Add pop token support (#37482)

* Add pop token support

* Update sdk/identity/azure-identity-broker/CHANGELOG.md

Co-authored-by: Paul Van Eck <paulvaneck@microsoft.com>

* rename sample

* update changelog

* Update sdk/identity/azure-identity-broker/CHANGELOG.md

Co-authored-by: Paul Van Eck <paulvaneck@microsoft.com>

* unblock this PR. fix incoming in 37450

* Update version

Signed-off-by: Paul Van Eck <paulvaneck@microsoft.com>

---------

Signed-off-by: Paul Van Eck <paulvaneck@microsoft.com>
Co-authored-by: Paul Van Eck <paulvaneck@microsoft.com>
Co-authored-by: Scott Beddall <scbedd@microsoft.com>

sdk/identity/azure-identity-broker/CHANGELOG.md

@@ -1,14 +1,11 @@
 # Release History
 
-## 1.1.1 (Unreleased)
+## 1.2.0b1 (2024-09-20)
 
 ### Features Added
 
-### Breaking Changes
-
-### Bugs Fixed
-
-### Other Changes
+- `InteractiveBrowserBrokerCredential` now implements the `SupportsTokenInfo` protocol. It now has a `get_token_info` method which returns an `AccessTokenInfo` object. The `get_token_info` method is an alternative method to `get_token` that improves support for more complex authentication scenarios.
+- Added Proof-of-Possession (PoP) token support to `InteractiveBrowserBrokerCredential`.
 
 ## 1.1.0 (2024-04-09)
 

sdk/identity/azure-identity-broker/azure/identity/broker/__init__.py

@@ -2,9 +2,10 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 # ------------------------------------
-from ._browser import InteractiveBrowserBrokerCredential
+from ._browser import InteractiveBrowserBrokerCredential, PopTokenRequestOptions
 
 
 __all__ = [
     "InteractiveBrowserBrokerCredential",
+    "PopTokenRequestOptions",
 ]

sdk/identity/azure-identity-broker/azure/identity/broker/_browser.py

@@ -3,10 +3,11 @@
 # Licensed under the MIT License.
 # ------------------------------------
 import socket
-from typing import Dict, Any
+from typing import Dict, Any, Mapping, Union
 import msal
 
 from azure.core.exceptions import ClientAuthenticationError
+from azure.core.credentials import TokenRequestOptions
 from azure.identity._credentials import (
     InteractiveBrowserCredential as _InteractiveBrowserCredential,
 )  # pylint:disable=protected-access
@@ -15,6 +16,12 @@
 from ._utils import wrap_exceptions, resolve_tenant
 
 
+class PopTokenRequestOptions(TokenRequestOptions):
+    """Options to use for pop token requests."""
+
+    pop: Union[bool, Mapping[str, str]]
+
+
 class InteractiveBrowserBrokerCredential(_InteractiveBrowserCredential):
     """Uses an authentication broker to interactively sign in a user.
 
@@ -64,8 +71,14 @@ def __init__(self, **kwargs: Any) -> None:
     def _request_token(self, *scopes: str, **kwargs: Any) -> Dict:
         scopes = list(scopes)  # type: ignore
         claims = kwargs.get("claims")
+        pop = kwargs.get("pop")
         app = self._get_app(**kwargs)
         port = self._parsed_url.port if self._parsed_url else None
+        auth_scheme = None
+        if pop:
+            auth_scheme = msal.PopAuthScheme(
+                http_method=pop["resource_request_method"], url=pop["resource_request_url"], nonce=pop["nonce"]
+            )
 
         if self._use_default_broker_account:
             try:
@@ -78,6 +91,7 @@ def _request_token(self, *scopes: str, **kwargs: Any) -> Dict:
                     port=port,
                     parent_window_handle=self._parent_window_handle,
                     enable_msa_passthrough=self._enable_msa_passthrough,
+                    auth_scheme=auth_scheme,
                 )
                 if "access_token" in result:
                     return result
@@ -93,6 +107,7 @@ def _request_token(self, *scopes: str, **kwargs: Any) -> Dict:
                 port=port,
                 parent_window_handle=self._parent_window_handle,
                 enable_msa_passthrough=self._enable_msa_passthrough,
+                auth_scheme=auth_scheme,
             )
         except socket.error as ex:
             raise CredentialUnavailableError(message="Couldn't start an HTTP server.") from ex

sdk/identity/azure-identity-broker/azure/identity/broker/_version.py

@@ -2,4 +2,4 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 # ------------------------------------
-VERSION = "1.1.1"
+VERSION = "1.2.0b1"

sdk/identity/azure-identity-broker/pyproject.toml

@@ -1,3 +1,4 @@
 [tool.azure-sdk-build]
 type_check_samples = false
 pyright = false
+mindependency = false

sdk/identity/azure-identity-broker/samples/pop_sample.py

@@ -0,0 +1,24 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+"""
+This sample is intended to show how to get a Proof-of-Possession (PoP) token.
+"""
+
+from azure.identity.broker import PopTokenRequestOptions, InteractiveBrowserBrokerCredential
+
+nonce = "nonce"  # needs to be a valid nonce
+resource_request_url = "url"  # needs to be a valid URL
+resource_request_method = "GET"  # needs to be a valid HTTP method
+request_options = PopTokenRequestOptions(
+    {
+        "pop": {
+            "nonce": nonce,
+            "resource_request_url": resource_request_url,
+            "resource_request_method": resource_request_method,
+        }
+    }
+)
+cred = InteractiveBrowserBrokerCredential(parent_window_handle="window_handle")
+pop_token = cred.get_token_info("scope", options=request_options)

sdk/identity/azure-identity-broker/setup.py

@@ -41,7 +41,7 @@
     url="https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/identity/azure-identity-broker",
     keywords="azure, azure sdk",
     classifiers=[
-        "Development Status :: 5 - Production/Stable",
+        "Development Status :: 4 - Beta",
         "Programming Language :: Python",
         "Programming Language :: Python :: 3 :: Only",
         "Programming Language :: Python :: 3",
@@ -62,7 +62,7 @@
     },
     python_requires=">=3.8",
     install_requires=[
-        "azure-identity<2.0.0,>=1.15.0",
-        "msal[broker]>=1.25,<2",
+        "azure-identity<2.0.0,>=1.18.0",
+        "msal[broker]>=1.31,<2",
     ],
 )