AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available here https://learn.microsoft.com/entra/msal/python/ Stable APIs are documented here https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with tag "msal" + "python".
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

Specifying a custom redirect URI in the PublicClientApplication #574

Closed ADNewsom09 closed 1 year ago

ADNewsom09 commented 1 year ago

Describe the bug: Unable to specify a redirect URI in the form http://localhost:1234/MyApp when creating a PublicClientApplication or when using it with acquire_token_interactive.

To Reproduce: Steps to reproduce the behavior:

```python
import msal

import app_config  # local module holding TENANT_ID, APP_ID and SCOPES for the registration

# Tenant-specific authority for the registered application
authUrl = 'https://login.microsoftonline.com/' + app_config.TENANT_ID
app = msal.PublicClientApplication(app_config.APP_ID, authority=authUrl)
# Interactive flow: MSAL listens on http://localhost:<port> and sends that as redirect_uri
token = app.acquire_token_interactive(scopes=app_config.SCOPES)
```

Expected behavior: Using other packages, like the C# one, we have been able to access this API.

What you see instead: AADSTS50011: The redirect URI 'http://localhost:49686' specified in the request does not match the redirect URIs configured for the application

The MSAL Python version you are using: 1.22.0

Additional context: We cannot change the redirect URI on the application because there is another application type that uses the bare localhost, and other connecting applications expect the http://localhost:1234/MyApp redirect URI. I see the docs say:

> The port to be used to listen to an incoming auth response. By default we will use a system-allocated port. (The rest of the redirect_uri is hard coded as http://localhost.)

But that isn't the case with other packages.

rayluo commented 1 year ago

> Additional context: We cannot change the redirect URI on the application because there is another application type that uses the bare localhost, and other connecting applications expect the http://localhost:1234/MyApp redirect URI.

What "other application type" uses the bare localhost?

Note that there are different types (known as "platforms") of applications. Typically, one app (identified by its unique client_id) can target multiple platforms, such as a "Web" platform using redirect URI http://localhost:1234/path for development and https://example.com/path for production, together with a "Mobile and desktop application" platform using bare http://localhost. They will all work together. You shouldn't need to specify a different redirect URI for acquire_token_interactive().
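The mismatch in this issue comes down to the authorization server comparing the redirect_uri MSAL sends (http://localhost:<port>, with no path) against the URIs in the app registration. As an added example (not code from the issue, from this project, or from MSAL itself), the block below reproduces that comparison offline so the mismatch is caught before a browser is opened. The function names (`msal_interactive_redirect_uri`, `redirect_uri_matches`, `diagnose`, `acquire_with_fixed_port`) and the `REGISTERED` list are assumptions constructed from the issue text; the only MSAL API it relies on is the `port=` parameter of `acquire_token_interactive` quoted in the issue. The matching rules are the exact-match requirement of RFC 6749 plus the optional RFC 8252 section 7.3 loopback-port exception; whether any particular server applies that exception is its own policy, so the strict check is the default.

```python
"""Pre-flight check for the redirect URI MSAL Python's interactive flow will send.

acquire_token_interactive() listens on http://localhost and, unless `port=` is
given, lets the OS pick the port, so the redirect_uri it sends is
http://localhost:<port> with no path. The server compares that against the app
registration and rejects a mismatch (AADSTS50011 in the issue). This is an
illustrative helper, not MSAL's own code.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# RFC 8252 recommends 127.0.0.1 / ::1; "localhost" is included because that is
# the host MSAL Python hard-codes.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def msal_interactive_redirect_uri(port):
    """The redirect_uri MSAL Python's interactive flow sends for a pinned port."""
    return "http://localhost:%d" % port


def _normalize(uri):
    """Split a URI into comparable parts: scheme, host, effective port, path, query, fragment."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    path = parts.path or "/"
    return scheme, host, port, path, parts.query, parts.fragment


def redirect_uri_matches(candidate, registered, loopback_port_flexible=False):
    """Exact-match comparison of a candidate redirect_uri against one registered URI.

    loopback_port_flexible=True models RFC 8252 section 7.3 (any port accepted
    for a loopback URI); the path must still match exactly either way.
    """
    c = _normalize(candidate)
    r = _normalize(registered)
    if c[5] or r[5]:  # fragments are never valid in a redirect URI
        return False
    same_loopback = c[0] == r[0] == "http" and c[1] == r[1] and c[1] in LOOPBACK_HOSTS
    if loopback_port_flexible and same_loopback:
        return c[3:5] == r[3:5]  # ignore the port, compare path and query
    return c[:5] == r[:5]


def diagnose(port, registered_uris, loopback_port_flexible=False):
    """Return (candidate_uri, list of registered URIs it matches)."""
    candidate = msal_interactive_redirect_uri(port)
    matched = [u for u in registered_uris
               if redirect_uri_matches(candidate, u, loopback_port_flexible)]
    return candidate, matched


# Constructed sample mirroring the issue: SPA platform registered with bare
# http://localhost:1234, desktop platform registered with a path.
REGISTERED = ["http://localhost:1234", "http://localhost:1234/MyApp"]


def acquire_with_fixed_port(client_id, authority, scopes, port, registered_uris):
    """Run the pre-flight check, then start MSAL's interactive flow on a pinned port.

    The msal import is deferred so the check itself needs neither the library
    nor a browser. Raises ValueError naming the offending URI instead of letting
    the server reply with AADSTS50011 after the browser has already opened.
    """
    candidate, matched = diagnose(port, registered_uris)
    if not matched:
        raise ValueError("%s is not a registered redirect URI; registered: %r"
                         % (candidate, registered_uris))
    import msal  # real dependency, only needed for the interactive call
    app = msal.PublicClientApplication(client_id, authority=authority)
    return app.acquire_token_interactive(scopes=scopes, port=port)


if __name__ == "__main__":
    # 49686 is the system-allocated port from the issue's error message.
    for p in (49686, 1234):
        print(diagnose(p, REGISTERED))
```

With the strict check, port 49686 matches nothing (the issue's error), and a pinned `port=1234` matches only the bare http://localhost:1234 entry, never the http://localhost:1234/MyApp one, because MSAL Python sends no path. The loopback-flexible mode shows why registering a bare loopback URI on the desktop platform, as suggested above, removes the dependence on which port the OS hands out.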

ADNewsom09 commented 1 year ago

The exact situation you are talking about, but in reverse. For this application, there is an SPA platform target that uses bare http://localhost:1234 and a "Mobile and desktop application" platform target that uses http://localhost:1234/path. These are in production, using non-Python libraries which support changing the redirect URI to include those paths, which is why changing the SPA paths away from bare localhost would be an issue for existing users. We are trying to build a Python-based client for this application.

rayluo commented 1 year ago

> there is an SPA platform target that uses bare http://localhost:1234 ... in production

Out of curiosity, why would an in-production SPA app use localhost as its redirect URI? Shouldn't localhost be only for development purposes, and shouldn't the production redirect URI contain https://YourCoolWebsite.com/...?

ADNewsom09 commented 1 year ago

There is of course interesting historical reasoning for this for us. I'm advocating for feature parity with the ms auth library for c#, which does support these paths.

rayluo commented 1 year ago

By any chance the website hosting your SPA app is publicly accessible so that I can take a quick look?