Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available at https://learn.microsoft.com/entra/msal/python/ and the stable APIs are documented at https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with the tags "msal" + "python".
In our own web app testing, we sometimes forgot to append the /v2.0 suffix to a CIAM CUD oidc_authority, and ended up with a cryptic error message, "AADSTS500207: The account type can't be used for the resource you're trying to access". This may become an FAQ and a frequent source of customer support requests.
In this PR, we tentatively add a hint to the error message,
'Did you forget to append "/v2.0" to your oidc_authority? '
so that a full error page in a web app may look like this:
Login Failure
invalid_request
Did you forget to append "/v2.0" to your oidc_authority? AADSTS500207: The account type can't be used for the resource you're trying to access. Trace ID: e4568f2b-f5b3-4e5e-b766-e7689b180000 Correlation ID: 765569d0-7583-45ec-93f1-69d6095164a4 Timestamp: 2024-03-21 03:17:17Z
Note:
Currently, this treatment is added to most flows, including CCA's auth code flow, Client Credential flow, Username Password flow (ROPC), and PCA's Device Code flow.
Note that the ROPC flow yields a different error number.
PCA's interactive flow has two places to return the error: the API response, and the error rendered in the browser. In this PR, we added the treatment for the former because it was easy (just a one-liner). The latter would also be a good candidate to receive this treatment; however, it is not implemented in this PR due to its complexity.
The so-called "dev samples" inside the MSAL repo are also updated this time. They can become the blueprint when we update the AzureSamples later.
This PR also contains a change to skip user realm discovery for oidc authority.
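The hinting treatment this PR describes, as an added example that is not MSAL's own code: a preflight check that tells whether an oidc_authority lacks the "/v2.0" suffix, and a helper that prepends the hint to a token-endpoint error response only when the error is the AADSTS500207 text quoted above and the configured authority really is missing the suffix. The host name and the sample response are constructed placeholders; the https-only requirement is an assumption of this example.

```python
"""Added illustration of the /v2.0 hint treatment; not MSAL's code."""
from urllib.parse import urlparse

HINT = 'Did you forget to append "/v2.0" to your oidc_authority? '
# Error code quoted in the PR description for the non-ROPC flows.
SUSPECT_CODE = "AADSTS500207"


def oidc_authority_missing_v2(oidc_authority: str) -> bool:
    """True when the authority URL does not end with /v2.0.

    A trailing slash is tolerated. Requiring https is an assumption
    made here so that malformed values fail loudly instead of silently.
    """
    parsed = urlparse(oidc_authority)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("oidc_authority must be an https URL")
    return not parsed.path.rstrip("/").endswith("/v2.0")


def add_v2_hint(oidc_authority: str, token_response: dict) -> dict:
    """Prepend HINT to error_description when the response carries the
    error this PR associates with a missing suffix AND the configured
    authority indeed lacks it. Any other response passes through."""
    desc = token_response.get("error_description", "")
    if (token_response.get("error")
            and desc.startswith(SUSPECT_CODE)
            and oidc_authority_missing_v2(oidc_authority)):
        patched = dict(token_response)          # do not mutate caller's dict
        patched["error_description"] = HINT + desc
        return patched
    return token_response


# Constructed sample modelled on the error text in the PR description.
SAMPLE_ERROR = {
    "error": "invalid_request",
    "error_description": (
        "AADSTS500207: The account type can't be used for the resource "
        "you're trying to access. Trace ID: <constructed>"
    ),
}

if __name__ == "__main__":
    bad = "https://login.contoso.example"       # placeholder CUD host
    print(add_v2_hint(bad, SAMPLE_ERROR)["error_description"])
```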