AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available here https://learn.microsoft.com/entra/msal/python/ Stable APIs are documented here https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with tag "msal" + "python".
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

Remove acquire_token_silent(..., account=None) usage in a backward-compatible way #577

Closed. rayluo closed this 11 months ago.

rayluo commented 1 year ago

Problem Statement

Historically, MSAL Python's acquire_token_silent(..., account=...) has two usages:

  1. it accepts a non-empty account to find token for that user. (This can be used in both PublicClientApplication and ConfidentialClientApplication.)
  2. it also accepts account=None to find a token for the current app. (This is only used in combination with ConfidentialClientApplication.acquire_token_for_client().)

Our existing documentation and samples (for example, this one) always put #1's acquire_token_silent(...) call inside the if accounts clause, such that, when the account is None (i.e. the user signed out), the code path shall NOT accidentally attempt acquire_token_silent(..., account=None); otherwise it would potentially return a token for a different entity.

However, that relies on the app developer to NOT call acquire_token_silent(..., account=None) accidentally.

Proposal

In this PR, acquire_token_silent(..., account=None) has been changed to a NO-OP. And usage #2 will be fulfilled by acquire_token_for_client() automatically looking up the cache, as demonstrated in the updated samples in this PR.

The change is therefore backward compatible.

As a byproduct, this PR also modifies the telemetry so that the acquire_token_for_client(...) will include token refresh reason. For example, 4|730,2|, instead of previous 4|730,0|.
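The following is an added, constructed simulation of the behaviour change described in this PR; it is not MSAL's code. It models a cache holding both a user token and an app-only token for the same client, and contrasts the pre-PR lookup (account=None falls through to the app's token) with the post-PR no-op and the documented "only inside if accounts" sample pattern. All function names, the cache layout and the sample tokens are assumptions made for the illustration.

```python
# Constructed simulation of acquire_token_silent(..., account=...) before and after
# this PR. NOT msal's implementation: names, cache layout and tokens are assumptions.
from typing import Optional

# Constructed cache for one client_id: a user token (usage #1) and an app-only
# client-credential token (usage #2), keyed by home account id or None for the app.
SAMPLE_CACHE = {
    ("client-abc", "user-123"): {"access_token": "user-token", "scopes": {"User.Read"}},
    ("client-abc", None): {"access_token": "app-token", "scopes": {"User.Read"}},
}


def _lookup(cache: dict, client_id: str, home_account_id: Optional[str], scopes: set) -> Optional[dict]:
    # Return a copy of the cached entry if it exists and covers every requested scope.
    entry = cache.get((client_id, home_account_id))
    if entry and scopes <= entry["scopes"]:
        return dict(entry)
    return None


def acquire_token_silent_legacy(cache: dict, client_id: str, scopes: set, account: Optional[dict]) -> Optional[dict]:
    """Pre-PR behaviour: a missing account silently resolves to the app-only token."""
    home_id = account["home_account_id"] if account else None
    return _lookup(cache, client_id, home_id, scopes)


def acquire_token_silent(cache: dict, client_id: str, scopes: set, account: Optional[dict]) -> Optional[dict]:
    """Post-PR behaviour: account=None is a NO-OP, so a signed-out user never gets the app's token."""
    if account is None:
        return None
    return _lookup(cache, client_id, account["home_account_id"], scopes)


def acquire_token_for_client(cache: dict, client_id: str, scopes: set) -> Optional[dict]:
    """Usage #2 after the PR: the client-credential path performs its own cache lookup."""
    return _lookup(cache, client_id, None, scopes)


def get_user_token(cache: dict, client_id: str, scopes: set, accounts: list) -> Optional[dict]:
    """The documented sample pattern: call acquire_token_silent only inside `if accounts`."""
    if accounts:
        return acquire_token_silent(cache, client_id, scopes, accounts[0])
    return None  # signed out: the caller must run an interactive flow, never reuse an app token
```

Running the legacy and the new lookup side by side with account=None shows the entity confusion the PR removes: the legacy path hands back "app-token", the new path returns None.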