# hSSKrSSKrSSKrSSKrSSKrSSKrSSKJr SSKJ r SSK J r SSK r SSK JrJr SSKJr SSKJrJr SS KJr SS KJr SS K7 SS KJrJrJr SSKr SS K!J"r" SS K#J$r$ SSK%J&r& SSK'J(r(J)r) \RT"\+5r,Sr-Sr.Sr/Sr0Sr1Sr2Sr3Sr4Sr5Sr6"SS\5r7Sr8"SS\95r:"SS \:5r;"S!S"\:5r[^-]+)-----END CERTIFICATE-----z PRIVATE KEYz:We expect your public key but detect a private key instead)refindallIstrip ValueError)public_cert_contentpublic_certificatescerts r extract_certsr(#ss**TRTT#)<=)< )<==++ HJ J  % % ' (( >sA/cU(dU$U(a[R"U5O0nSH$nURU05RSU0S9 M& [R"U5$)N) access_tokenvalues)xms_cc)jsonloads setdefaultupdatedumps) capabilitiesclaims_challenge claims_dictkeys r(_merge_claims_challenge_and_capabilitiesr63s\ 2B$**-.KsB'..x6N.O ::k ""rc4URSS9$! Us$=f)Nzutf-8encoding)encode)raws r _str2bytesr<>s$zz7z++ scFSSKJnJn SSKJn [ US5nUR UR5U5upgnSSS5 W(aW(d [S5eURURRS9R5n SRU R5SS 5/n URUR!55R#5n URUR%55R#5n XkX4$!,(df  N=f) Nr)hashes serialization)pkcs12rbz5Your PFX file shall contain both private key and certr8 r)cryptography.hazmat.primitivesr>r?,cryptography.hazmat.primitives.serializationr@openload_key_and_certificatesreadr$ public_bytesEncodingPEMdecodejoin splitlines fingerprintSHA256hexSHA1) pfx_pathpassphrase_bytesr>r?r@f private_keyr'_cert_pemx5csha256_thumbprintsha1_thumbprints r _parse_pfxr\FsDC h %?? FFH& ( 1  DPQQ  -*@*@*D*D ELLNH (%%'"-. C((9==?&&v{{}599;O ? ??  s $D D cXSSKJn SSKJn UR [ U5UU"5S9$)Nr)r?)default_backend)backend)rDr?cryptography.hazmat.backendsr^load_pem_private_keyr<)private_key_pem_strrTr?r^s r_load_private_key_from_pem_strrcZs2<<  - -&'! .  rcPURS5nSUS'SRU5$)N.z********r)splitrM)home_account_idpartss r_pii_less_home_account_idrids)  ! !# &EE!H 88E?rc[U[5(aSU;dSU;a9[R"UR S5UR S5S.SS9US'UVs0sH(nUS:wdM UR S5(aM#XU_M* nnSU;a'[ [R"5US-5US 'U$U$s snf) N_msalruntime_telemetry_msal_python_telemetry)msalruntime_telemetrymsal_python_telemetry),:) separatorsmsal_telemetry refresh_inrW refresh_on) isinstancedictr-r1get startswithinttime)resultk return_values r _clean_upr~js&$ #v -1IV1S'+zz)/4L)M)/4L)M3)(*F# $ #)"(QL  LL% AayL&  6 !),TYY[6,;O-O)PL & Ms C-C Cc.[RS:wagSnS[R;nS[RR SS5;nU(dU(a[R R U5(anSSKnSn[UR U5UR5nU(d8[RS X@5 URUSURU55 U$g!URa S nNVf=f![a gf=f) zuRegister Edge and return a name suitable for subsequent webbrowser.get(...) when appropriate. Otherwise return None. linuxNz/usr/bin/microsoft-edgeBROWSERzmicrosoft-edgerrz msal-edgeFzRegister %s with %s)sysplatformosenvironrwpathexists webbrowserruBackgroundBrowserErrorloggerdebugregister ImportError) browser_pathuser_has_no_preferenceuser_wont_mind_edger browser_nameregistration_availables r_preferred_browserr|s  ||w,L 'bjj8*bjjnnY.KK "5277>>,;W;W  &L /)3NN<0*2N2N*P&* 2LO## $ (D(D\(RT  ## /).& /    s7D%C/-AD/DDDD DDc@^\rSrSrU4SjrU4SjrU4SjrSrU=r$)_ClientWithCcsRoutingInfoc r>URS5(a SUS-US'[[U]"SSS0UD6$)N login_hintzUPN:%sX-AnchorMailbox client_infor)rwsuperrinitiate_auth_code_flow)selfkwargs __class__s rr1_ClientWithCcsRoutingInfo.initiate_auth_code_flowsL ::l # #(06,3G(GF$ %.M rc d>[U[5(a[U[5(deURS05nURS5(a"[R "[ US55O0nSU;aSU;aSR"S0UD6US'[[U]*"X4SU0UD6$)NheadersruidutidzOid:{uid}@{utid}rr) rurvpoprwr-r.r formatrrobtain_token_by_auth_code_flow)rauth_code_flow auth_responserrrrs rr8_ClientWithCcsRoutingInfo.obtain_token_by_auth_code_flows.$//J}d4S4SSS**Y+""=11jj  m4 579  K Fk$9);)B)B)Q[)QG% &.T F3:F>DF Frc ~>URS05nSRU5US'[[U]"X4SU0UD6$)Nrzupn:{}r)rrrr!obtain_token_by_username_password)rusernamepasswordrrrs rr;_ClientWithCcsRoutingInfo.obtain_token_by_username_passwordsO**Y+%-__X%>!".W ;(/;39; ;rr) __name__ __module__ __qualname____firstlineno__rrr__static_attributes__ __classcell__rs@rrrs F;;rrc SSKJn URSSS9upn[U5S:a[U5S:d[R "S5 gg![ a g[a [RS WS 35 gf=f) Nr)rre)maxsplitrzRPlease upgrade msal-extensions. Only msal-extensions 1.2+ can work with msal 1.30+zmsal_extensions version z not in major.minor.patch format) msal_extensionsrrfrywarningswarnrr$r exception)vmajorminorrWs r_msal_extension_checkrs Y4''#'2aE aCJ!O MME F%4   Y3A36VWXYsA A B"BBc\rSrSrSrSrSrSrSrSr Sr S r S r S r S rS rSrSrSrSrSrSrSrS8SjrSrSr\"/SQ54SjrS9SjrS\\4SjrS:Sjr S;Sjr!SS!jr$S=S"jr%S#r&S$r'S%r(S&r)S'r*S(r+S=S)jr,S?S*jr-S?S+jr.S?S,jr/S@S-jr0S.r1S/r2S0r3SS1SSS4S2jr4S3r5S4r6S9S5jr7S=S6jr8S7r9g)AClientApplicationzYou do not usually directly use this class. Use its subclasses instead: :class:`PublicClientApplication` and :class:`ConfidentialClientApplication`. 8485301523622730832169902903TF token_sourceidentity_providercacherzauth_scheme is currently only available from broker. You can enable broker by following these instructions. https://msal-python.readthedocs.io/en/latest/#publicclientapplicationNcXlX lXlXlUUlU(a8[ U[ 5(d#[SR[U555e[U=(d /5Ul SUR;a#[SR[U555eU(aX`l OSSK nUR5Ul XpRlXRl["R$"URR&U S9URlUR(R+SS9nURR-S U5 URR-S U5 [/URU[ U[05(aS OS S 9Ul XlXlU(aU(a [S5e[ U[65(a+[9U5R:R=S5(aUnU=(d SR[>5n[AUURUURUS9Ul!URKUU5 U=(d [M5Ul'Xl(SUl)URUX RB5uUl+Ul,SUl-0Ul.[_5Ul0[c5 g![a e[DaQ U(aHU(dAU(dUc7[FRH"S5(a[AWURSS9Ul!Nef=f)a7Create an instance of application. :param str client_id: Your app has a client_id after you register it on Microsoft Entra admin center. :param client_credential: For :class:`PublicClientApplication`, you use `None` here. For :class:`ConfidentialClientApplication`, it supports many different input formats for different scenarios. .. admonition:: Support using a client secret. Just feed in a string, such as ``"your client secret"``. .. admonition:: Support using a certificate in X.509 (.pem) format Feed in a dict in this form:: { "private_key": "...-----BEGIN PRIVATE KEY-----... in PEM format", "thumbprint": "A1B2C3D4E5F6...", "passphrase": "Passphrase if the private_key is encrypted (Optional. Added in version 1.6.0)", } MSAL Python requires a "private_key" in PEM format. If your cert is in PKCS12 (.pfx) format, you can convert it to X.509 (.pem) format, by ``openssl pkcs12 -in file.pfx -out file.pem -nodes``. The thumbprint is available in your app's registration in Azure Portal. Alternatively, you can `calculate the thumbprint `_. .. admonition:: Support Subject Name/Issuer Auth with a cert in .pem `Subject Name/Issuer Auth `_ is an approach to allow easier certificate rotation. *Added in version 0.5.0*:: { "private_key": "...-----BEGIN PRIVATE KEY-----... in PEM format", "thumbprint": "A1B2C3D4E5F6...", "public_certificate": "...