AzureAD
diff --git a/‎msal/application.py‎
Lines changed: 39 additions & 2 deletions b/‎msal/application.py‎
Lines changed: 39 additions & 2 deletions
diff --git a/‎msal/authority.py‎
Lines changed: 12 additions & 0 deletions b/‎msal/authority.py‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎msal/mex.py‎
Lines changed: 131 additions & 0 deletions b/‎msal/mex.py‎
Lines changed: 131 additions & 0 deletions
diff --git a/‎msal/wstrust_request.py‎
Lines changed: 130 additions & 0 deletions b/‎msal/wstrust_request.py‎
Lines changed: 130 additions & 0 deletions
@@ -4,13 +4,19 @@
 except:  # Python 3
     from urllib.parse import urljoin
 import logging
+from base64 import b64encode
 
 from oauth2cli import Client
 from .authority import Authority
 from .assertion import create_jwt_assertion
+import mex
+import wstrust_request
+from .wstrust_response import SAML_TOKEN_TYPE_V1, SAML_TOKEN_TYPE_V2
 from .token_cache import TokenCache
 
 
+logger = logging.getLogger(__name__)
+
 def decorate_scope(
         scope, client_id,
         policy=None,  # obsolete
@@ -268,9 +274,40 @@ class PublicClientApplication(ClientApplication):  # browser app or mobile app
     def acquire_token_with_username_password(
             self, username, password, scope=None, **kwargs):
         """Gets a token for a given resource via user credentails."""
+        scope = decorate_scope(scope, self.client_id)
+        if not self.authority.is_adfs:
+            user_realm_result = self.authority.user_realm_discovery(username)
+            if user_realm_result.get("account_type") == "Federated":
+                return self._acquire_token_with_username_password_federated(
+                    user_realm_result, username, password, scope=scope, **kwargs)
         return self.client.obtain_token_with_username_password(
-                username, password,
-                scope=decorate_scope(scope, self.client_id), **kwargs)
+                username, password, scope=scope, **kwargs)
+
+    def _acquire_token_with_username_password_federated(
+            self, user_realm_result, username, password, scope=None, **kwargs):
+        wstrust_endpoint = {}
+        if user_realm_result.get("federation_metadata_url"):
+            wstrust_endpoint = mex.send_request(
+                user_realm_result["federation_metadata_url"])
+        logger.debug("wstrust_endpoint = %s", wstrust_endpoint)
+        wstrust_result = wstrust_request.send_request(
+            username, password, user_realm_result.get("cloud_audience_urn"),
+            wstrust_endpoint.get("address",
+                # Fallback to an AAD supplied endpoint
+                user_realm_result.get("federation_active_auth_url")),
+            wstrust_endpoint.get("action"), **kwargs)
+        if not ("token" in wstrust_result and "type" in wstrust_result):
+            raise RuntimeError("Unsuccessful RSTR. %s" % wstrust_result)
+        grant_type = {
+            SAML_TOKEN_TYPE_V1: 'urn:ietf:params:oauth:grant-type:saml1_1-bearer',
+            SAML_TOKEN_TYPE_V2: self.client.GRANT_TYPE_SAML2,
+            }.get(wstrust_result.get("type"))
+        if not grant_type:
+            raise RuntimeError(
+                "RSTR returned unknown token type: %s", wstrust_result.get("type"))
+        return self.client.obtain_token_with_assertion(
+            b64encode(wstrust_result["token"]),
+            grant_type=grant_type, scope=scope, **kwargs)
 
     def acquire_token(
             self,
 
@@ -41,6 +41,18 @@ def __init__(self, authority_url, validate_authority=True):
         self.authorization_endpoint = openid_config['authorization_endpoint']
         self.token_endpoint = openid_config['token_endpoint']
         _, _, self.tenant = canonicalize(self.token_endpoint)  # Usually a GUID
+        self.is_adfs = self.tenant.lower() == 'adfs'
+
+    def user_realm_discovery(self, username, **kwargs):
+        resp = requests.get(
+            "https://{netloc}/common/userrealm/{username}?api-version=1.0".format(
+                netloc=self.instance, username=username),
+            headers={'Accept':'application/json'}, **kwargs)
+        resp.raise_for_status()
+        return resp.json()
+        # It will typically contain "ver", "account_type",
+        # "federation_protocol", "cloud_audience_urn",
+        # "federation_metadata_url", "federation_active_auth_url", etc.
 
 def canonicalize(url):
     # Returns (canonicalized_url, netloc, tenant). Raises ValueError on errors.
 
