AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available at https://learn.microsoft.com/entra/msal/python/. Stable APIs are documented at https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with the tags "msal" + "python":
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

What is the Python equivalent to obtain MSAL token interactively? #508

Closed exwhyz closed 1 year ago

exwhyz commented 1 year ago

In PowerShell I successfully use the following for a desktop/client script-based application to obtain an MSAL token using an App with Delegated permissions:

PS Version (Delegated Permission):

$MsalToken = Get-MsalToken -TenantId [TENANTID] -ClientId [CLIENTID] -LoginHint [LOGINHINT]
Connect-MgGraph -AccessToken $MsalToken.AccessToken

However, the same does not work in Python. The closest I have for the interactive auth code flow in Python is the following, but it bombs with an endpoint error for the same [TENANTID] and [CLIENTID] that work perfectly fine in PowerShell.

Python Version (Delegated Permission):

import msal

# [CLIENTID], [AUTHORITY], [SCOPE] and [LOGINHINT] are the placeholders from the post.
# The instance is bound to its own name so it does not shadow the imported msal module.
app = msal.PublicClientApplication(client_id=[CLIENTID], authority=[AUTHORITY])
result = app.acquire_token_interactive(scopes=[SCOPE], login_hint=[LOGINHINT])

Error message on authentication for the Python version (Note: Redirect URI http://localhost is set up on the App):

The redirect URI 'http://localhost:30352' specified in the request does not match the redirect URIs configured for the application [CLIENTID]

So my main question is why this works with PS but not in Python.

BTW, for a different Microsoft Graph API that supports Application permissions (unlike the instance above, which only supports Delegated), I use the following, and both the PS and Python versions work without any issues:

PS Version (Application Permission):

$MsalToken = Get-MsalToken -TenantId [TENANTID] -ClientId [CLIENTID] -ClientSecret [CLIENTSECRET]
Connect-MgGraph -AccessToken $MsalToken.AccessToken

Python Version (Application Permission):

import msal

# [CLIENTID], [AUTHORITY], [CLIENTSECRET] and [SCOPE] are the placeholders from the post.
app = msal.ConfidentialClientApplication(client_id=[CLIENTID], authority=[AUTHORITY], client_credential=[CLIENTSECRET])
# acquire_token_silent only consults the token cache and returns None when nothing is cached;
# fall back to the client credentials grant, as the MSAL Python samples do.
result = app.acquire_token_silent(scopes=[SCOPE], account=None)
if not result:
    result = app.acquire_token_for_client(scopes=[SCOPE])

Any suggestions on what I should be doing differently?

rayluo commented 1 year ago
import msal

app = msal.PublicClientApplication(client_id=[CLIENTID], authority=[AUTHORITY])
result = app.acquire_token_interactive(scopes=[SCOPE], login_hint=[LOGINHINT])

Error message on authentication for the Python version (Note: Redirect URI http://localhost/ is set up on the App):

The redirect URI 'http://localhost:30352' specified in the request does not match the redirect URIs configured for the application [CLIENTID]

Your API choice is correct, and that error, emitted by the service side, indicates that the redirect_uri setup in your app's registration is incorrect. Would you mind double-checking that? The http://localhost would need to be registered as a "native (or desktop)" app, rather than a web app.
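The reason the platform type matters is visible in the error itself: MSAL's interactive flow starts a throwaway HTTP listener on an ephemeral loopback port (here 30352), so the redirect_uri it sends can never be predicted at registration time. RFC 8252 section 7.3 therefore requires authorization servers to accept any port for an http loopback redirect of a native app, while every other component (scheme, host, path) must still match exactly so that an attacker-controlled host can never receive the authorization code. A web-platform registration gets the strict exact match, port included, which is why a plain http://localhost registered under "Web" rejects http://localhost:30352. The following is an added example written for this thread, not code from MSAL or from Entra ID: it models that matching rule (the split between a "desktop" and a "web" registration is an assumption about Entra's behaviour based on the RFC and on rayluo's comment above) and runs the URI from the error against both kinds of registration.

```python
"""Model of redirect_uri matching for the authorization code flow.

Added example for this issue thread; it is not MSAL's or Entra ID's code.
Assumption: a "desktop" (native) registration follows RFC 8252 7.3 and
accepts any port on an http loopback redirect, while a "web" registration
requires an exact match including the port. Entra ID's real implementation
may differ in details.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hostnames treated as the loopback interface. urlsplit().hostname strips the
# brackets from an IPv6 literal, so "[::1]" shows up here as "::1".
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass(frozen=True)
class RegisteredRedirect:
    """One redirect URI from an app registration and the platform it sits under.

    platform is "desktop" (the "Mobile and desktop applications" / native
    platform) or "web". These platform names are this example's own labels.
    """
    uri: str
    platform: str


def _normalise_path(path: str) -> str:
    # "http://localhost" and "http://localhost/" name the same endpoint.
    return path if path else "/"


def redirect_uri_matches(requested: str, registered: RegisteredRedirect) -> bool:
    """Return True if the requested redirect_uri is acceptable for this registration."""
    req = urlsplit(requested)
    reg = urlsplit(registered.uri)

    # Everything except the port must match exactly for both platforms:
    # scheme, host, path, query and fragment. A different host (for example
    # localhost.attacker.example) is rejected here, which is what stops code
    # interception via a look-alike redirect.
    same_except_port = (
        req.scheme == reg.scheme
        and req.hostname == reg.hostname
        and _normalise_path(req.path) == _normalise_path(reg.path)
        and req.query == reg.query
        and req.fragment == reg.fragment
    )
    if not same_except_port:
        return False

    # RFC 8252 7.3: a native app binds an ephemeral port on the loopback
    # interface at run time, so the server must accept any port for an http
    # loopback redirect registered for a native/desktop platform.
    if (registered.platform == "desktop"
            and req.scheme == "http"
            and req.hostname in LOOPBACK_HOSTS):
        return True

    # Web platform (or a non-loopback host): the port is part of the exact
    # match, so http://localhost:30352 does not match http://localhost.
    # Implicit default ports (http://localhost vs http://localhost:80) are
    # deliberately not treated as equal in this model.
    return req.port == reg.port


def authorize(requested: str, registration: list[RegisteredRedirect], client_id: str) -> tuple[bool, str]:
    """Decide whether an authorization request may use `requested` as its redirect_uri.

    The rejection text mirrors the shape of the service error quoted in this thread.
    """
    for reg in registration:
        if redirect_uri_matches(requested, reg):
            return True, f"redirect_uri accepted via {reg.platform} registration {reg.uri}"
    return False, (
        f"The redirect URI '{requested}' specified in the request does not match "
        f"the redirect URIs configured for the application {client_id}"
    )


if __name__ == "__main__":
    # Constructed sample: the URI from this thread's error, checked against the
    # two ways http://localhost can be registered. [CLIENTID] is a placeholder.
    requested = "http://localhost:30352"
    as_web = [RegisteredRedirect("http://localhost", "web")]
    as_desktop = [RegisteredRedirect("http://localhost", "desktop")]
    print(authorize(requested, as_web, "[CLIENTID]"))      # rejected: port must match
    print(authorize(requested, as_desktop, "[CLIENTID]"))  # accepted: loopback, any port
```

Run it and the "web" registration reproduces the rejection from the issue while the "desktop" registration accepts the same URI; changing the host, scheme or path in `requested` is rejected under both, which is the property the exact-match rule exists to protect.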

exwhyz commented 1 year ago

I can confirm that once I added http://localhost as the redirect_uri in the App Registration, the authentication works fine and I am able to get the Graph data successfully.