-----BEGIN CERTIFICATE-----...", "passphrase": "Passphrase if the private_key is encrypted (Optional. Added in version 1.6.0)", } ``public_certificate`` (optional) is public key certificate which will be sent through 'x5c' JWT header only for subject name and issuer authentication to support cert auto rolls. Per `specs `_, "the certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one." However, your certificate's issuer may use a different order. So, if your attempt ends up with an error AADSTS700027 - "The provided signature value did not match the expected signature value", you may try use only the leaf cert (in PEM/str format) instead. .. admonition:: Supporting raw assertion obtained from elsewhere *Added in version 1.13.0*: It can also be a completely pre-signed assertion that you've assembled yourself. Simply pass a container containing only the key "client_assertion", like this:: { "client_assertion": "...a JWT with claims aud, exp, iss, jti, nbf, and sub..." } .. admonition:: Supporting reading client cerficates from PFX files *Added in version 1.29.0*: Feed in a dictionary containing the path to a PFX file:: { "private_key_pfx_path": "/path/to/your.pfx", "passphrase": "Passphrase if the private_key is encrypted (Optional)", } The following command will generate a .pfx file from your .key and .pem file:: openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.pem .. admonition:: Support Subject Name/Issuer Auth with a cert in .pfx *Added in version 1.30.0*: If your .pfx file contains both the private key and public cert, you can opt in for Subject Name/Issuer Auth like this:: { "private_key_pfx_path": "/path/to/your.pfx", "public_certificate": True, "passphrase": "Passphrase if the private_key is encrypted (Optional)", } :type client_credential: Union[dict, str, None] :param dict client_claims: *Added in version 0.5.0*: It is a dictionary of extra claims that would be signed by by this :class:`ConfidentialClientApplication` 's private key. For example, you can use {"client_ip": "x.x.x.x"}. You may also override any of the following default claims:: { "aud": the_token_endpoint, "iss": self.client_id, "sub": same_as_issuer, "exp": now + 10_min, "iat": now, "jti": a_random_uuid } :param str authority: A URL that identifies a token authority. It should be of the format ``https://login.microsoftonline.com/your_tenant`` By default, we will use ``https://login.microsoftonline.com/common`` *Changed in version 1.17*: you can also use predefined constant and a builder like this:: from msal.authority import ( AuthorityBuilder, AZURE_US_GOVERNMENT, AZURE_CHINA, AZURE_PUBLIC) my_authority = AuthorityBuilder(AZURE_PUBLIC, "contoso.onmicrosoft.com") # Now you get an equivalent of # "https://login.microsoftonline.com/contoso.onmicrosoft.com" # You can feed such an authority to msal's ClientApplication from msal import PublicClientApplication app = PublicClientApplication("my_client_id", authority=my_authority, ...) :param bool validate_authority: (optional) Turns authority validation on or off. This parameter default to true. :param TokenCache token_cache: Sets the token cache used by this ClientApplication instance. By default, an in-memory cache will be created and used. :param http_client: (optional) Your implementation of abstract class HttpClient Defaults to a requests session instance. Since MSAL 1.11.0, the default session would be configured to attempt one retry on connection error. If you are providing your own http_client, it will be your http_client's duty to decide whether to perform retry. :param verify: (optional) It will be passed to the `verify parameter in the underlying requests library `_ This does not apply if you have chosen to pass your own Http client :param proxies: (optional) It will be passed to the `proxies parameter in the underlying requests library `_ This does not apply if you have chosen to pass your own Http client :param timeout: (optional) It will be passed to the `timeout parameter in the underlying requests library `_ This does not apply if you have chosen to pass your own Http client :param app_name: (optional) You can provide your application name for Microsoft telemetry purposes. Default value is None, means it will not be passed to Microsoft. :param app_version: (optional) You can provide your application version for Microsoft telemetry purposes. Default value is None, means it will not be passed to Microsoft. :param list[str] client_capabilities: (optional) Allows configuration of one or more client capabilities, e.g. ["CP1"]. Client capability is meant to inform the Microsoft identity platform (STS) what this client is capable for, so STS can decide to turn on certain features. For example, if client is capable to handle *claims challenge*, STS may issue `Continuous Access Evaluation (CAE) `_ access tokens to resources, knowing that when the resource emits a *claims challenge* the client will be able to handle those challenges. Implementation details: Client capability is implemented using "claims" parameter on the wire, for now. MSAL will combine them into `claims parameter `_ which you will later provide via one of the acquire-token request. :param str azure_region: (optional) Instructs MSAL to use the Entra regional token service. This legacy feature is only available to first-party applications. Only ``acquire_token_for_client()`` is supported. Supports 4 values: 1. ``azure_region=None`` - This default value means no region is configured. MSAL will use the region defined in env var ``MSAL_FORCE_REGION``. 2. ``azure_region="some_region"`` - meaning the specified region is used. 3. ``azure_region=True`` - meaning MSAL will try to auto-detect the region. This is not recommended. 4. ``azure_region=False`` - meaning MSAL will use no region. .. note:: Region auto-discovery has been tested on VMs and on Azure Functions. It is unreliable. Applications using this option should configure a short timeout. For more details and for the values of the region string see https://learn.microsoft.com/entra/msal/dotnet/resources/region-discovery-troubleshooting New in version 1.12.0. :param list[str] exclude_scopes: (optional) Historically MSAL hardcodes `offline_access` scope, which would allow your app to have prolonged access to user's data. If that is unnecessary or undesirable for your app, now you can use this parameter to supply an exclusion list of scopes, such as ``exclude_scopes = ["offline_access"]``. :param dict http_cache: MSAL has long been caching tokens in the ``token_cache``. Recently, MSAL also introduced a concept of ``http_cache``, by automatically caching some finite amount of non-token http responses, so that *long-lived* ``PublicClientApplication`` and ``ConfidentialClientApplication`` would be more performant and responsive in some situations. This ``http_cache`` parameter accepts any dict-like object. If not provided, MSAL will use an in-memory dict. If your app is a command-line app (CLI), you would want to persist your http_cache across different CLI runs. The following recipe shows a way to do so:: # Just add the following lines at the beginning of your CLI script import sys, atexit, pickle http_cache_filename = sys.argv[0] + ".http_cache" try: with open(http_cache_filename, "rb") as f: persisted_http_cache = pickle.load(f) # Take a snapshot except ( FileNotFoundError, # Or IOError in Python 2 pickle.UnpicklingError, # A corrupted http cache file ): persisted_http_cache = {} # Recover by starting afresh atexit.register(lambda: pickle.dump( # When exit, flush it back to the file. # It may occasionally overwrite another process's concurrent write, # but that is fine. Subsequent runs will reach eventual consistency. persisted_http_cache, open(http_cache_file, "wb"))) # And then you can implement your app as you normally would app = msal.PublicClientApplication( "your_client_id", ..., http_cache=persisted_http_cache, # Utilize persisted_http_cache ..., #token_cache=..., # You may combine the old token_cache trick # Please refer to token_cache recipe at # https://msal-python.readthedocs.io/en/latest/#msal.SerializableTokenCache ) app.acquire_token_interactive(["your", "scope"], ...) Content inside ``http_cache`` are cheap to obtain. There is no need to share them among different apps. Content inside ``http_cache`` will contain no tokens nor Personally Identifiable Information (PII). Encryption is unnecessary. New in version 1.16.0. :param boolean instance_discovery: Historically, MSAL would connect to a central endpoint located at ``https://login.microsoftonline.com`` to acquire some metadata, especially when using an unfamiliar authority. This behavior is known as Instance Discovery. This parameter defaults to None, which enables the Instance Discovery. If you know some authorities which you allow MSAL to operate with as-is, without involving any Instance Discovery, the recommended pattern is:: known_authorities = frozenset([ # Treat your known authorities as const "https://contoso.com/adfs", "https://login.azs/foo"]) ... authority = "https://contoso.com/adfs" # Assuming your app will use this app1 = PublicClientApplication( "client_id", authority=authority, # Conditionally disable Instance Discovery for known authorities instance_discovery=authority not in known_authorities, ) If you do not know some authorities beforehand, yet still want MSAL to accept any authority that you will provide, you can use a ``False`` to unconditionally disable Instance Discovery. New in version 1.19.0. :param boolean allow_broker: Deprecated. Please use ``enable_broker_on_windows`` instead. :param boolean enable_pii_log: When enabled, logs may include PII (Personal Identifiable Information). This can be useful in troubleshooting broker behaviors. The default behavior is False. New in version 1.24.0. :param str oidc_authority: *Added in version 1.28.0*: It is a URL that identifies an OpenID Connect (OIDC) authority of the format ``https://contoso.com/tenant``. MSAL will append ".well-known/openid-configuration" to the authority and retrieve the OIDC metadata from there, to figure out the endpoints. Note: Broker will NOT be used for OIDC authority. z;Invalid exclude_scopes={}. It need to be a list of strings.openidz=Invalid exclude_scopes={}. You can not opt out "openid" scoperN)timeoutr) max_retrieszhttp://https://<) http_cachedefault_throttle_timez5You can not provide both authority and oidc_authorityz/dstsv2zhttps://{}/common/)validate_authorityinstance_discoveryoidc_authority_urlMSAL_FORCE_REGIONFr)2 client_idclient_credential client_claims_client_capabilities_instance_discoveryrulistr$rrepr frozenset_exclude_scopes http_clientrequestsSessionverifyproxies functoolspartialrequestadapters HTTPAdaptermountrPublicClientApplicationapp_name app_versionstrrrrxr r authority Exceptionrgetenv_decide_brokerr token_cache_region_configured_region_detected _build_clientclient_regional_clientauthority_groups_telemetry_bufferr_telemetry_lockr)rrrrrrrrrrrrrclient_capabilities azure_regionexclude_scopesrr allow_brokerroidc_authorityraauthority_to_uses r__init__ClientApplication.__init__s` #!2*$7!#5 *^T"B"BMTT^$&' ' ))=2> t++ +OVV^$&' ' *  '//1D &,   #'.   $(1'8'8  (('(;D   $ !!--!-allow_broker=True is only supported in PublicClientApplicationzgallow_broker is deprecated. Please use PublicClientApplication(..., enable_broker_on_windows=True, ...)win32FzGBroker is unavailable on this platform. We will fallback to non-broker.zBroker enabled? %s)rruConfidentialClientApplicationr$rrDeprecationWarning_enable_brokerrrris_adfs_is_b2cr RuntimeErrorrwarningr)rr ris_confidential_appopted_in_for_brokers rr ClientApplication._decide_brokers"441 /91 <]^ ^  MM #  $    6  4S\\W4   +'' +NN*** +NN***     7^,  )4+>+>?   7&+#67 7s9 D%%&E EcUR$)zFReturns True if this client supports Proof-of-Possession Access Token.r)rs ris_pop_supported"ClientApplication.is_pop_supporteds"""r)rprofileoffline_accessc[U[[[45(d [ S5e[U5nX2-(a-[ SR [U5[U555eX2-nX@R -n[U5$)Nz0The input scopes should be a list, tuple, or setzUYou cannot use any scope value that is reserved. Your input: {} The reserved list: {})rursettupler$rr)rscopesreserved_scope scope_set decorateds r_decorate_scope!ClientApplication._decorate_scopes&4e"455OP PK  %Yn1EFH H. ))) Ircj[RRURURUX#S9$)Ncorrelation_idrefresh_reason)msal telemetry_TelemetryContextrr)rapi_idr.r/s r_build_telemetry_context*ClientApplication._build_telemetry_contexts6~~//  " "D$8$8&)0J JrreturncURSLagURc$[R"S5=(d SUlUR=(d$ [ URb UR OS5UlURUR :waeURUR:waK[RSR[UR5[UR555 URUR :Xa URO URn[RSR[U555 U(ajURS;aSRU5OSRX!R5n[SRX1R5UR SS 9$g) NFrz.Region configured ({}) != region detected ({})zRegion to be used: {})zlogin.microsoftonline.comzlogin.microsoft.comzlogin.windows.netzsts.windows.netz{}.login.microsoft.comz{}.{} https://{}/{}r)rrrrrrATTEMPT_REGION_DISCOVERYrrrrrinstancer tenant)rcentral_authority region_to_use regional_hosts r_get_regional_authority)ClientApplication._get_regional_authoritys  " "e +  " " *&(ii0C&D&LD # $ 5 5!O $ 7 7 CD  :O  # #t'D'D D++t/D/DD NNKRRT,,-tD4I4I/JL M&&$*G*GG  ! !((   ,33D4GHI $--26<<]K^^M3M3MN &&}6N6NO  #(  rc ^^SnSn[[[RSS.nTR(aTRUS'TR (aTR US'SS0n[ U[5(Ga[RnURS5(aUSnGO0nS=pURS5(a[US5OSn URS 5(a2[US U 5uppURS 5S La U (aXS 'OYURS 5(a8URS5(a"USn U (a[US U 5n OUS n O [S5eS U;a5[ URS 5[5(a[!US 5US 'U (aTR"(dSU S.nOU (d [S5eSU S.n[%U 4SU0UD6nUR'TR(TR*TR,=(d 0S9nOXS'TR.TR(TR0S.n[3UTR*TR4UUUUUU4SjTR6R8TR6R:S9 nSnU(aU(dTR=T5nU(awUR.UR(UR0S.n[3UTR*TR4UUUUUU4SjTR6R8TR6R:S9 nUU4$)Nzretry-after, h429)z x-client-skuz x-client-verz x-client-oszx-ms-lib-capabilityz x-app-namez x-app-verrrclient_assertion passphraseprivate_key_pfx_pathpublic_certificateTrYrV thumbprintzclient_credential needs to follow this format https://msal-python.readthedocs.io/en/latest/#msal.ClientApplication.params.client_credentialPS256) algorithmrZz'You shall provide a thumbprint in SHA1.RS256)rHr[r)audienceissueradditional_claims client_secret)authorization_endpointtoken_endpointdevice_authorization_endpointc^>TRR[UTRS95$N environmentraddrvr:eventrrs r1ClientApplication._build_client..Ss)d.>.