@@ -0,0 +1,131 @@
+#------------------------------------------------------------------------------
+#
+# Copyright (c) Microsoft Corporation.
+# All rights reserved.
+#
+# This code is licensed under the MIT License.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files(the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions :
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+#------------------------------------------------------------------------------
+
+try:
+    from urllib.parse import urlparse
+except:
+    from urlparse import urlparse
+try:
+    from xml.etree import cElementTree as ET
+except ImportError:
+    from xml.etree import ElementTree as ET
+
+import requests
+
+
+def _xpath_of_root(route_to_leaf):
+    # Construct an xpath suitable to find a root node which has a specified leaf
+    return '/'.join(route_to_leaf + ['..'] * (len(route_to_leaf)-1))
+
+def send_request(mex_endpoint, **kwargs):
+    mex_document = requests.get(
+        mex_endpoint, headers={'Content-Type': 'application/soap+xml'},
+        **kwargs).text
+    return Mex(mex_document).get_wstrust_username_password_endpoint()
+
+
+class Mex(object):
+
+    NS = {  # Also used by wstrust_*.py
+        'wsdl': 'http://schemas.xmlsoap.org/wsdl/',
+        'sp': 'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702',
+        'sp2005': 'http://schemas.xmlsoap.org/ws/2005/07/securitypolicy',
+        'wsu': 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd',
+        'wsa': 'http://www.w3.org/2005/08/addressing',  # Duplicate?
+        'wsa10': 'http://www.w3.org/2005/08/addressing',
+        'http': 'http://schemas.microsoft.com/ws/06/2004/policy/http',
+        'soap12': 'http://schemas.xmlsoap.org/wsdl/soap12/',
+        'wsp': 'http://schemas.xmlsoap.org/ws/2004/09/policy',
+        's': 'http://www.w3.org/2003/05/soap-envelope',
+        'wst': 'http://docs.oasis-open.org/ws-sx/ws-trust/200512',
+        'trust': "http://docs.oasis-open.org/ws-sx/ws-trust/200512",  # Duplicate?
+        'saml': "urn:oasis:names:tc:SAML:1.0:assertion",
+        'wst2005': 'http://schemas.xmlsoap.org/ws/2005/02/trust',  # was named "t"
+        }
+    ACTION_13 = 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue'
+    ACTION_2005 = 'http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue'
+
+    def __init__(self, mex_document):
+        self.dom = ET.fromstring(mex_document)
+
+    def _get_policy_ids(self, components_to_leaf, binding_xpath):
+        id_attr = '{%s}Id' % self.NS['wsu']
+        return set(["#{}".format(policy.get(id_attr))
+            for policy in self.dom.findall(_xpath_of_root(components_to_leaf), self.NS)
+            # If we did not find any binding, this is potentially bad.
+            if policy.find(binding_xpath, self.NS) is not None])
+
+    def _get_username_password_policy_ids(self):
+        path = ['wsp:Policy', 'wsp:ExactlyOne', 'wsp:All',
+            'sp:SignedEncryptedSupportingTokens', 'wsp:Policy',
+            'sp:UsernameToken', 'wsp:Policy', 'sp:WssUsernameToken10']
+        policies = self._get_policy_ids(path, './/sp:TransportBinding')
+        path2005 = ['wsp:Policy', 'wsp:ExactlyOne', 'wsp:All',
+            'sp2005:SignedSupportingTokens', 'wsp:Policy',
+            'sp2005:UsernameToken', 'wsp:Policy', 'sp2005:WssUsernameToken10']
+        policies.update(self._get_policy_ids(path2005, './/sp2005:TransportBinding'))
+        return policies
+
+    def _get_iwa_policy_ids(self):
+        return self._get_policy_ids(
+            ['wsp:Policy', 'wsp:ExactlyOne', 'wsp:All', 'http:NegotiateAuthentication'],
+            './/sp2005:TransportBinding')
+
+    def _get_bindings(self):
+        bindings = {}  # {binding_name: {"policy_uri": "...", "version": "..."}}
+        for binding in self.dom.findall("wsdl:binding", self.NS):
+            if (binding.find('soap12:binding', self.NS).get("transport") !=
+                    'http://schemas.xmlsoap.org/soap/http'):
+                continue
+            action = binding.find(
+                'wsdl:operation/soap12:operation', self.NS).get("soapAction")
+            for pr in binding.findall("wsp:PolicyReference", self.NS):
+                bindings[binding.get("name")] = {
+                    "policy_uri": pr.get("URI"), "action": action}
+        return bindings
+
+    def _get_endpoints(self, bindings, policy_ids):
+        endpoints = []
+        for port in self.dom.findall('wsdl:service/wsdl:port', self.NS):
+            binding_name = port.get("binding").split(':')[-1]  # Should have 2 parts
+            binding = bindings.get(binding_name)
+            if binding and binding["policy_uri"] in policy_ids:
+                address = port.find('wsa10:EndpointReference/wsa10:Address', self.NS)
+                if address is not None and address.text.lower().startswith("https://"):
+                    endpoints.append(
+                        {"address": address.text, "action": binding["action"]})
+        return endpoints
+
+    def get_wstrust_username_password_endpoint(self):
+        """Returns {"address": "https://...", "action": "the soapAction value"}"""
+        endpoints = self._get_endpoints(
+                self._get_bindings(), self._get_username_password_policy_ids())
+        for e in endpoints:
+            if e["action"] == self.ACTION_13:
