Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available here https://learn.microsoft.com/entra/msal/python/ Stable APIs are documented here https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with tag "msal" + "python".
Problem Statement
Historically, MSAL Python's acquire_token_silent(..., account=...) has had two usages:
1. It accepts a non-empty account to find a token for that user. (This can be used in both PublicClientApplication and ConfidentialClientApplication.)
2. It also accepts account=None to find a token for the current app. (This is only used in combination with ConfidentialClientApplication.acquire_token_for_client().)
Our existing documentation and samples (for example, this one) always put usage #1's acquire_token_silent(...) call inside the if accounts clause, so that, when the account is None (i.e. the user has signed out), the code path does NOT accidentally attempt acquire_token_silent(..., account=None); otherwise it could return a token for a different entity.
However, that relies on the app developer NOT calling acquire_token_silent(..., account=None) accidentally.
Proposal
In this PR, acquire_token_silent(..., account=None) has been changed to a NO-OP. Usage #2 is instead fulfilled by acquire_token_for_client(), which automatically looks up the cache, as demonstrated in the updated samples in this PR.
The change is therefore backward compatible.
As a byproduct, this PR also modifies the telemetry so that acquire_token_for_client(...) includes the token refresh reason, for example 4|730,2| instead of the previous 4|730,0|.
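The guarded pattern described above (only call acquire_token_silent with a non-empty account, and fall back to a user flow when the user has signed out), as an added example that is not code from the MSAL Python repository. The app object is duck-typed, and _LegacyStubApp is a constructed stand-in that mimics the pre-PR behaviour where account=None returns the application's own cached token, so the example runs without msal installed.

```python
from typing import Any, Optional

def acquire_user_token(app: Any, scopes: list, username: Optional[str] = None) -> Optional[dict]:
    """Return a cached or silently refreshed token for the signed-in user, or None.

    `app` is an msal.PublicClientApplication or ConfidentialClientApplication
    (duck-typed here). When no account matches, None is returned and the caller
    must run an interactive or other user flow; acquire_token_silent is never
    reached with account=None, so the app can never receive a token that was
    cached for a different entity.
    """
    accounts = app.get_accounts(username=username)
    if not accounts:
        return None
    return app.acquire_token_silent(scopes, account=accounts[0])

class _LegacyStubApp:
    """Constructed stand-in for a pre-PR MSAL app (not msal's implementation).

    account=None looks up the cache for the application's own token, which is
    the hazard the PR description warns about when a user has signed out.
    """
    def __init__(self, user_accounts):
        self._accounts = list(user_accounts)

    def get_accounts(self, username=None):
        if username is None:
            return list(self._accounts)
        return [a for a in self._accounts if a["username"] == username]

    def acquire_token_silent(self, scopes, account=None, **kwargs):
        if account is None:
            # Pre-PR behaviour: returns the token for the app itself.
            return {"access_token": "APP-TOKEN", "token_source": "cache"}
        return {"access_token": "USER-TOKEN", "token_source": "cache",
                "username": account["username"]}

def demo() -> dict:
    """Compare the guarded helper with an unguarded call on a signed-out app."""
    signed_in = _LegacyStubApp([{"username": "alice@contoso.example", "home_account_id": "id-1"}])
    signed_out = _LegacyStubApp([])
    return {
        "signed_in": acquire_user_token(signed_in, ["User.Read"]),
        "signed_out_guarded": acquire_user_token(signed_out, ["User.Read"]),
        # What the unguarded legacy path would hand back: the wrong entity's token.
        "signed_out_unguarded": signed_out.acquire_token_silent(["User.Read"], account=None),
    }
```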