AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available here https://learn.microsoft.com/entra/msal/python/ Stable APIs are documented here https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with tag "msal" + "python".
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

Prefer Edge when running on Linux #388

Closed rayluo closed 3 years ago

rayluo commented 3 years ago

Edge will soon become the first browser on Linux to support device-based conditional access policy. This PR makes MSAL prefer Edge for acquire_token_interactive().

How to test this feature?

  1. Install this feature branch by pip install git+https://github.com/AzureAD/microsoft-authentication-library-for-python.git@prefer-edge-on-linux.
  2. Download the out-of-the-box interactive sample
  3. Prepare a config.json file with content like this, and then run python interactive_sample.py config.json:
{
    "authority": "https://login.microsoftonline.com/common",
    "client_id": "289a413d-284b-4303-9c79-94380abe5d22",
    "scope": ["User.Read"],
    "endpoint": "https://graph.microsoft.com/v1.0/me",
    "placeholder": null
}

@chlowell @jiasli Please help review this feature.

rayluo commented 3 years ago

Before this PR, MSAL would always launch the default browser. After this PR, MSAL would launch Edge browser when running on Linux and when Edge is available. Here we document the different user experience of the two approaches when end user is on Linux and potentially accessing resources that are protected by device-based Conditional Access (CA) policy.

  - Before this PR (MSAL always launches the default browser):

    1. For resources that require no device-based CA, it would just work. And, typically the user would already have a valid signed-in session (i.e. cookie) in their default browser, so they even get SSO. This is the most ideal case.

    2. For resources that require device-based CA, the user will be prompted during the sign-in experience. The suggestion of using Edge is currently in the fine print at the end of slide No.3 in this internal document: Enrollment - high level experience .pptx

       If you have already enrolled with Intune, use Microsoft Edge with your work or school profile to access this resource.

    3. Note that the error page above only mentions a vague "use Edge"; it does NOT cover how to enable Edge for a specific app. And I doubt any MSAL-powered app would bother to convey that instruction beforehand.

    4. Even if the end user somehow figures out 2 & 3, he would repeatedly run into the same issue each time he is going to access that resource, which is annoying. To make things worse, on Linux there is no universal way to specify a browser as the default browser. The BROWSER=microsoft-edge way happens to work in Python, but the end user may not know that. There would be some trial-and-error for the end user here.

  - After this PR (MSAL launches Edge when running on Linux and Edge is available):

    1. For resources that require no device-based CA, the very first time after Edge is installed on this desktop, Edge will pop up; it contains no signed-in session, so the end user would need to sign in again. That is suboptimal, but at least it would be much easier than 3 & 4 above. (However, there is currently a known issue: the sign-in experience does not (yet?) present a "Stay signed in?" option to the end user from Linux. We started an internal conversation here.)

    2. After the sign-in in situation 1 above, situation 2 here would just work. The end users don't have to read that fine print.

    3. Not applicable.

    4. Not applicable.

UPDATE: We ended up using the second bullet point's approach.

lulujrush commented 1 year ago

I know this is long done and gone but my issue was the last one linked so I wanted to comment.

IMHO I found this unfortunate that you took away the Linux users' choice of default browser. This has led me to remove Edge from my system, and it will not be re-introduced.

rayluo commented 1 year ago

    IMHO I found this unfortunate that you took away the Linux users' choice of default browser. This has led me to remove Edge from my system, and it will not be re-introduced.

Fair enough. In case you want to try Edge again but want to have MSAL Python (thus Azure CLI) honor your default browser, you can set an env var BROWSER=firefox_executable_file.
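The selection order rayluo describes (an explicit BROWSER setting wins, otherwise Edge is preferred on Linux because it is the browser that can satisfy device-based CA, otherwise the platform default) can be written as a small pure function. The code below is an added illustration, not MSAL's own implementation; the Edge executable names and the `pick_browser` helper are assumptions, and it follows the BROWSER convention of Python's `webbrowser` module, where the value is an `os.pathsep`-separated list of browser commands to try first.

```python
import os
import shutil
import sys
from typing import Callable, Mapping, Optional

# Assumed Linux executable names for Edge; MSAL's own candidate list may differ.
EDGE_CANDIDATES = (
    "microsoft-edge",
    "microsoft-edge-stable",
    "microsoft-edge-beta",
    "microsoft-edge-dev",
)


def pick_browser(
    env: Mapping[str, str],
    platform: str,
    which: Callable[[str], Optional[str]],
) -> Optional[str]:
    """Return the browser command to launch, or None for the platform default.

    Hypothetical policy mirroring the discussion in this PR:
      1. BROWSER, if set, is honoured unconditionally. Like Python's
         webbrowser module, it is treated as an os.pathsep-separated list and
         the first non-empty entry is used, so the user keeps their choice.
      2. On Linux, prefer an installed Edge so that resources behind
         device-based Conditional Access work without the "use Edge" fine print.
      3. Otherwise fall back to whatever the platform considers the default.
    `which` is injected (normally shutil.which) so the logic can be checked
    without touching the real PATH.
    """
    for entry in env.get("BROWSER", "").split(os.pathsep):
        entry = entry.strip()
        if entry:
            return entry

    if platform.startswith("linux"):
        for candidate in EDGE_CANDIDATES:
            if which(candidate):
                return candidate

    return None


def describe_choice(choice: Optional[str]) -> str:
    """Human-readable summary of the decision, for logging or diagnostics."""
    if choice is None:
        return "platform default browser"
    return f"explicit command: {choice}"


if __name__ == "__main__":
    # Real environment, real platform, real PATH lookup.
    chosen = pick_browser(os.environ, sys.platform, shutil.which)
    print(describe_choice(chosen))
```

Running the script on a Linux desktop with Edge installed and no BROWSER variable prints `explicit command: microsoft-edge`; exporting `BROWSER=firefox` first makes it print `explicit command: firefox`, which is the escape hatch rayluo points to for users who want their default browser back.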

kitingChris commented 1 year ago

Why is the standard browser explicitly ignored and Edge opened instead? This is totally unexpected behaviour. Why do you not accept my decision not to make Edge the standard browser?