Merge branch 'dev' into mi

Author: rayluo

docs/index.rst

@@ -30,9 +30,9 @@ MSAL Python supports some of them.
         usemap="#public-map"><!-- Derived from http://www.image-map.net/ but we had to manually add unique map id -->
     <map name="public-map">
         <area target="_blank" coords="110,150,59,94" shape="rect"
-            alt="Web app" title="Web app" href="https://learn.microsoft.com/azure/active-directory/develop/web-app-quickstart?pivots=devlang-python>
+            alt="Web app" title="Web app" href="https://learn.microsoft.com/azure/active-directory/develop/web-app-quickstart?pivots=devlang-python">
         <area target="_blank" coords="58,281,108,338" shape="rect"
-            alt="Web app" title="Web app" href="https://learn.microsoft.com/azure/active-directory/develop/web-app-quickstart?pivots=devlang-python>
+            alt="Web app" title="Web app" href="https://learn.microsoft.com/azure/active-directory/develop/web-app-quickstart?pivots=devlang-python">
         <area target="_blank" coords="57,529,127,470" shape="rect"
             alt="Desktop App" title="Desktop App" href="https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/dev/sample/interactive_sample.py">
             <!-- TODO: Upgrade this sample to use Interactive Flow: https://github.com/Azure-Samples/ms-identity-python-desktop/blob/master/1-Call-MsGraph-WithUsernamePassword/username_password_sample.py -->

msal/application.py

@@ -25,7 +25,7 @@
 
 
 # The __init__.py will import this. Not the other way around.
-__version__ = "1.21.0"  # When releasing, also check and bump our dependencies's versions if needed
+__version__ = "1.22.0"  # When releasing, also check and bump our dependencies's versions if needed
 
 logger = logging.getLogger(__name__)
 _AUTHORITY_TYPE_CLOUDSHELL = "CLOUDSHELL"
@@ -444,6 +444,8 @@ def __init__(
             New in version 1.19.0.
 
         :param boolean allow_broker:
+            This parameter is NOT applicable to :class:`ConfidentialClientApplication`.
+
             A broker is a component installed on your device.
             Broker implicitly gives your device an identity. By using a broker,
             your device becomes a factor that can satisfy MFA (Multi-factor authentication).

msal/authority.py

@@ -5,8 +5,6 @@
     from urlparse import urlparse
 import logging
 
-from .exceptions import MsalServiceError
-
 
 logger = logging.getLogger(__name__)
 
@@ -28,7 +26,9 @@
     "b2clogin.cn",
     "b2clogin.us",
     "b2clogin.de",
+    "ciamlogin.com",
     ]
+_CIAM_DOMAIN_SUFFIX = ".ciamlogin.com"
 
 
 class AuthorityBuilder(object):
@@ -52,12 +52,6 @@ class Authority(object):
     """
     _domains_without_user_realm_discovery = set([])
 
-    @property
-    def http_client(self):  # Obsolete. We will remove this eventually
-        warnings.warn(
-            "authority.http_client might be removed in MSAL Python 1.21+", DeprecationWarning)
-        return self._http_client
-
     def __init__(
             self, authority_url, http_client,
             validate_authority=True,
@@ -80,7 +74,8 @@ def __init__(
         if isinstance(authority_url, AuthorityBuilder):
             authority_url = str(authority_url)
         authority, self.instance, tenant = canonicalize(authority_url)
-        self.is_adfs = tenant.lower() == 'adfs'
+        is_ciam = self.instance.endswith(_CIAM_DOMAIN_SUFFIX)
+        self.is_adfs = tenant.lower() == 'adfs' and not is_ciam
         parts = authority.path.split('/')
         self._is_b2c = any(
             self.instance.endswith("." + d) for d in WELL_KNOWN_B2C_HOSTS
@@ -109,13 +104,13 @@ def __init__(
                     % authority_url)
             tenant_discovery_endpoint = payload['tenant_discovery_endpoint']
         else:
-            tenant_discovery_endpoint = (
-                'https://{}:{}{}{}/.well-known/openid-configuration'.format(
-                    self.instance,
-                    443 if authority.port is None else authority.port,
-                    authority.path,  # In B2C scenario, it is "/tenant/policy"
-                    "" if tenant == "adfs" else "/v2.0" # the AAD v2 endpoint
-                    ))
+            tenant_discovery_endpoint = authority._replace(
+                path="{prefix}{version}/.well-known/openid-configuration".format(
+                    prefix=tenant if is_ciam and len(authority.path) <= 1  # Path-less CIAM
+                        else authority.path,  # In B2C, it is "/tenant/policy"
+                    version="" if self.is_adfs else "/v2.0",
+                    )
+                ).geturl()  # Keeping original port and query. Query is useful for test.
         try:
             openid_config = tenant_discovery(
                 tenant_discovery_endpoint,
@@ -150,18 +145,28 @@ def user_realm_discovery(self, username, correlation_id=None, response=None):
         return {}  # This can guide the caller to fall back normal ROPC flow
 