+                return e  # Historically, we prefer ACTION_13 a.k.a. WsTrust13
+        return endpoints[0] if endpoints else None
+
@@ -0,0 +1,130 @@
+#------------------------------------------------------------------------------
+#
+# Copyright (c) Microsoft Corporation.
+# All rights reserved.
+#
+# This code is licensed under the MIT License.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files(the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions :
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+#------------------------------------------------------------------------------
+
+import uuid
+from datetime import datetime, timedelta
+import re
+import logging
+
+import requests
+
+from .mex import Mex
+import wstrust_response
+
+
+logger = logging.getLogger(__file__)
+
+def send_request(
+        username, password, cloud_audience_urn, endpoint_address, soap_action,
+        **kwargs):
+    if not endpoint_address:
+        raise ValueError("WsTrust endpoint address can not be empty")
+    if soap_action is None:
+        wstrust2005_regex = r'[/trust]?[2005][/usernamemixed]?'
+        wstrust13_regex = r'[/trust]?[13][/usernamemixed]?'
+        if re.search(wstrust2005_regex, endpoint_address):
+            soap_action = Mex.ACTION_2005
+        elif re.search(wstrust13_regex, endpoint_address):
+            soap_action = Mex.ACTION_13
+    assert soap_action in (Mex.ACTION_13, Mex.ACTION_2005)  # A loose check here
+    data = _build_rst(
+        username, password, cloud_audience_urn, endpoint_address, soap_action)
+    resp = requests.post(endpoint_address, data=data, headers={
+            'Content-type':'application/soap+xml; charset=utf-8',
+            'SOAPAction': soap_action,
+            }, **kwargs)
+    if resp.status_code >= 400:
+        logger.debug("Unsuccessful WsTrust request receives: %s", resp.text)
+    # It turns out ADFS uses 5xx status code even with client-side incorrect password error
+    # resp.raise_for_status()
+    return wstrust_response.parse_response(resp.text)
+
+def escape_password(password):
+    return (password.replace('&', '&amp;').replace('"', '&quot;')
+        .replace("'", '&apos;')  # the only one not provided by cgi.escape(s, True)
+        .replace('<', '&lt;').replace('>', '&gt;'))
+
+def wsu_time_format(datetime_obj):
+    # WsTrust (http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html)
+    # does not seem to define timestamp format, but we see YYYY-mm-ddTHH:MM:SSZ
+    # here (https://www.ibm.com/developerworks/websphere/library/techarticles/1003_chades/1003_chades.html)
+    # It avoids the uncertainty of the optional ".ssssss" in datetime.isoformat()
+    # https://docs.python.org/2/library/datetime.html#datetime.datetime.isoformat
+    return datetime_obj.strftime('%Y-%m-%dT%H:%M:%SZ')
+
+def _build_rst(username, password, cloud_audience_urn, endpoint_address, soap_action):
+    now = datetime.utcnow()
+    return """<s:Envelope xmlns:s='{s}' xmlns:wsa='{wsa}' xmlns:wsu='{wsu}'>
+        <s:Header>
+            <wsa:Action s:mustUnderstand='1'>{soap_action}</wsa:Action>
+            <wsa:messageID>urn:uuid:{message_id}</wsa:messageID>
+            <wsa:ReplyTo>
+            <wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
+            </wsa:ReplyTo>
+            <wsa:To s:mustUnderstand='1'>{endpoint_address}</wsa:To>
+
+            <wsse:Security s:mustUnderstand='1'
+            xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'>
+                <wsu:Timestamp wsu:Id='_0'>
+                    <wsu:Created>{time_now}</wsu:Created>
+                    <wsu:Expires>{time_expire}</wsu:Expires>
+                </wsu:Timestamp>
+                <wsse:UsernameToken wsu:Id='ADALUsernameToken'>
+                    <wsse:Username>{username}</wsse:Username>
+                    <wsse:Password>{password}</wsse:Password>
+                </wsse:UsernameToken>
+            </wsse:Security>
+
+        </s:Header>
+        <s:Body>
+        <wst:RequestSecurityToken xmlns:wst='{wst}'>
+        <wsp:AppliesTo xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy'>
+            <wsa:EndpointReference>
+                <wsa:Address>{applies_to}</wsa:Address>
+            </wsa:EndpointReference>
+        </wsp:AppliesTo>
+        <wst:KeyType>{key_type}</wst:KeyType>
+            <wst:RequestType>{request_type}</wst:RequestType>
+        </wst:RequestSecurityToken>
+        </s:Body>
+        </s:Envelope>""".format(
+            s=Mex.NS["s"], wsu=Mex.NS["wsu"], wsa=Mex.NS["wsa10"],
+            soap_action=soap_action, message_id=str(uuid.uuid4()),
+            endpoint_address=endpoint_address,
+            time_now=wsu_time_format(now),
+            time_expire=wsu_time_format(now + timedelta(minutes=10)),
+            username=username, password=escape_password(password),
+            wst=Mex.NS["wst"] if soap_action == Mex.ACTION_13 else Mex.NS["wst2005"],
+            applies_to=cloud_audience_urn,
+            key_type='http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer'
+                if soap_action == Mex.ACTION_13 else
+                'http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey',
+            request_type='http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue'
+                if soap_action == Mex.ACTION_13 else
+                'http://schemas.xmlsoap.org/ws/2005/02/trust/Issue',
+        )
+