-
Notifications
You must be signed in to change notification settings - Fork 201
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add integrated windows authentication support under public clients #652
base: dev
Are you sure you want to change the base?
Conversation
Thanks, @shajia-deshaw . Is there any way to test this? Can they be written into test cases? |
Sure @rayluo - I can add the test cases shortly (I had this tested with a driver script internally) from msal import PublicClientApplication
app = PublicClientApplication(
"<client_id>",
authority="https://login.microsoftonline.com/<tenant_id>")
token = app.acquire_token_integrated_windows_auth("<upn>")
print(token) |
@@ -172,6 +172,7 @@ class ClientApplication(object): | |||
ACQUIRE_TOKEN_FOR_CLIENT_ID = "730" | |||
ACQUIRE_TOKEN_BY_AUTHORIZATION_CODE_ID = "832" | |||
ACQUIRE_TOKEN_INTERACTIVE = "169" | |||
ACQUIRE_TOKEN_INTEGRATED_WINDOWS_AUTH_ID = "870" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure how this number is mapped. I just added a random number for IWA btw.
@@ -243,7 +243,7 @@ def __add(self, event, now=None): | |||
at["refresh_on"] = str(now + refresh_in) # Schema wants a string | |||
self.modify(self.CredentialType.ACCESS_TOKEN, at, at) | |||
|
|||
if client_info and not event.get("skip_account_creation"): | |||
if (client_info or iwa) and not event.get("skip_account_creation"): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The access token returned by IWA did not meet the criteria to be added as an ACCOUNT
credential type in the TokenCache
i.e. it didn't have client_info
in the response. It was being added as a ACCESS_TOKEN
credential type. The cache test in the e2e tests were failing because of it since the get_accounts()
call didn't return anything and it assumed there was nothing being added to the cache. Hence, I added a special case of iwa
to be added to the ACCOUNT
credential type.
The other alternative is to add a method for get_access_tokens
similar to get_accounts
and use it to decide if we need to acquire new tokens silently for the items in cache.
Hello folks, just an update - I'm working with my employer to sign the CLA soon. |
@microsoft-github-policy-service agree company="D. E. Shaw & Co., L.P." |
Hello @ashok672 - Checking if you had a chance to review the PR? Thanks. |
Overview
Adds support for Integrated Windows Authentication similar to the Java/.NET clients/
Fixes: #31