 
-def canonicalize(authority_url):
+def canonicalize(authority_or_auth_endpoint):
     # Returns (url_parsed_result, hostname_in_lowercase, tenant)
-    authority = urlparse(authority_url)
-    parts = authority.path.split("/")
-    if authority.scheme != "https" or len(parts) < 2 or not parts[1]:
-        raise ValueError(
-            "Your given address (%s) should consist of "
-            "an https url with a minimum of one segment in a path: e.g. "
-            "https://login.microsoftonline.com/<tenant> "
-            "or https://<tenant_name>.b2clogin.com/<tenant_name>.onmicrosoft.com/policy"
-            % authority_url)
-    return authority, authority.hostname, parts[1]
+    authority = urlparse(authority_or_auth_endpoint)
+    if authority.scheme == "https":
+        parts = authority.path.split("/")
+        first_part = parts[1] if len(parts) >= 2 and parts[1] else None
+        if authority.hostname.endswith(_CIAM_DOMAIN_SUFFIX):  # CIAM
+            # Use path in CIAM authority. It will be validated by OIDC Discovery soon
+            tenant = first_part if first_part else "{}.onmicrosoft.com".format(
+                # Fallback to sub domain name. This variation may not be advertised
+                authority.hostname.rsplit(_CIAM_DOMAIN_SUFFIX, 1)[0])
+            return authority, authority.hostname, tenant
+        # AAD
+        if len(parts) >= 2 and parts[1]:
+            return authority, authority.hostname, parts[1]
+    raise ValueError(
+        "Your given address (%s) should consist of "
+        "an https url with a minimum of one segment in a path: e.g. "
+        "https://login.microsoftonline.com/<tenant> "
+        "or https://<tenant_name>.ciamlogin.com/<tenant> "
+        "or https://<tenant_name>.b2clogin.com/<tenant_name>.onmicrosoft.com/policy"
+        % authority_or_auth_endpoint)
 
 def _instance_discovery(url, http_client, instance_discovery_endpoint, **kwargs):
     resp = http_client.get(
@@ -174,16 +179,14 @@ def tenant_discovery(tenant_discovery_endpoint, http_client, **kwargs):
     # Returns Openid Configuration
     resp = http_client.get(tenant_discovery_endpoint, **kwargs)
     if resp.status_code == 200:
-        payload = json.loads(resp.text)  # It could raise ValueError
-        if 'authorization_endpoint' in payload and 'token_endpoint' in payload:
-            return payload  # Happy path
-        raise ValueError("OIDC Discovery does not provide enough information")
+        return json.loads(resp.text)  # It could raise ValueError
     if 400 <= resp.status_code < 500:
         # Nonexist tenant would hit this path
         # e.g. https://login.microsoftonline.com/nonexist_tenant/v2.0/.well-known/openid-configuration
-        raise ValueError(
-            "OIDC Discovery endpoint rejects our request. Error: {}".format(
-                resp.text  # Expose it as-is b/c OIDC defines no error response format
+        raise ValueError("OIDC Discovery failed on {}. HTTP status: {}, Error: {}".format(
+            tenant_discovery_endpoint,
+            resp.status_code,
+            resp.text,  # Expose it as-is b/c OIDC defines no error response format
             ))
     # Transient network error would hit this path
     resp.raise_for_status()

msal/oauth2cli/http.py

@@ -58,6 +58,11 @@ class Response(object):
         # but a `text` would be more generic,
         # when downstream packages would potentially access some XML endpoints.
 
+    headers = {}  # Duplicated headers are expected to be combined into one header
+                  # with its value as a comma-separated string.
+                  # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.2
+                  # Popular HTTP libraries model it as a case-insensitive dict.
+
     def raise_for_status(self):
         """Raise an exception when http response status contains error"""
         raise NotImplementedError("Your implementation should provide this")

setup.cfg

@@ -4,3 +4,6 @@ universal=1
 [metadata]
 project_urls =
     Changelog = https://github.com/AzureAD/microsoft-authentication-library-for-python/releases
+    Documentation = https://msal-python.readthedocs.io/
+    Questions = https://stackoverflow.com/questions/tagged/azure-ad-msal+python
+    Feature/Bug Tracker = https://github.com/AzureAD/microsoft-authentication-library-for-python/issues

setup.py

@@ -77,7 +77,7 @@
         'requests>=2.0.0,<3',
         'PyJWT[crypto]>=1.0.0,<3',  # MSAL does not use jwt.decode(), therefore is insusceptible to CVE-2022-29217 so no need to bump to PyJWT 2.4+
 