>.B.B49#5#5D7/8r)rdefault_headers default_bodyrBclient_assertion_typeon_obtaining_tokenson_removing_rton_updating_rtc^>TRR[UTRS95$rRrUrWs rrYrZks*d6F6F6J6J49+=+=L?7@r)rrrrrrrurvrCLIENT_ASSERTION_TYPE_JWTrwr<r\rcr$rr(rrcreate_regenerative_assertionrOrrrNrPrrr remove_rt update_rtr?)rrrskip_regional_clientrBr]r[r\rr[rZrTrVrYassertion_params assertioncentral_configurationcentral_clientregional_clientregional_authorityregional_configurations` ` rrClientApplication._build_clientsl $<<#6  ==,0MMOL )   +/+;+;OK (%q) ' . .$*$D$D !!$$%788#45G#H 6::+..|<<$.%l3$BF!%(()?@@KU)*@A(L*HKO),,-ABdJs),)--m<<-11,??&7 &EO'&D-m<>N'P '8 &F $xyy("#4#8#89M#NPSTT%23DEY3Z%[GEN$Y->->%,CT($+()RSS%,($0F)0F4DF #,#J#J&55dnn&*&8&8&>B$K$@ -> )&/&F&F'66-6-T-T! 3 ! NN((+%-"7!8++55++55 7 ,!%!=!=i!H !.@.W.W&8&G&G*HH *& #<*NN $ 0 0$3!-%5*?)@#'#3#3#=#=#'#3#3#=#= #?..rc [SURR0URURS9n U R X#UUUR U5U[URU5UU S9 n X{S'U $)a Initiate an auth code flow. Later when the response reaches your redirect_uri, you can use :func:`~acquire_token_by_auth_code_flow()` to complete the authentication/authorization. :param list scopes: It is a list of case-sensitive strings. :param str redirect_uri: Optional. If not specified, server will use the pre-registered one. :param str state: An opaque value used by the client to maintain state between the request and callback. If absent, this library will automatically generate one internally. :param str prompt: By default, no prompt value will be sent, not even string ``"none"``. You will have to specify a value explicitly. Its valid values are the constants defined in :class:`Prompt `. :param str login_hint: Optional. Identifier of the user. Generally a User Principal Name (UPN). :param domain_hint: Can be one of "consumers" or "organizations" or your tenant domain "contoso.com". If included, it will skip the email-based discovery process that user goes through on the sign-in page, leading to a slightly more streamlined user experience. More information on possible values available in `Auth Code Flow doc `_ and `domain_hint doc `_. :param int max_age: OPTIONAL. Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated. If the elapsed time is greater than this value, Microsoft identity platform will actively re-authenticate the End-User. MSAL Python will also automatically validate the auth_time in ID token. New in version 1.15. :param str response_mode: OPTIONAL. Specifies the method with which response parameters should be returned. The default value is equivalent to ``query``, which is still secure enough in MSAL Python (because MSAL Python does not transfer tokens via query parameter in the first place). For even better security, we recommend using the value ``form_post``. In "form_post" mode, response parameters will be encoded as HTML form values that are transmitted via the HTTP POST method and encoded in the body using the application/x-www-form-urlencoded format. Valid values can be either "form_post" for HTTP POST to callback URI or "query" (the default) for HTTP GET with parameters encoded in query string. More information on possible values `here ` and `here ` :return: The auth code flow. It is a dict in this form:: { "auth_uri": "https://...", // Guide user to visit this "state": "...", // You may choose to verify it by yourself, // or just let acquire_token_by_auth_code_flow() // do that for you. "...": "...", // Everything else are reserved and internal } The caller is expected to: 1. somehow store this content, typically inside the current session, 2. guide the end user (i.e. resource owner) to visit that auth_uri, 3. and then relay this dict and subsequent auth response to :func:`~acquire_token_by_auth_code_flow()`. rNr) redirect_uristaterpromptscope domain_hintclaimsmax_age response_moder3) rrrNrrrr*r6r) rr&rqrrrsrrur3rwrxrflows rr)ClientApplication.initiate_auth_code_flowqsj+ %t~~'L'L M NN((*--%z&&v.#;))+;='. $4   rc  U RSS5n U (a[R"S5 U (a[U URUR S9O UR n [SU R0URURS9n [R"S[5 [R"SS 9 U RUXCUUURU5UU[URU 5S 9 sSSS5 $!,(df  g=f) aConstructs a URL for you to start a Authorization Code Grant. :param list[str] scopes: (Required) Scopes requested to access a protected API (a resource). :param str state: Recommended by OAuth2 for CSRF protection. :param str login_hint: Identifier of the user. Generally a User Principal Name (UPN). :param str redirect_uri: Address to return to upon receiving a response from the authority. :param str response_type: Default value is "code" for an OAuth2 Authorization Code grant. You could use other content such as "id_token" or "token", which would trigger an Implicit Grant, but that is `not recommended `_. :param str prompt: By default, no prompt value will be sent, not even string ``"none"``. You will have to specify a value explicitly. Its valid values are the constants defined in :class:`Prompt `. :param nonce: A cryptographically random value used to mitigate replay attacks. See also `OIDC specs `_. :param domain_hint: Can be one of "consumers" or "organizations" or your tenant domain "contoso.com". If included, it will skip the email-based discovery process that user goes through on the sign-in page, leading to a slightly more streamlined user experience. More information on possible values available in `Auth Code Flow doc `_ and `domain_hint doc `_. :param claims_challenge: The claims_challenge parameter requests specific claims requested by the resource provider in the form of a claims_challenge directive in the www-authenticate header to be returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token. It is a string of a JSON object which contains lists of claims being requested from these locations. :return: The authorization url as a string. rNzAWe haven't decided if this method will accept authority parameterrrNrpzHChange your get_authorization_request_url() to initiate_auth_code_flow()Trecord) response_typerqrrrrsrtnoncerurv)rrrr rrrrrNrrcatch_warningsbuild_auth_request_urir*r6r)rr&rrrrqr~rsrrur3rr the_authorityrs rget_authorization_request_url/ClientApplication.get_authorization_request_urlsfJJ{D1  MMS U "    #77!%  + %}'K'K L NN((*   +,> @ $ $D 100+):**62'?