ROPC deprecation

Ugonnaak1 · Ugonnaak1 · commit 2e8c9b35c2e9 · 2025-09-25T14:15:24.000-07:00
diff --git a/msal/__main__.py b/msal/__main__.py
@@ -10,7 +10,7 @@
 Usage 2: Build an all-in-one executable file for bug bash.
     shiv -e msal.__main__._main -o msaltest-on-os-name.pyz .
 """
-import base64, getpass, json, logging, sys, os, atexit, msal
+import base64, getpass, json, logging, sys, os, atexit, msal, warnings
 
 _token_cache_filename = "msal_cache.bin"
 global_cache = msal.SerializableTokenCache()
@@ -149,7 +149,13 @@ def _acquire_token_interactive(app, scopes=None, data=None):
     return result
 
 def _acquire_token_by_username_password(app):
-    """acquire_token_by_username_password() - See constraints here: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows#constraints-for-ropc"""
+    """
+    [Deprecated] This API is deprecated and will be removed in a future release. Use a more secure flow instead. 
+    Migration guide: https://aka.ms/msal-ropc-migration
+
+    acquire_token_by_username_password() - See constraints here: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows#constraints-for-ropc
+    """
+    warnings.warn("This API has been deprecated, please use a more secure flow. See https://aka.ms/msal-ropc-migration for migration guidance", DeprecationWarning)
     print_json(app.acquire_token_by_username_password(
         _input("username: "), getpass.getpass("password: "), scopes=_input_scopes()))
 
@@ -322,7 +328,6 @@ def _main():
             _acquire_pop_token_interactive,
             ] if isinstance(app, msal.PublicClientApplication) else []
         ) + [
-            _acquire_token_by_username_password,
             _remove_account,
         ] + ([
             _acquire_token_for_client,
diff --git a/msal/application.py b/msal/application.py
@@ -1815,7 +1815,11 @@ def acquire_token_by_username_password(
             # because this ROPC won't work with MSA account anyway.
             auth_scheme=None,
             **kwargs):
-        """Gets a token for a given resource via user credentials.
+        """
+        [Deprecated] This API is deprecated and will be removed in a future release. Use a more secure flow instead. 
+        Migration guide: https://aka.ms/msal-ropc-migration
+
+        Gets a token for a given resource via user credentials.
 
         See this page for constraints of Username Password Flow.
         https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication
@@ -1841,6 +1845,7 @@ def acquire_token_by_username_password(
             - A successful response would contain "access_token" key,
             - an error response would contain "error" and usually "error_description".
         """
+        warnings.warn("This API has been deprecated, please use a more secure flow. See https://aka.ms/msal-ropc-migration for migration guidance", DeprecationWarning)
         claims = _merge_claims_challenge_and_capabilities(
                 self._client_capabilities, claims_challenge)
         if self._enable_broker and sys.platform in ("win32", "darwin"):
diff --git a/sample/username_password_sample.py b/sample/username_password_sample.py
@@ -69,6 +69,7 @@ def acquire_and_use_token():
         logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
         # See this page for constraints of Username Password Flow.
         # https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication
+        result = global_app.acquire_token
         result = global_app.acquire_token_by_username_password(
             os.getenv("USERNAME"), password, scopes=scopes)
 
diff --git a/tests/broker-test.py b/tests/broker-test.py
@@ -15,6 +15,7 @@
 4. Run this test by `python broker-test.py` and make sure all the tests passed.
 
 """
+import unittest
 import msal
 import getpass
 import os
@@ -67,6 +68,7 @@ def interactive_and_silent(scopes, auth_scheme, data, expected_token_type):
         )
     _assert(result, expected_token_type)
 
+@unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed")
 def test_broker_username_password(scopes, expected_token_type):
     print("Testing broker username password flows by using accounts in local .env")
     username = os.getenv("BROKER_TEST_ACCOUNT") or input("Input test account for broker test: ")
diff --git a/tests/test_account_source.py b/tests/test_account_source.py
@@ -52,6 +52,7 @@ def test_device_flow_and_its_silent_call_should_bypass_broker(self, _, mocked_br
         mocked_broker_ats.assert_not_called()
         self.assertEqual(result["token_source"], "identity_provider")
 
+    @unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed")
     def test_ropc_flow_and_its_silent_call_should_invoke_broker(self, _, mocked_broker_ats):
         with patch("msal.broker._signin_silently", return_value=dict(TOKEN_RESPONSE, _account_id="placeholder")):
             result = self.app.acquire_token_by_username_password(
diff --git a/tests/test_application.py b/tests/test_application.py
@@ -575,6 +575,7 @@ def mock_post(url, headers=None, *args, **kwargs):
         self.assertEqual(result[self.app._TOKEN_SOURCE], self.app._TOKEN_SOURCE_IDP)
         self.assertEqual(at, result.get("access_token"))
 
+    @unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed")
     def test_acquire_token_by_username_password(self):
         at = "this is an access token"
         def mock_post(url, headers=None, *args, **kwargs):
@@ -706,6 +707,7 @@ def test_organizations_authority_should_emit_warning(self):
 
 @patch(_OIDC_DISCOVERY, new=_OIDC_DISCOVERY_MOCK)
 class TestRemoveTokensForClient(unittest.TestCase):
+    @unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed")
     def test_remove_tokens_for_client_should_remove_client_tokens_only(self):
         at_for_user = "AT for user"
         cca = msal.ConfidentialClientApplication(
diff --git a/tests/test_ccs.py b/tests/test_ccs.py
@@ -60,6 +60,7 @@ def test_acquire_token_silent(self):
                 mocked_method.call_args[1].get("headers", {}).get('X-AnchorMailbox'),
                 "CSS routing info should be derived from home_account_id")
 
+    @unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed")
     def test_acquire_token_by_username_password(self):
         app = msal.ClientApplication("client_id")
         username = "johndoe@contoso.com"
diff --git a/tests/test_e2e.py b/tests/test_e2e.py
@@ -197,6 +197,7 @@ def _build_app(cls,
                 enable_broker_on_wsl=_PYMSALRUNTIME_INSTALLED,
                 )
 
+    @unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed")
     def _test_username_password(self,
             authority=None, client_id=None, username=None, password=None, scope=None,
             oidc_authority=None,
@@ -644,6 +645,7 @@ def _test_acquire_token_by_auth_code_flow(
                     username, result["id_token_claims"]["preferred_username"]))
         self.assertCacheWorksForUser(result, scope, username=None)
 
+    @unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed")
     def _test_acquire_token_obo(self, config_pca, config_cca,
             azure_region=None,  # Regional endpoint does not really support OBO.
                 # Here we just test regional apps won't adversely break OBO
