Exposes the enable_msa_passthrough flag

AzureAD · May 5, 2022 · 9843d6f · 9843d6f
1 parent 649d0e9
commit 9843d6f
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 12 deletions.
diff --git a/msal/application.py b/msal/application.py
@@ -1598,6 +1598,7 @@ def acquire_token_interactive(
             extra_scopes_to_consent=None,
             max_age=None,
             window=None,
+            enable_msa_passthrough=None,
             **kwargs):
         """Acquire token interactively i.e. via a local browser.
 
@@ -1660,6 +1661,13 @@ def acquire_token_interactive(
             you are recommended to also provide its window handle,
             so that the sign in UI window will properly pop up on top of your window.
 
+        :param boolean enable_msa_passthrough:
+            OPTIONAL. MSA-Passthrough is a legacy configuration,
+            needed by a small amount of Microsoft first-party apps,
+            which would login MSA accounts via ".../organizations" authority.
+            If you app belongs to this category, AND you are enabling broker,
+            you would want to enable this flag. Default value is equivalent to False.
+
         :return:
             - A dict containing no "error" key,
               and typically contains an "access_token" key.
@@ -1686,14 +1694,21 @@ def acquire_token_interactive(
                     "no" if self.authority._validate_authority is False
                         or self.authority.is_adfs or self.authority._is_b2c
                     else None)
-
+                enable_msa_passthrough = self.client_id in [
+                    # Experimental: Automatically enable MSA-PT mode for known MSA-PT apps
+                    # More background of MSA-PT is available from this internal docs:
+                    # https://microsoft.sharepoint.com/:w:/t/Identity-DevEx/EatIUauX3c9Ctw1l7AQ6iM8B5CeBZxc58eoQCE0IuZ0VFw?e=tgc3jP&CID=39c853be-76ea-79d7-ee73-f1b2706ede05
+                    "04b07795-8ddb-461a-bbee-02f9e1bf7b46",  # Azure CLI
+                    "04f0c124-f2bc-4f59-8241-bf6df9866bbd",  # Visual Studio
+                    ] if enable_msa_passthrough is None else enable_msa_passthrough
                 # Call _signin_silently() and/or _signin_interactively()
                 if prompt == "none" or (not prompt and not login_hint):
                     response = _signin_silently(
                         authority, self.client_id, scopes,
                         validateAuthority=validate_authority,
                         claims=claims,
                         max_age=max_age,
+                        enable_msa_pt=enable_msa_passthrough,
                         **kwargs.get("data", {}))
                     import pymsalruntime
                     if prompt == "none" or response.get("_broker_status") not in (
@@ -1710,6 +1725,7 @@ def acquire_token_interactive(
                     claims=claims,
                     max_age=max_age,
                     window=window,
+                    enable_msa_pt=enable_msa_passthrough,
                     **kwargs.get("data", {}))
                 return self._process_broker_response(response, scopes, kwargs.get("data", {}))
 

diff --git a/msal/broker.py b/msal/broker.py
@@ -104,17 +104,14 @@ def _get_new_correlation_id():
     return str(uuid.uuid4())
 
 
-def _enable_msa_pt_when_needed(params, client_id):
-    if client_id in [  # Experimental: Automatically enable MSA-PT mode for known MSA-PT apps
-			# More background of MSA-PT is available from this internal docs:
-			# https://microsoft.sharepoint.com/:w:/t/Identity-DevEx/EatIUauX3c9Ctw1l7AQ6iM8B5CeBZxc58eoQCE0IuZ0VFw?e=tgc3jP&CID=39c853be-76ea-79d7-ee73-f1b2706ede05
-            "04b07795-8ddb-461a-bbee-02f9e1bf7b46",  # Azure CLI
-            "04f0c124-f2bc-4f59-8241-bf6df9866bbd",  # Visual Studio
-            ]:
-        params.set_additional_parameter("msal_request_type", "consumer_passthrough")  # PyMsalRuntime 0.8+
+def _enable_msa_pt(params):
+    params.set_additional_parameter("msal_request_type", "consumer_passthrough")  # PyMsalRuntime 0.8+
 
 
-def _signin_silently(authority, client_id, scopes, correlation_id=None, claims=None, **kwargs):
+def _signin_silently(
+        authority, client_id, scopes, correlation_id=None, claims=None,
+        enable_msa_pt=False,
+        **kwargs):
     params = pymsalruntime.MSALRuntimeAuthParameters(client_id, authority)
     params.set_requested_scopes(scopes)
     if claims:
@@ -123,7 +120,8 @@ def _signin_silently(authority, client_id, scopes, correlation_id=None, claims=N
     for k, v in kwargs.items():  # This can be used to support domain_hint, max_age, etc.
         if v is not None:
             params.set_additional_parameter(k, str(v))
-    _enable_msa_pt_when_needed(params, client_id)
+    if enable_msa_pt:
+        _enable_msa_pt(params)
     pymsalruntime.signin_silently(
         params,
         correlation_id or _get_new_correlation_id(),
@@ -139,6 +137,7 @@ def _signin_interactively(
         login_hint=None,
         claims=None,
         correlation_id=None,
+        enable_msa_pt=False,
         **kwargs):
     params = pymsalruntime.MSALRuntimeAuthParameters(client_id, authority)
     params.set_requested_scopes(scopes)
@@ -156,7 +155,8 @@ def _signin_interactively(
                 logger.warning("Using both select_account and login_hint is ambiguous. Ignoring login_hint.")
         else:
             logger.warning("prompt=%s is not supported by this module", prompt)
-    _enable_msa_pt_when_needed(params, client_id)
+    if enable_msa_pt:
+        _enable_msa_pt(params)
     for k, v in kwargs.items():  # This can be used to support domain_hint, max_age, etc.
         if v is not None:
             params.set_additional_parameter(k, str(v))