Merge pull request #34 from AzureAD/username-password-supportability

rayluo · web-flow · commit 7ffbdd3eb13e · 2019-04-11T09:29:54.000-07:00
Improve supportability for Username Password Flow
diff --git a/msal/application.py b/msal/application.py
@@ -466,6 +466,9 @@ def acquire_token_by_username_password(
             self, username, password, scopes=None, **kwargs):
         """Gets a token for a given resource via user credentails.
 
+        See this page for constraints of Username Password Flow.
+        https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication
+
         :param str username: Typically a UPN in the form of an email address.
         :param str password: The password.
         :param list[str] scopes:
@@ -494,6 +497,11 @@ def _acquire_token_by_username_password_federated(
             wstrust_endpoint = mex_send_request(
                 user_realm_result["federation_metadata_url"],
                 verify=verify, proxies=proxies)
+            if wstrust_endpoint is None:
+                raise ValueError("Unable to find wstrust endpoint from MEX. "
+                    "This typically happens when attempting MSA accounts. "
+                    "More details available here. "
+                    "https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication")
         logger.debug("wstrust_endpoint = %s", wstrust_endpoint)
         wstrust_result = wst_send_request(
             username, password, user_realm_result.get("cloud_audience_urn"),
diff --git a/msal/wstrust_request.py b/msal/wstrust_request.py
@@ -47,7 +47,8 @@ def send_request(
             soap_action = Mex.ACTION_2005
         elif '/trust/13/usernamemixed' in endpoint_address:
             soap_action = Mex.ACTION_13
-    assert soap_action in (Mex.ACTION_13, Mex.ACTION_2005)  # A loose check here
+    assert soap_action in (Mex.ACTION_13, Mex.ACTION_2005), (  # A loose check here
+        "Unsupported soap action: %s" % soap_action)
     data = _build_rst(
         username, password, cloud_audience_urn, endpoint_address, soap_action)
     resp = requests.post(endpoint_address, data=data, headers={
diff --git a/sample/username_password_sample.py b/sample/username_password_sample.py
@@ -45,6 +45,8 @@
 
 if not result:
     logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
+    # See this page for constraints of Username Password Flow.
+    # https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication
     result = app.acquire_token_by_username_password(
         config["username"], config["password"], scopes=config["scope"])
 
