Release 0.4.1

msal/application.py

@@ -18,7 +18,7 @@
 
 
 # The __init__.py will import this. Not the other way around.
-__version__ = "0.4.0"
+__version__ = "0.4.1"
 
 logger = logging.getLogger(__name__)
 
@@ -271,7 +271,8 @@ def _get_authority_aliases(self, instance):
         if not self.authority_groups:
             resp = requests.get(
                 "https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https://login.microsoftonline.com/common/oauth2/authorize",
-                headers={'Accept': 'application/json'})
+                headers={'Accept': 'application/json'},
+                verify=self.verify, proxies=self.proxies, timeout=self.timeout)
             resp.raise_for_status()
             self.authority_groups = [
                 set(group['aliases']) for group in resp.json()['metadata']]
@@ -511,7 +512,7 @@ def acquire_token_by_device_flow(self, flow, **kwargs):
                 **kwargs)
 
     def acquire_token_by_username_password(
-            self, username, password, scopes=None, **kwargs):
+            self, username, password, scopes, **kwargs):
         """Gets a token for a given resource via user credentails.
 
         See this page for constraints of Username Password Flow.

msal/authority.py

@@ -1,10 +1,12 @@
 import re
+import logging
 
 import requests
 
 from .exceptions import MsalServiceError
 
 
+logger = logging.getLogger(__name__)
 WORLD_WIDE = 'login.microsoftonline.com'  # There was an alias login.windows.net
 WELL_KNOWN_AUTHORITY_HOSTS = set([
     WORLD_WIDE,
@@ -38,14 +40,15 @@ def __init__(self, authority_url, validate_authority=True,
         canonicalized, self.instance, tenant = canonicalize(authority_url)
         tenant_discovery_endpoint = (  # Hard code a V2 pattern as default value
             'https://{}/{}/v2.0/.well-known/openid-configuration'
-            .format(WORLD_WIDE, tenant))
+            .format(self.instance, tenant))
         if validate_authority and self.instance not in WELL_KNOWN_AUTHORITY_HOSTS:
             tenant_discovery_endpoint = instance_discovery(
                 canonicalized + "/oauth2/v2.0/authorize",
                 verify=verify, proxies=proxies, timeout=timeout)
         openid_config = tenant_discovery(
             tenant_discovery_endpoint,
             verify=verify, proxies=proxies, timeout=timeout)
+        logger.debug("openid_config = %s", openid_config)
         self.authorization_endpoint = openid_config['authorization_endpoint']
         self.token_endpoint = openid_config['token_endpoint']
         _, _, self.tenant = canonicalize(self.token_endpoint)  # Usually a GUID
@@ -65,7 +68,7 @@ def user_realm_discovery(self, username):
 
 def canonicalize(url):
     # Returns (canonicalized_url, netloc, tenant). Raises ValueError on errors.
-    match_object = re.match("https://([^/]+)/([^/\?#]+)", url.lower())
+    match_object = re.match(r'https://([^/]+)/([^/?#]+)', url.lower())
     if not match_object:
         raise ValueError(
             "Your given address (%s) should consist of "
@@ -76,7 +79,11 @@ def canonicalize(url):
 def instance_discovery(url, response=None, **kwargs):
     # Returns tenant discovery endpoint
     resp = requests.get(  # Note: This URL seemingly returns V1 endpoint only
-        'https://{}/common/discovery/instance'.format(WORLD_WIDE),
+        'https://{}/common/discovery/instance'.format(
+            WORLD_WIDE  # Historically using WORLD_WIDE. Could use self.instance too
+                # See https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/4.0.0/src/Microsoft.Identity.Client/Instance/AadInstanceDiscovery.cs#L101-L103
+                # and https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/4.0.0/src/Microsoft.Identity.Client/Instance/AadAuthority.cs#L19-L33
+            ),
         params={'authorization_endpoint': url, 'api-version': '1.0'},
         **kwargs)
     payload = response or resp.json()

msal/oauth2cli/__init__.py

@@ -1,5 +1,5 @@
-__version__ = "0.1.0"
+__version__ = "0.2.0"
 
-from .oauth2 import Client
+from .oidc import Client
 from .assertion import JwtSigner
 

msal/oauth2cli/oidc.py

@@ -0,0 +1,70 @@
+import json
+import base64
+import time
+
+from . import oauth2
+
+
+def base64decode(raw):
+    """A helper can handle a padding-less raw input"""
+    raw += '=' * (-len(raw) % 4)  # https://stackoverflow.com/a/32517907/728675
+    return base64.b64decode(raw).decode("utf-8")
+
+
+def decode_id_token(id_token, client_id=None, issuer=None, nonce=None, now=None):
+    """Decodes and validates an id_token and returns its claims as a dictionary.
+
+    ID token claims would at least contain: "iss", "sub", "aud", "exp", "iat",
+    per `specs <https://openid.net/specs/openid-connect-core-1_0.html#IDToken>`_
+    and it may contain other optional content such as "preferred_username",
+    `maybe more <https://openid.net/specs/openid-connect-core-1_0.html#Claims>`_
+    """
+    decoded = json.loads(base64decode(id_token.split('.')[1]))
+    err = None  # https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
+    if issuer and issuer != decoded["iss"]:
+        # https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
+        err = ('2. The Issuer Identifier for the OpenID Provider, "%s", '
+            "(which is typically obtained during Discovery), "
+            "MUST exactly match the value of the iss (issuer) Claim.") % issuer
+    if client_id:
+        valid_aud = client_id in decoded["aud"] if isinstance(
+            decoded["aud"], list) else client_id == decoded["aud"]
+        if not valid_aud:
+            err = "3. The aud (audience) Claim must contain this client's client_id."
+    # Per specs:
+    # 6. If the ID Token is received via direct communication between
+    # the Client and the Token Endpoint (which it is in this flow),
+    # the TLS server validation MAY be used to validate the issuer
+    # in place of checking the token signature.
+    if (now or time.time()) > decoded["exp"]:
+        err = "9. The current time MUST be before the time represented by the exp Claim."
+    if nonce and nonce != decoded.get("nonce"):
+        err = ("11. Nonce must be the same value "
+            "as the one that was sent in the Authentication Request")
+    if err:
+        raise RuntimeError("%s id_token was: %s" % (
+            err, json.dumps(decoded, indent=2)))
+    return decoded
+
+
+class Client(oauth2.Client):
+    """OpenID Connect is a layer on top of the OAuth2.
+
+    See its specs at https://openid.net/connect/
+    """
+
+    def decode_id_token(self, id_token, nonce=None):
+        """See :func:`~decode_id_token`."""
+        return decode_id_token(
+            id_token, nonce=nonce,
+            client_id=self.client_id, issuer=self.configuration.get("issuer"))
+
+    def _obtain_token(self, grant_type, *args, **kwargs):
+        """The result will also contain one more key "id_token_claims",
+        whose value will be a dictionary returned by :func:`~decode_id_token`.
+        """
+        ret = super(Client, self)._obtain_token(grant_type, *args, **kwargs)
+        if "id_token" in ret:
+            ret["id_token_claims"] = self.decode_id_token(ret["id_token"])
+        return ret
+