AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available here https://learn.microsoft.com/entra/msal/python/ Stable APIs are documented here https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with tag "msal" + "python".
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

[Bug] app.get_accounts() return empty list #662

Closed copdips closed 7 months ago

copdips commented 7 months ago

Describe the bug

Hello,

When I use ConfidentialClientApplication, app.get_accounts() returns an empty list, so I cannot use the cache later.

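To Reproduce

Steps to reproduce the behavior:

from os import environ
import msal

# tenant_id and api_app_client_id were undefined in the snippet as posted;
# the environment variable names used for them here are placeholders.
tenant_id = environ["tenant_id"]
api_app_client_id = environ["api_app_client_id"]

config = {
    "authority": f"https://login.microsoftonline.com/{tenant_id}",
    "client_id": environ["sp_client_id"],
    "client_secret": environ["sp_client_secret"],
    # f-string so the API app's client id is actually substituted
    "scope": [f"api://{api_app_client_id}/.default"],
}

app = msal.ConfidentialClientApplication(
    client_id=config["client_id"],
    client_credential=config["client_secret"],
    authority=config["authority"],
)

# Observed result: an empty list
accounts = app.get_accounts()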

Expected behavior

accounts is not empty

What you see instead

  1. accounts is an empty list []
  2. using app.acquire_token_for_client(scopes=config["scope"]) returns the object containing the token

The MSAL Python version you are using

msal 1.26.0, msal-extensions 1.1.0


rayluo commented 7 months ago

What scenarios are you trying to implement?

For a daemon app which uses acquire_token_for_client() only, you won't need an account in the first place. Please follow the samples.

And if you are using a web app which deals with human user accounts, you shall follow our Flask web app sample or Django web app sample.

copdips commented 7 months ago

@rayluo Thanks for your prompt reply. It seems that the msal code has evolved since last year. In my previous notes, I have a code example like the following:

app = msal.ConfidentialClientApplication(
    config["client_id"],
    authority=config["authority"],
    client_credential=config["client_secret"],
)

result = app.acquire_token_silent(scopes=config["scope"], account=None)
if not result:
    result = app.acquire_token_for_client(scopes=config["scope"])

From your example, it seems that acquire_token_for_client() already tries to get the token from the cache first. That's very good, as I can combine the last three lines into one.

BTW, could you please explain a little the difference between msal.ConfidentialClientApplication and azure.identity.aio.ClientSecretCredential? From checking its source code, its get_token() function seems to get the token from the cache first too and, if no token is found, to fall back to new token generation.

https://github.com/Azure/azure-sdk-for-python/blob/f3eafc9bee4669c1437a9a037a2845c67889563e/sdk/identity/azure-identity/azure/identity/aio/_internal/get_token_mixin.py#L88-L97

Forgot to reply to your question: yes, my use case is just like what you supposed, a Flask or Django web app that always calls a backend Azure API from the same client id.

rayluo commented 7 months ago

> it seems that the msal code has evolved since last year

Sure thing. We keep adding new features into MSAL and its samples. If you haven't already, please subscribe/watch this repo (and those sample repos that I mentioned in my earlier message).

> could you please explain a little the difference between msal.ConfidentialClientApplication and azure.identity.aio.ClientSecretCredential

The Azure Identity library is built on top of MSAL. The functionality shall be comparable, if not equivalent. And Azure Identity provides a different API style. You can ask a similar question in the Azure Identity repo and get a perspective from there.

> yes, my use case is just like what you supposed, a Flask or Django web app that always calls a backend Azure API from the same client id.

Then you shall really look into our Flask web app sample or Django web app sample.

copdips commented 7 months ago

Thanks a lot, in the meantime, I also found some very helpful insights from this issue https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/299
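
The pattern the thread settles on for a client-credentials (daemon) app, as an added example that is not part of the thread or of MSAL's own samples: no account lookup, one call to acquire_token_for_client(), and explicit handling of the error fields. The helper names, the tenant_id and api_app_client_id environment variables, and reliance on the token_source key (reported by recent MSAL releases; absent on older ones, where from_cache is simply False) are assumptions.

```python
import os
import time


def build_app(client_id, client_secret, tenant_id):
    """Create the confidential client once and reuse it; its in-memory
    token cache lives on the app object."""
    import msal  # lazy import: get_app_token() below has no hard dependency

    return msal.ConfidentialClientApplication(
        client_id,
        client_credential=client_secret,
        authority=f"https://login.microsoftonline.com/{tenant_id}",
    )


def get_app_token(app, scopes):
    """Client-credentials flow: no user signs in, so there is no account to
    pass and get_accounts() stays empty. acquire_token_for_client() checks
    the cache itself, so no acquire_token_silent() call is needed first."""
    result = app.acquire_token_for_client(scopes=scopes)
    if "access_token" not in result:
        # Report only the error fields; never log the secret or a token.
        raise RuntimeError(
            f"{result.get('error')}: {result.get('error_description')}"
        )
    return {
        "access_token": result["access_token"],
        "from_cache": result.get("token_source") == "cache",
        "expires_at": time.time() + int(result.get("expires_in", 0)),
    }


if __name__ == "__main__":
    # sp_client_id / sp_client_secret are the variable names used in the issue;
    # tenant_id and api_app_client_id are assumed names.
    app = build_app(
        os.environ["sp_client_id"],
        os.environ["sp_client_secret"],
        os.environ["tenant_id"],
    )
    scopes = [f"api://{os.environ['api_app_client_id']}/.default"]
    for attempt in (1, 2):
        token = get_app_token(app, scopes)
        print(f"call {attempt}: served from cache = {token['from_cache']}")
```

Keep the app object alive for the lifetime of the process; a new ConfidentialClientApplication per request starts with an empty cache unless a shared token_cache is passed in.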