acquire_token_interactive() allows customizing the redirect URI's path #593
Conversation
Handle different response outcome
Changing region endpoint, and remove usage of REGION_NAME env var
First attempt was by using BROWSER env var Switch to less intrusive register(browser_name...) Only perform webbrowse.register() when necessary Explain design decisions based on PR review Q&A
Prefer Edge when running on Linux
WIP: Not runnable scratch Doodle Gear towards a different direction WIP Rename to ControllableCache Use new ControllableCache Proof-of-Concept Support runtime storage Rename to IndividualCache Documentation draft Enable http_decorate Precise KeyError message
Decorate the http_client for http_cache behavior Wrap http_client instead of decorate it Rename to throttled_http_client.py Refactor and change default retry-after delay to 60 seconds ThrottledHttpClient test case contains params
Http cache
Bumping version number
Merge MSAL Python 1.14 back to dev branch
X-AnchorMailbox's value is case-insensitive Both auth code flow and interactive flow switch to client_info Add upn:username for ROPC per recent discussion
Implementing CCS Routing info
Allow interactive flow to be aborted by CTRL+C even when running on Windows
rayluo
changed the title
rayluo
force-pushed
the
path
branch
2 times, most recently
from
7f88f1c to
87a3366
Compare
Mark package as supporting Python 3.12
There was a problem hiding this comment.
-
I don't think
http://localhost:port/pathis a valid redirect uri for a desktop app using system browser. The HTTP listener built in MSAL can't tell betweenhttp://localhost:port/path1andhttp://localhost:port/path2. I am concerned about potential vulnerability this can introduce. -
Please do not change the public API of MSAL with an OK from @localden and a discussion with other MSAL owners
-
For Public Client, please loop in @ashok672 and @iulico-1 as they need to maintain this.
|
Agreed with your suggestion 2 & 3. Will wait for the input from those pinged folks. With regard to suggestion 1, the
That is an implementation detail that can be discussed offline. Traditionally, MSAL uses ephemeral port, state validation and PKCE for security. Path is merely a short well-known string which does not provide any security cryptographically anyway. |
That's an excellent document you found. So I guess the user scenario is to use 1 app registration for both web and desktop? Smth like: 
|
That is correct. That is the scenario that app developers run into, every time they need to start their app locally for development or debug purpose. |
Remove x-client-cpu
|
Minor feedback on documentation, @rayluo - other than that, looking good. |
Traditionally, most parts of the redirect URI for a desktop app is hardcoded in this library as
http://localhost, and only the port is customizable (by aportoptional parameter).Sometimes, an app targets to multiple "platforms" (in this context, "platform" means web, native/desktop, spa, etc.), and they may all run on localhost during development. Those multiple redirect URIs differentiate with each other only by path, as described in the second last bullet point of this "localhost exceptions" documentation.
In this PR, the path will become customizable, but the remaining content (schema and host) remains constant. Therefore, the new optional parameter is
path, rather thanredirect_uri.This will resolve #574 .