-        'cryptography>=0.6,<41',
+        'cryptography>=0.6,<43',
             # load_pem_private_key() is available since 0.6
             # https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst#06---2014-09-29
             #

tests/http_client.py

@@ -25,9 +25,10 @@ def close(self):  # Not required, but we use it to avoid a warning in unit test
 
 
 class MinimalResponse(object):  # Not for production use
-    def __init__(self, requests_resp=None, status_code=None, text=None):
+    def __init__(self, requests_resp=None, status_code=None, text=None, headers=None):
         self.status_code = status_code or requests_resp.status_code
         self.text = text if text is not None else requests_resp.text
+        self.headers = {} if headers is None else headers
         self._raw_resp = requests_resp
 
     def raise_for_status(self):

tests/test_authority.py

@@ -79,6 +79,26 @@ def test_invalid_host_skipping_validation_can_be_turned_off(self):
             pass  # Those are expected for this unittest case
 
 
+@patch("msal.authority.tenant_discovery", return_value={
+    "authorization_endpoint": "https://contoso.com/placeholder",
+    "token_endpoint": "https://contoso.com/placeholder",
+    })
+class TestCiamAuthority(unittest.TestCase):
+    http_client = MinimalHttpClient()
+
+    def test_path_less_authority_should_work(self, oidc_discovery):
+        Authority('https://contoso.ciamlogin.com', self.http_client)
+        oidc_discovery.assert_called_once_with(
+            "https://contoso.ciamlogin.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration",
+            self.http_client)
+
+    def test_authority_with_path_should_be_used_as_is(self, oidc_discovery):
+        Authority('https://contoso.ciamlogin.com/anything', self.http_client)
+        oidc_discovery.assert_called_once_with(
+            "https://contoso.ciamlogin.com/anything/v2.0/.well-known/openid-configuration",
+            self.http_client)
+
+
 class TestAuthorityInternalHelperCanonicalize(unittest.TestCase):
 
     def test_canonicalize_tenant_followed_by_extra_paths(self):

tests/test_e2e.py

@@ -897,6 +897,57 @@ def test_b2c_allows_using_client_id_as_scope(self):
             )
 
 
+class CiamTestCase(LabBasedTestCase):
+    # Test cases below show you what scenarios need to be covered for CIAM.
+    # Detail test behaviors have already been implemented in preexisting helpers.
+
+    @classmethod
+    def setUpClass(cls):
+        super(CiamTestCase, cls).setUpClass()
+        cls.user = cls.get_lab_user(
+            federationProvider="ciam", signinAudience="azureadmyorg", publicClient="No")
+        # FYI: Only single- or multi-tenant CIAM app can have other-than-OIDC
+        # delegated permissions on Microsoft Graph.
+        cls.app_config = cls.get_lab_app_object(cls.user["client_id"])
+
+    def test_ciam_acquire_token_interactive(self):
+        self._test_acquire_token_interactive(
+            authority=self.app_config["authority"],
+            client_id=self.app_config["appId"],
+            scope=self.app_config["scopes"],
+            username=self.user["username"],
+            lab_name=self.user["lab_name"],
+            )
+
+    def test_ciam_acquire_token_for_client(self):
+        self._test_acquire_token_by_client_secret(
+            client_id=self.app_config["appId"],
+            client_secret=self.get_lab_user_secret(
+                self.app_config["clientSecret"].split("=")[-1]),
+            authority=self.app_config["authority"],
+            scope=["{}/.default".format(self.app_config["appId"])],  # App permission
+            )
+
+    def test_ciam_acquire_token_by_ropc(self):
+        # Somehow, this would only work after creating a secret for the test app
+        # and enabling "Allow public client flows".
+        # Otherwise it would hit AADSTS7000218.
+        self._test_username_password(
+            authority=self.app_config["authority"],
+            client_id=self.app_config["appId"],
+            username=self.user["username"],
+            password=self.get_lab_user_secret(self.user["lab_name"]),
+            scope=self.app_config["scopes"],
+            )
+
+    def test_ciam_device_flow(self):
+        self._test_device_flow(
+            authority=self.app_config["authority"],
+            client_id=self.app_config["appId"],
+            scope=self.app_config["scopes"],
+            )
+
+
 class WorldWideRegionalEndpointTestCase(LabBasedTestCase):
     region = "westus"
     timeout = 2  # Short timeout makes this test case responsive on non-VM

tests/test_throttled_http_client.py

@@ -11,19 +11,13 @@
 logging.basicConfig(level=logging.DEBUG)
 
 
-class DummyHttpResponse(MinimalResponse):
-    def __init__(self, headers=None, **kwargs):
-        self.headers = {} if headers is None else headers
-        super(DummyHttpResponse, self).__init__(**kwargs)
-
-
 class DummyHttpClient(object):
     def __init__(self, status_code=None, response_headers=None):
         self._status_code = status_code
         self._response_headers = response_headers
 
     def _build_dummy_response(self):
-        return DummyHttpResponse(
+        return MinimalResponse(
             status_code=self._status_code,
             headers=self._response_headers,
             text=random(),  # So that we'd know whether a new response is received