--/?A1 2 1 1s <9C?? D c URURS055 URUR5n[ UR R "UU4U(aURU5OSUR5[URS05[URURSS55S9S.UD65nSU;aURX`R'URU5 U$)aValidate the auth response being redirected back, and obtain tokens. It automatically provides nonce protection. :param dict auth_code_flow: The same dict returned by :func:`~initiate_auth_code_flow()`. :param dict auth_response: A dict of the query string received from auth server. :param list[str] scopes: Scopes requested to access a protected API (a resource). Most of the time, you can leave it empty. If you requested user consent for multiple resources, here you will need to provide a subset of what you required in :func:`~initiate_auth_code_flow()`. OAuth2 was designed mostly for singleton services, where tokens are always meant for the same resource and the only changes are in the scopes. In Microsoft Entra, tokens can be issued for multiple 3rd party resources. You can ask authorization code for multiple resources, but when you redeem it, the token is for only one intended recipient, called audience. So the developer need to specify a scope so that we can restrict the token to be issued for the corresponding audience. :return: * A dict containing "access_token" and/or "id_token", among others, depends on what scope was used. (See https://tools.ietf.org/html/rfc6749#section-5.1) * A dict containing "error", optionally "error_description", "error_uri". (It is either `this `_ or `that `_) * Most client-side data error would result in ValueError exception. So the usage pattern could be without any protocol details:: def authorize(): # A controller in a web app try: result = msal_app.acquire_token_by_auth_code_flow( session.get("flow", {}), request.args) if "error" in result: return render_template("error.html", result) use(result) # Token(s) are available in result and cache except ValueError: # Usually caused by CSRF pass # Simply ignore them return redirect(url_for("index")) dataNr3rvrtrrr*)_validate_ssh_cert_input_datarwr4&ACQUIRE_TOKEN_BY_AUTHORIZATION_CODE_IDr~rrr*generate_headersrvrr6r_TOKEN_SOURCE_IDP _TOKEN_SOURCEupdate_telemetry)rrrr&rtelemetry_contextresponses racquire_token_by_auth_code_flow1ClientApplication.acquire_token_by_auth_code_flow)sd **6::fb+AB 99  7 79T[[GG   39$&&v.d%668 62&?--"&&'94@BC    X %+/+A+AH'' (**84rc [U[5(dS5eURURS055 [R "S[ 5 [R"SS9 URUR5n[URR"U4UURU5UR5[UR!S05[#UR$U5S9US.UD65nSU;aUR&XR('UR+U5 UsS S S 5 $!,(df  g =f) aThe second half of the Authorization Code Grant. :param code: The authorization code returned from Authorization Server. :param list[str] scopes: (Required) Scopes requested to access a protected API (a resource). If you requested user consent for multiple resources, here you will typically want to provide a subset of what you required in AuthCode. OAuth2 was designed mostly for singleton services, where tokens are always meant for the same resource and the only changes are in the scopes. In Microsoft Entra, tokens can be issued for multiple 3rd party resources. You can ask authorization code for multiple resources, but when you redeem it, the token is for only one intended recipient, called audience. So the developer need to specify a scope so that we can restrict the token to be issued for the corresponding audience. :param nonce: If you provided a nonce when calling :func:`get_authorization_request_url`, same nonce should also be provided here, so that we'll validate it. An exception will be raised if the nonce in id token mismatches. :param claims_challenge: The claims_challenge parameter requests specific claims requested by the resource provider in the form of a claims_challenge directive in the www-authenticate header to be returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token. It is a string of a JSON object which contains lists of claims being requested from these locations. :return: A dict representing the json response from Microsoft Entra: - A successful response would contain "access_token" key, - an error response would contain "error" and usually "error_description". Invalid parameter typerzVChange your acquire_token_by_authorization_code() to acquire_token_by_auth_code_flow()Tr|r)rqrtrrrr*N)rurrrwrrrrr4rr~r"obtain_token_by_authorization_coder*rrvrr6rrrr) rcoder&rqrr3rrrs r#acquire_token_by_authorization_code5ClientApplication.acquire_token_by_authorization_codens,f&$''A)AA' **6::fb+AB  34F H $ $D 1 $ = =;;!=  !O!O "#/**62)::<JJvr*C113CEF " " H)/3/E/E++,  . .x 8!2 1 1s -CD88 EcURURRS9nU(dDURURR5HnURUS9nU(dM O U(afUR 5nUVs/sHnUSR 5U:XdMUPM nnU(d$[ R SRU55 U$s snf)aGet a list of accounts which previously signed in, i.e. exists in cache. An account can later be used in :func:`~acquire_token_silent` to find its tokens. :param username: Filter accounts with this username only. Case insensitive. :return: A list of account objects. Each account is a dict. For now, we only document its "username" field. Your app can choose to display those information to end user, and allow user to choose one of his/her accounts to proceed. rSrzget_accounts(username='{}') finds no account. If tokens were acquired without 'profile' scope, they would contain no username for filtering. Consider calling get_accounts(username=None) instead.)_find_msal_accountsrr:_get_authority_aliaseslowerrrr)rraccountsaliaslowercase_usernamer s r get_accountsClientApplication.get_accountss++8O8O+P44T^^5L5LM333F8N !)!1 #+@8aZ=&&(,>>8H@ LfX& (@s C)Cc [RR[RR/n[ 5(aUR [ 5 URR[RRSU0S9Vs0sHnUSU;dMURS5URS5URS5URS5URS5URS5URS5URS5S ._M nn[UR55$s snf) NrTqueryauthority_typergraccount_sourcelocal_account_idrealm)rgrTrrrrr)r AuthorityTypeADFSMSSTSrappend_AUTHORITY_TYPE_CLOUDSHELLrsearchCredentialTypeACCOUNTrwrr+)rrTinterested_authority_typesr grouped_accountss rr%ClientApplication._find_msal_accountss/  $ $ ) ):+C+C+I+I&K" % ' ' & - -.H I%%,,))11$k2-44!"&@@ AEE# $'(uu->'?#$55#7 !j 1&'ee,<&='(ee,<&=().@(AUU7^  4 $$++-..%s  E BEcURRSSS0S9nUR5 [R"UR 5S$)Nzhttps://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https://login.microsoftonline.com/common/oauth2/authorizeAcceptzapplication/json)rmetadata)rrwraise_for_statusr-r.text)rresps r_get_instance_metadata(ClientApplication._get_instance_metadatasR## k12$4 zz$))$Z00rcdURSLa/$URR(a/$UR(d2UR 5Vs/sHn[ US5PM snUlURH$nX;dM UVs/sH o3U:wdM UPM sns $ /$s snfs snf)NFaliases)rr_is_known_to_developerrrr$)rr:grouprs rr(ClientApplication._get_authority_aliasess  # #u ,I >> 0 0I$$373N3N3P%R3P%E)$%3P%RD !**E +0F5%X4E5FF+ %RGsB( B-B-cUR(a9SSKJn U"URUS5nU(a[R SU5 UR U5 g)z*Sign me out and forget me from token cacher)_signout_silentlyrz%_signout_silently() returns error: %sN)rrrrrr _forget_me)raccountrerrors rremove_account ClientApplication.remove_account sB    1%dnng>P6QRE DeL  rcZUSUSS.nURUS5nURR[RR US9Vs/sHJnUSUR :Xd2URS5(dM.URS5US:XdMHUPML snHnURRU5 M [URR[RRUS95HnURRU5 M gs snf)NrTrgrTrgrr family_id) _get_app_metadatarrrr REFRESH_TOKENrrwrdr ACCESS_TOKEN remove_at)r home_accountowned_by_home_account app_metadatartats r _sign_outClientApplication._sign_outs1( 6+,=>!A--l=.IJ ))00))77?T1V  V2k?dnn4 $$[1  {+|K/HH V  B    & &r *  t''..  % % 2 2:O/  B    & &r *   s-D(D(D(cURU5 USUSS.n[URR[R R US95HnURRU5 M [URR[R RUS95HnURRU5 M g)NrTrgrr) rrrrrrID_TOKEN remove_idtrr)rrridtr s rrClientApplication._forget_me5s |$' 6+,=>!A((//  % % . .6K0  C    ' ' ,  d&&--  % % - -5J.  A    + +A .  