda>
    on_obtaining_tokens=lambda event: self.token_cache.add(dict(
  File ".../venv/lib/python3.8/site-packages/msal/token_cache.py", line 113, in add
    return self.__add(event, now=now)
  File ".../venv/lib/python3.8/site-packages/msal/token_cache.py", line 145, in __add
    home_account_id = "{uid}.{utid}".format(**client_info)
KeyError: 'uid'

The MSAL Python version you are using: 1.13.0

Additional context
Add any other context about the problem here.

rayluo commented 3 years ago

Hi @letmaik, thanks for reporting this. Somehow, I am not able to reproduce this issue with our test app and test user. We may probably still change that line to a more robust implementation, but ideally we would also like to know why this issue was observed in your scenario.

Would you mind sharing your "client_id": "b218d3ca..." to me (via email), so that I can double check?
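The traceback above ends at `"{uid}.{utid}".format(**client_info)`, which raises `KeyError` whenever the decoded `client_info` blob lacks a `uid` member. The following is an added example, not MSAL's own code: it decodes a `client_info` value (a base64url-encoded JSON object, as the token endpoint returns it) and shows the fragile format-string derivation beside a defensive variant that returns `None` instead of raising when `uid` or `utid` is absent. The sample `client_info` values are constructed for the example; the `decode_client_info`, `strict_home_account_id` and `robust_home_account_id` names are this example's own, and the defensive behaviour is one possible "more robust implementation", not what the project chose.

```python
import base64
import json


def _b64url(obj):
    """Encode a dict the way client_info is transported: base64url, no padding."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample values (not real account or tenant identifiers).
SAMPLE_FULL = _b64url({
    "uid": "11111111-aaaa-bbbb-cccc-222222222222",
    "utid": "33333333-dddd-eeee-ffff-444444444444",
})
SAMPLE_NO_UID = _b64url({
    "utid": "33333333-dddd-eeee-ffff-444444444444",
})


def decode_client_info(client_info):
    """Decode the base64url JSON blob, restoring the stripped '=' padding."""
    padded = client_info + "=" * (-len(client_info) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def strict_home_account_id(client_info):
    """Same shape as the failing line in the traceback: raises KeyError on a missing key."""
    info = decode_client_info(client_info)
    return "{uid}.{utid}".format(**info)


def robust_home_account_id(client_info):
    """Defensive variant: None when the blob is missing or incomplete.

    A caller can then skip caching the account rather than crash the whole
    acquire_token_interactive call after the token was already issued.
    """
    if not client_info:
        return None
    info = decode_client_info(client_info)
    uid, utid = info.get("uid"), info.get("utid")
    if uid is None or utid is None:
        return None
    return "{}.{}".format(uid, utid)


if __name__ == "__main__":
    print(robust_home_account_id(SAMPLE_FULL))
    print(robust_home_account_id(SAMPLE_NO_UID))
    try:
        strict_home_account_id(SAMPLE_NO_UID)
    except KeyError as e:
        print("strict variant raised KeyError:", e)
```

Running the block prints the full `uid.utid` id for the complete blob, `None` for the blob without `uid`, and shows that the strict variant reproduces the `KeyError: 'uid'` seen in the report.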

letmaik commented 3 years ago

> Hi @letmaik, thanks for reporting this. Somehow, I am not able to reproduce this issue with our test app and test user. We may probably still change that line to a more robust implementation, but ideally we would also like to know why this issue was observed in your scenario.
>
> Would you mind sharing your "client_id": "b218d3ca..." to me (via email), so that I can double check?

I just sent you an email.