Closed jiasli closed 5 months ago
Indeed, the logout semantics are missing for service principal. We would need a new API for that. How about remove_tokens_for_client()? The name may seem a bit lengthy at first glance, but it matches the existing acquire_token_for_client() pattern, so that similarity would give a hint that this new API is only removing tokens obtained by the acquire_token_for_client() API, NOT tokens obtained by, for example, the acquire_token_interactive() API. Your thoughts? CC @bgavrilMS
Also, once we have this new API, the other feature request in #650 will become unnecessary.
MSAL client type: Confidential
Problem Statement
Almost 5 years after https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/12, we now need to support logout for service principal.
Azure CLI currently faces this issue:
The root cause is the behavior change of acquire_token_for_client. Before https://github.com/AzureAD/microsoft-authentication-library-for-python/pull/581, acquire_token_for_client acquired an access token by making a web request to AAD eSTS. This forced MSAL to validate the service principal's client ID and secret against AAD eSTS. However, after this PR, acquire_token_for_client checks the token cache first and returns the access token if the service principal's client ID matches what's in the token cache, thus skipping the web request. MSAL also forbids force_refresh from bypassing the token cache, making it impossible to refresh the service principal token: https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/3d3d02f5a86f668a4662a9cbd7125d70e759a8da/msal/application.py#L2105-L2108
Based on my understanding, there are 2 limitations with MSAL:
Proposed solution
MSAL should have a way to log out a service principal and purge it from the token cache.
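The following is an added, simplified model of the two behaviours discussed in this thread (it is not MSAL's code and does not call MSAL): a cache-first acquire_token_for_client that never re-validates the client secret while a cached token is live, and the proposed remove_tokens_for_client() that purges only that client's app-only tokens and leaves other identities in the shared cache untouched. REGISTERED_SECRETS, ModelApp and SCOPE are constructed stand-ins for the identity provider, the client application and a scope.

```python
import time
from dataclasses import dataclass, field

# Constructed stand-in for the identity provider's client registry (client ID -> secret).
REGISTERED_SECRETS = {"app-1234": "correct-secret"}
SCOPE = "https://graph.microsoft.com/.default"


@dataclass
class ModelApp:
    """Simplified model of a confidential client; not MSAL's own implementation."""
    client_id: str
    client_credential: str
    # Token cache shared across app instances: (client_id, scope) -> (token, expires_at)
    cache: dict = field(default_factory=dict)

    def acquire_token_for_client(self, scope, now=None):
        now = time.time() if now is None else now
        hit = self.cache.get((self.client_id, scope))
        if hit and hit[1] > now:
            # Cache-first lookup: the secret is never sent to the IdP, so a wrong
            # secret still "succeeds" as long as a cached token for this client ID exists.
            return {"access_token": hit[0], "token_source": "cache"}
        if REGISTERED_SECRETS.get(self.client_id) != self.client_credential:
            return {"error": "invalid_client"}
        token = f"tok-{self.client_id}-{int(now)}"
        self.cache[(self.client_id, scope)] = (token, now + 3600)
        return {"access_token": token, "token_source": "identity_provider"}

    def remove_tokens_for_client(self):
        """Proposed logout: drop only this client's app-only tokens; returns count removed."""
        doomed = [k for k in self.cache if k[0] == self.client_id]
        for k in doomed:
            del self.cache[k]
        return len(doomed)


def scenario():
    # A second identity's token sits in the same cache and must survive the logout.
    cache = {("other-app", SCOPE): ("tok-other", time.time() + 3600)}
    first = ModelApp("app-1234", "correct-secret", cache).acquire_token_for_client(SCOPE)
    # A new instance with the same client ID but a wrong secret still gets the cached token.
    rotated = ModelApp("app-1234", "wrong-secret", cache)
    stale = rotated.acquire_token_for_client(SCOPE)
    removed = rotated.remove_tokens_for_client()
    after = rotated.acquire_token_for_client(SCOPE)  # now validated against the IdP
    return {"first": first, "stale": stale, "removed": removed,
            "after": after, "other_kept": ("other-app", SCOPE) in cache}
```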