AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available at https://learn.microsoft.com/entra/msal/python/ and stable APIs are documented at https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with the tags "msal" + "python": https://stackoverflow.com/questions/tagged/azure-ad-msal+python

Pass additional headers to acquire_token_interactive #541

Closed andresperezl closed 2 months ago

andresperezl commented 1 year ago

Allow passing additional headers to the acquire_token_interactive method, so they don't clash with the ones generated from telemetry_context.generate_headers().

rayluo commented 1 year ago

Would you please also let us know what header you are trying to send, and in what scenario that is useful?

andresperezl commented 1 year ago

It is basically the same problem as https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2482, where when running the script locally you get the error

AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests.

And the solution is to pass the missing header Origin, but trying to set the header in the kwargs conflicts with the telemetry headers.

rayluo commented 1 year ago

SPA? Was that because your app's redirect_uri was registered as a SPA? Normally a Python-powered script should be either a desktop app or a web app, and then you probably would not run into this. Not sure whether you can add http://localhost as a desktop redirect URI for your app. You can try and let us know whether it makes a difference.

andresperezl commented 1 year ago

Sometimes you don't have access to the app configuration, which can happen even with different teams within the same company. If it can be done with the JavaScript implementation of the library, why not with the Python one?

bgavrilMS commented 7 months ago

Not a PY scenario, can be done by HTTP Client customization probably if really needed.

rayluo commented 2 months ago

Sometimes you don't have access to the app configuration, which can happen even with different teams within the same company. If it can be done with the JavaScript implementation of the library, why not with the Python one?

Our understanding is that a SPA app running inside a browser would have the browser automatically set that Origin header for you, and the Microsoft Entra ID backend apparently verifies that Origin header. Now, if you are using Python to impersonate that SPA app and running it outside of a browser, mimicking an Origin header may bypass that Entra backend check; however, we do not know its security implication. For that reason, we hesitate to take this PR. Closing it for now; we may revisit it in the future when/if the need arises again.