rc hSSKJn U"URXRUS9nSU;akURR [ URSU;aUSR5OUURRUU=(d 0[S95 SU;aURX@R'U$)Nr) _obtain_token)rrrrt)rrtrOrrrr*) cloudshellrrrrrVrvrfrrOr_TOKEN_SOURCE_BROKERr)rr&rrrs r_acquire_token_by_cloud_shell/ClientApplication._acquire_token_by_cloud_shellFs-   fTK ( "    ..3:h3Fhw'--/F#~~<<!ZR9 "  X %+/+D+DH'' (rc rU(dg[UR"X4X4XVS.UD65nU(aSU;aU$S$)a^Acquire an access token for given account, without user interaction. It has same parameters as the :func:`~acquire_token_silent_with_error`. The difference is the behavior of the return value. This method will combine the cache empty and refresh error into one return value, `None`. If your app does not care about the exact token refresh error during token cache look-up, then this method is easier and recommended. :return: - A dict containing no "error" key, and typically contains an "access_token" key, if cache lookup succeeded. - None when cache lookup does not yield a token. Nr force_refreshr3 auth_schemerr~ _acquire_token_silent_with_error) rr&rrrr3rrr{s racquire_token_silent&ClientApplication.acquire_token_silentWsQ04@@ R'0-RJPRS G6$9vCtCrc PU(dg[UR"X4X4XVS.UD65$)aAcquire an access token for given account, without user interaction. It is done either by finding a valid access token from cache, or by finding a valid refresh token from cache and then automatically use it to redeem a new access token. This method will differentiate cache empty from token refresh error. If your app cares the exact token refresh error during token cache look-up, then this method is suitable. Otherwise, the other method :func:`~acquire_token_silent` is recommended. :param list[str] scopes: (Required) Scopes requested to access a protected API (a resource). :param account: (Required) One of the account object returned by :func:`~get_accounts`. Starting from MSAL Python 1.23, a ``None`` input will become a NO-OP and always return ``None``. :param force_refresh: If True, it will skip Access Token look-up, and try to find a Refresh Token to obtain a new Access Token. :param claims_challenge: The claims_challenge parameter requests specific claims requested by the resource provider in the form of a claims_challenge directive in the www-authenticate header to be returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token. It is a string of a JSON object which contains lists of claims being requested from these locations. :param object auth_scheme: You can provide an ``msal.auth_scheme.PopAuthScheme`` object so that MSAL will get a Proof-of-Possession (POP) token for you. New in version 1.26.0. :return: - A dict containing no "error" key, and typically contains an "access_token" key, if cache lookup succeeded. - None when there is simply no token in the cache. - A dict containing an "error" key, when token refresh failed. Nrr)rr&rrrr3rrs racquire_token_silent_with_error1ClientApplication.acquire_token_silent_with_errorvs@^>> R'0-RJPRS Src [U[5(dS5eURURS055 [R R 5nU(a[R"S5 UR"XUR4UUUUS.UD6n U (aSU ;aU $U n URURR5Hn [URRURRR SU 0S95(dMM[#SU -S -URR$-UR&S S 9n UR"XU 4UUUUS.UD6n U (dMSU ;aU s $U n M U (a7U RS 5(a!S S S S S S.RU S U S 5U S'U $)NrrzEWe haven't decided how/if this method will accept authority parameter)rr3r.rrrTrr/Frsuberrorr) bad_token token_expiredprotection_policy_requiredclient_mismatchdevice_authentication_failedclassification)rurrrwr0r1_get_new_correlation_idrr8_acquire_token_silent_from_cache_and_possibly_refresh_itrrr:rrrrr r;r) rr&rrrr3rrr.r{ final_resultrrs rr2ClientApplication._acquire_token_silent_with_errors&$''A)AA' **6::fb+AB??A  MMa b NN T^^;H-)#    gV+M 001H1HIE((//$$33AA)%0 0233%U"S(4>>+@+@@  #(M RR>K!1-'   F v&(!M% /J0 L,,Z88!#.0#%02 . #l:. Z0HI ) *rc Sn U(GdU(GdU(GdURURURU=(d 0RS5S.n U RS05RS5n U (aXS'[R"5n [ R RnURRURRRUU S9Hn[US5U - nUS:a[ R RnM6[RS5 S US S URS S 5S [U5UR UR"0n SU;a?[US5U S'[US5U :a[ R R$n O@UR'S5R)5 U s $ O[ R R*nU(dS5eU(d SSKJn U4nU RS05nU(a;URS5[0:Xa"U(a [3S5eUR5UUS9$UR6(aU(aURS5[8S4;aSSKJn U"SR?UR@RUR@R5URUSU4[CURDU5UUS.UD6nU(a>URS5[8:HnSU;nU(dU(aURGUUU5$U(a[3URH5eU(a'URJ"X0RMU5U4XUS.U D6nOURN"X4SU0U D6nU(aS U;aURPUUR 'U(aSU;dU (dU$U $!Ua U (deU $f=f)Nrg)rrTrrgrkey_id)targetr expires_oni,zCache hit an ATr*secret token_typeBearer expires_inrtrCz-It should have been established at this pointr)RequestExceptionrz+auth_scheme is not supported in Cloud Shellrrr)_acquire_token_silentlyr8r)rvr.rr)r/r3r.r3))rr:r;rwrzr0r1 AT_ABSENTrrrrry AT_EXPIREDrrr_TOKEN_SOURCE_CACHEAT_AGINGr4hit_an_access_token FORCE_REFRESHrequests.exceptionsrrr$rrrrrrrr6r_process_broker_response_AUTH_SCHEME_UNSUPPORTED>_acquire_token_silent_by_finding_rt_belongs_to_me_or_my_familyr*_acquire_token_for_clientr)rr&rrrr3r.http_exceptionsrraccess_token_from_cacherrnowr/entryrrrrr!account_was_established_by_broker!broker_attempt_succeeded_just_nowr{s rrJClientApplication._acquire_token_silent_from_cache_and_possibly_refresh_its#'!1[!%#,#5#5&--(/ 2':':;L'M E ZZ+//9F"(h))+C!^^55N))00  //<< 1!|!45; $%)^^%>%>N ./"E(O %))L("C #j/&&(@(@ +'  5(>+B+BDNNDYDYZNN./  D113CE#1 +  8? (9*-?9@58?x8O58<]#<!>??\\33F;W#1#1  77=M.F2-1-C-Ct))*7&0:Q ;R '&  *+&&  s!AO.)C&O.BO..P?Pc JSU;aURR[URSU;aUSR 5OUUR R UUUSUR R[S95 URXR'[U5$)Nrrt _account_id)rrtrOrrrrT grant_type) rrVrvrrfrrOr:rrrr~)rrr&rs rr *ClientApplication._process_broker_responseXs ( "    ..3:h3Fhw'--/F#~~<<!$]3 NN33- " ,0+D+DH'' (""rc URU=(d 0RS5S.nURUR5nU(d0UR"X[ USS94SSS.UD6nU(aSU;aU$SnURS 5(a.UR"X[ XVS S940UD6=pU(aSU;aU$UR"X[ XPR S 940UD6=(d U$) Nrgr1)rcgNrrt_items rrYbClientApplication._acquire_token_silent_by_finding_rt_belongs_to_me_or_my_family..x4rc,SURS/5;$)Nrerror_additional_info)rwrs rrYr ys&6Mr)RRr) rt_removerbreak_conditionrr)r)r:rwr7_acquire_token_silent_by_finding_specific_refresh_tokenrvr) rrr&rrrrr last_resps rr PClientApplication._acquire_token_silent_by_finding_rt_belongs_to_me_or_my_familygs%-- ' 2223DE --i.@.@A  MMUc*0!S BgR'    K ( (!YY4k9R#S IgR' KK tE^^D#" #rcJURRXR0S9$)N)rTrdefault)rrr)rrTs rr#ClientApplication._get_app_metadatas+11#~~r2K Krcg)NFrr$s rrYClientApplication.serc  2^^[TRRTRRRUS95n [ R S[U 5UR5V V s0sHupXS:XaU (a [U 5OU _M! sn n 5 Sn U (dU $TRTRTSS9upTRTRXvS9n[U SSS9GHn[ R S 5 UR5nUR!S5(a'S R#USR%S S 55US 'UR&"U4SSUU4SjUU[)U R+S05[-TR.U5S9S.U D6n UR1U 5 SU ;aU s $[ R SR#U R!S5U R!S5S95 U"U 5(dGM U $ U $s sn n f)NrzFound %d RTs matching %srgT)rfr-c8[URSS55$)Nlast_modification_time0)ryrw)es rrY[ClientApplication._acquire_token_silent_by_finding_specific_refresh_token..sc!%%(@#"FGr)r5reversezCache attempts an RTzOid:{}re@rc US$)Nrr) token_items rrYr4s Jx4Hrcgrrrs rrYr4strc`>TRR[UTRSS95$)NT)rTskip_account_creationrUrWs rrYr4s-$2B2B2F2Ft ) 2 2*.H3rrr) rt_getterr_r^rtrrrz,Refresh failed. {error}: {error_description}error_descriptionrr=)rrrrrrrlenitemsrirrr4ACQUIRE_TOKEN_SILENT_IDsortedrrwrreplaceobtain_token_by_refresh_tokenrvrr6rr)rrr&rr%r&r/r.r3rmatchesr|rrrrWrrrs`` rr'IClientApplication._acquire_token_silent_by_finding_specific_refresh_tokens8 t''..    + + 9 9/  /W @ % 4E/E!(+QR R%@  O&&  " "ID'J !99  ( ():JG E LL/ 0'88:Gyy*++-5__+,44S#>.@)*;;!H3% JJvr*C113CEF !H"  . .x 8h& LLGNNll7+"*,,/B"CO x((IHe@ s1&HcURS5S:XaCURS5(d [S5eURS5(d [S5egg)Nrssh-certreq_cnfzWhen requesting an SSH certificate, you must include a string parameter named 'req_cnf' containing the public key in JWK format (https://tools.ietf.org/html/rfc7517).rzWhen requesting an SSH certificate, you must include a string parameter named 'key_id' which identifies the key in the 'req_cnf' argument.)rwr$)rrs rr/ClientApplication._validate_ssh_cert_input_datasd 88L !Z /88I&& =>> 88H%% JKK& 0rc URURS055 URUR[R R S9n[URR"U4URU5UR5SSSS.UD65nSU;aURXPR'URU5 U$)aAcquire token(s) based on a refresh token (RT) obtained from elsewhere. You use this method only when you have old RTs from elsewhere, and now you want to migrate them into MSAL. Calling this method results in new tokens automatically storing into MSAL. You do NOT need to use this method if you are already using MSAL. MSAL maintains RT automatically inside its token cache, and an access token can be retrieved when you call :func:`~acquire_token_silent`. :param str refresh_token: The old refresh token, as a string. :param list scopes: The scopes associate with this old RT. Each scope needs to be in the Microsoft identity platform (v2) format. See `Scopes not resources `_. :return: * A dict contains "error" and some other keys, when error happened. * A dict contains no "error" key means migration was successful. rr/cU$rr)rs rrYBClientApplication.acquire_token_by_refresh_token..srFcgrrrs rrYrNr!r)rtrr<r`r_r*)rrwr4ACQUIRE_TOKEN_BY_REFRESH_TOKENr0r1r r~rrDr*rrrr)r refresh_tokenr&rrrs racquire_token_by_refresh_token0ClientApplication.acquire_token_by_refresh_tokens. **6::fb+AB 99  / />>77:9T[[FF &&v.%668# /  X %+/+A+AH'' (**84rc D[URU5nUR(aSSKJn U"SR UR RUR R5URUUUUR R(dURSLaSOSUUS9n URXURS055$U(a[UR5eUR!U5nUR#UR$5n U R'5n [)UR+S05US 9n Sn UR R,(djUR R/X2R4S 9n U RS 5S :Xa![7UR8"XU4UU U S .UD65n U c*[7UR:R<"X4UU U S.UD65n SU ;aUR>XR@'U RCU 5 U $)aGets a token for a given resource via user credentials. See this page for constraints of Username Password Flow. https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication :param str username: Typically a UPN in the form of an email address. :param str password: The password. :param list[str] scopes: Scopes requested to access a protected API (a resource). :param claims_challenge: The claims_challenge parameter requests specific claims requested by the resource provider in the form of a claims_challenge directive in the www-authenticate header to be returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token. It is a string of a JSON object which contains lists of claims being requested from these locations. :param object auth_scheme: You can provide an ``msal.auth_scheme.PopAuthScheme`` object so that MSAL will get a Proof-of-Possession (POP) token for you. New in version 1.26.0. :return: A dict representing the json response from Microsoft Entra: - A successful response would contain "access_token" key, - an error response would contain "error" and usually "error_description". r)_signin_silentlyr8FnoN)MSALRuntime_UsernameMSALRuntime_PasswordvalidateAuthorityrvrrrr. account_type Federated)r&rrrr*)"r6rrrrUrrr:r;rrrr rwr$r r*r4%ACQUIRE_TOKEN_BY_USERNAME_PASSWORD_IDrrvrruser_realm_discoveryr0r1CLIENT_REQUEST_IDr~-_acquire_token_by_username_password_federatedrrrrr)rrrr&r3rrrvrUrrrruser_realm_results r"acquire_token_by_username_password4ClientApplication.acquire_token_by_username_passwords@:))+;=    0'&&t~~'>'>@U@UV%-%-NN99//58#'?C' H006::fVXCYZ Z T::; ;%%f- 99  6 68#446FJJvr*6:~~%% $ C C1Q1Q)R!D!T  $$^4 C$T%W%W%&/BH#&/(.&/0   !N!N"*0" "H X %+/+A+AH'' (**84rc b^^0nURS5(a'[USTR5nUc [S5e[R SU5 [ TUURSS5URSURS55URS5TR5nS U;aS U;d[S U-5eS n[U[TRR[U[TRR0RURS 55n U (d[S URS 55eTRRRU TRR 5 TRR""US U 4UUU4SjS.UD6$)Nfederation_metadata_urlzUnable to find wstrust endpoint from MEX. This typically happens when attempting MSA accounts. More details available here. https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authenticationzwstrust_endpoint = %scloud_audience_urnzurn:federation:MicrosoftOnlineaddressfederation_active_auth_urlactiontokentypezUnsuccessful RSTR. %sz/urn:ietf:params:oauth:grant-type:saml1_1-bearerz$RSTR returned unknown token type: %sct>TRR[UTRRTS95$)N)rTr)rrVrvrr:)rXrrs rrYQClientApplication._acquire_token_by_username_password_federated..us1d.>.>.B.B4 NN33!D/r)rtr^)rwmex_send_requestrr$rrwst_send_requestrSAML_TOKEN_TYPE_V1SAML_TOKEN_TYPE_V2rGRANT_TYPE_SAML2WSS_SAML_TOKEN_PROFILE_V1_1WSS_SAML_TOKEN_PROFILE_V2grant_assertion_encodersr/encode_saml_assertionobtain_token_by_assertion) rrarrr&rwstrust_endpointwstrust_resultGRANT_TYPE_SAML1_1rs ` ` rr`?ClientApplication._acquire_token_by_username_password_federatedQs  !: ; ;/!";<   "  ' "CDD  ,.>?) h  ! !"68X Y  !%%&BC E   *D,<,< >>)f.F6GH HN  2  < < '); %t{{'C'C  c.$$V,-  68J8J68RT T ,,77  99 ;{{44 7 #Z7=! r)rrrrrrrrrrrrrrrrrrr)NNTNNTNNNNNNNNNNNNN)NN)F)NNNNNNNN)NNNrNNNNrNNN)NFNN)FNNNN):rrrr__doc__rArPr]ACQUIRE_TOKEN_ON_BEHALF_OF_IDACQUIRE_TOKEN_BY_DEVICE_FLOW_IDACQUIRE_TOKEN_FOR_CLIENT_IDrACQUIRE_TOKEN_INTERACTIVEGET_ACCOUNTS_IDREMOVE_ACCOUNT_IDr9DISABLE_MSAL_FORCE_REGIONrrrrrr rrrrr*r4rr r?rrrrrrrrrrrrrrrrrr r rr'rrRrbr`rrrrrrs#%)",1)$)!&+#"'-2* %O# %"M+!#N PHL/3;? $ ##g T %@N# %%LM0?CJ HYUb [S5e[U=(a [RS:H=(d U=(a [RS:H5Ul[ [ U]"U4SS0UD6 g)a Same as :func:`ClientApplication.__init__`, except that ``client_credential`` parameter shall remain ``None``. .. note:: You may set enable_broker_on_windows and/or enable_broker_on_mac to True. **What is a broker, and why use it?** A broker is a component installed on your device. Broker implicitly gives your device an identity. By using a broker, your device becomes a factor that can satisfy MFA (Multi-factor authentication). This factor would become mandatory if a tenant's admin enables a corresponding Conditional Access (CA) policy. The broker's presence allows Microsoft identity platform to have higher confidence that the tokens are being issued to your device, and that is more secure. An additional benefit of broker is, it runs as a long-lived process with your device's OS, and maintains its own cache, so that your broker-enabled apps (even a CLI) could automatically SSO from a previously established signed-in session. **You shall only enable broker when your app:** 1. is running on supported platforms, and already registered their corresponding redirect_uri * ``ms-appx-web://Microsoft.AAD.BrokerPlugin/your_client_id`` if your app is expected to run on Windows 10+ * ``msauth.com.msauth.unsignedapp://auth`` if your app is expected to run on Mac 2. installed broker dependency, e.g. ``pip install msal[broker]>=1.31,<2``. 3. tested with ``acquire_token_interactive()`` and ``acquire_token_silent()``. **The fallback behaviors of MSAL Python's broker support** MSAL will either error out, or silently fallback to non-broker flows. 1. MSAL will ignore the `enable_broker_...` and bypass broker on those auth flows that are known to be NOT supported by broker. This includes ADFS, B2C, etc.. For other "could-use-broker" scenarios, please see below. 2. MSAL errors out when app developer opted-in to use broker but a direct dependency "mid-tier" package is not installed. Error message guides app developer to declare the correct dependency ``msal[broker]``. We error out here because the error is actionable to app developers. 3. MSAL silently "deactivates" the broker and fallback to non-broker, when opted-in, dependency installed yet failed to initialize. We anticipate this would happen on a device whose OS is too old or the underlying broker component is somehow unavailable. There is not much an app developer or the end user can do here. Eventually, the conditional access policy shall force the user to switch to a different device. 4. MSAL errors out when broker is opted in, installed, initialized, but subsequent token request(s) failed. :param boolean enable_broker_on_windows: This setting is only effective if your app is running on Windows 10+. This parameter defaults to None, which means MSAL will not utilize a broker. New in MSAL Python 1.25.0. :param boolean enable_broker_on_mac: This setting is only effective if your app is running on Mac. This parameter defaults to None, which means MSAL will not utilize a broker. New in MSAL Python 1.31.0. Nz,Public Client should not possess credentialsrdarwinr)r$boolrrrrrr)rrrrrrrs rr PublicClientApplication.__init__ss`  (KL L" $ @)@ A#@ (@B %t5  9)- 917 9rc  U RS05nU RSS5=(a URS5S:gnURU5 U (dSn [5(aUS:XaUR XS9$[ UR U5nUR(aTU c [S 5eU(a[RS 5 URUU UUUU U UUU S 9 nURUX5$U (a[UR5eU "S S9 URUR5n[!UR"R$"SU(aUR'U5OS USR)U=(d SS9UUU UUUS.[+UUS9UR-5[/5S. U D65nSU;aUR0UUR2'UR5U5 U$)a^Acquire token interactively i.e. via a local browser. Prerequisite: In Azure Portal, configure the Redirect URI of your "Mobile and Desktop application" as ``http://localhost``. If you opts in to use broker during ``PublicClientApplication`` creation, your app also need this Redirect URI: ``ms-appx-web://Microsoft.AAD.BrokerPlugin/YOUR_CLIENT_ID`` :param list scopes: It is a list of case-sensitive strings. :param str prompt: By default, no prompt value will be sent, not even string ``"none"``. You will have to specify a value explicitly. Its valid values are the constants defined in :class:`Prompt `. :param str login_hint: Optional. Identifier of the user. Generally a User Principal Name (UPN). :param domain_hint: Can be one of "consumers" or "organizations" or your tenant domain "contoso.com". If included, it will skip the email-based discovery process that user goes through on the sign-in page, leading to a slightly more streamlined user experience. More information on possible values available in `Auth Code Flow doc `_ and `domain_hint doc `_. :param claims_challenge: The claims_challenge parameter requests specific claims requested by the resource provider in the form of a claims_challenge directive in the www-authenticate header to be returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token. It is a string of a JSON object which contains lists of claims being requested from these locations. :param int timeout: This method will block the current thread. This parameter specifies the timeout value in seconds. Default value ``None`` means wait indefinitely. :param int port: The port to be used to listen to an incoming auth response. By default we will use a system-allocated port. (The rest of the redirect_uri is hard coded as ``http://localhost``.) :param list extra_scopes_to_consent: "Extra scopes to consent" is a concept only available in Microsoft Entra. It refers to other resources you might want to prompt to consent for, in the same interaction, but for which you won't get back a token for in this particular operation. :param int max_age: OPTIONAL. Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated. If the elapsed time is greater than this value, Microsoft identity platform will actively re-authenticate the End-User. MSAL Python will also automatically validate the auth_time in ID token. New in version 1.15. :param int parent_window_handle: OPTIONAL. * If your app does not opt in to use broker, you do not need to provide a ``parent_window_handle`` here. * If your app opts in to use broker, ``parent_window_handle`` is required. - If your app is a GUI app running on Windows or Mac system, you are required to also provide its window handle, so that the sign-in window will pop up on top of your window. - If your app is a console app running on Windows or Mac system, you can use a placeholder ``PublicClientApplication.CONSOLE_WINDOW_HANDLE``. Most Python scripts are console apps. New in version 1.20.0. :param function on_before_launching_ui: A callback with the form of ``lambda ui="xyz", **kwargs: print("A {} will be launched".format(ui))``, where ``ui`` will be either "browser" or "broker". You can use it to inform your end user to expect a pop-up window. New in version 1.20.0. :param object auth_scheme: You can provide an ``msal.auth_scheme.PopAuthScheme`` object so that MSAL will get a Proof-of-Possession (POP) token for you. New in version 1.26.0. :return: - A dict containing no "error" key, and typically contains an "access_token" key. - A dict containing an "error" key, when token refresh failed. renable_msa_passthroughFrrHcgrr)rs rrYCPublicClientApplication.acquire_token_interactive..XsdrnonerNzparent_window_handle is required when you opted into using broker. You need to provide the window handle of your GUI application, or use msal.PublicClientApplication.CONSOLE_WINDOW_HANDLE when and only when your application is a console app.zLIgnoring parameter extra_scopes_to_consent, which is not supported by broker)rsrrwbrowseruizhttp://localhost:{port}r)port)rvrur) rtextra_scope_to_consentrqrsrrwr auth_paramsrrrr*r)rrwrrrr6rrr$rr%_acquire_token_interactive_via_brokerr r r4rr~robtain_token_by_browserr*rrvrrrrr)rr&rsrrur3rrextra_scopes_to_consentrwparent_window_handleon_before_launching_uirrrrrvrrs racquire_token_interactive1PublicClientApplication.acquire_token_interactives`zz&"%!' $  " "7((<(J6  **40%%: " % ' 'Ff,<55f5H H9  % %'79   #+ LMM '78AA$&&%B H006H H T::; ;), 99  * *,T[[@@28$&&v.d#:299YQ: ! *d6*%668+-!"#$ X %+/+A+AHT'' (**84rc SSKJn Jn Jn SU ;a[R U S5 SR URRURR5nURR(dURSLaSOSnU (agUS:waaURU S9n[U5S:XaC[R S 5 U"UURUS S U4UUS .UD6nU(aS U;aU$US:XdU(d[R S5 U "XRU4UUU UUS.UD6n[SU;=(a- U =(a$ U UR!S05R!S5:g5nSnU(a[R U5 US:XaU(dU$SUS.$[U5SLdeS SKJn ['UR(UR*/5nU(dS U;aUR!S5U;aOU$[R S5 U"SS9 U "XRUX R,LaSOU4UU UUU UUS.UD6$)Nr)_signin_interactivelyrUrwelcome_templater8FrVselect_account)rz(Calling broker._acquire_token_silently()rr)rvrrrz!Calling broker._signin_silently())rYrvrw enable_msa_ptrr*id_token_claimspreferred_usernamez=prompt="none" will not work for login_hint="non-default-user" broker_errorr>)Response_Status_broker_statusz,Falls back to broker._signin_interactively()rr)rYrrsrvrwrr)rrrUrrrrrr:r;rrrr?rrrw pymsalruntimerrStatus_AccountUnusableStatus_InteractionRequiredCONSOLE_WINDOW_HANDLE)rr&rrrvrrrrsrrwrrrUrrrrris_wrong_accountwrong_account_error_messagerrecoverable_errorss rr=PublicClientApplication._acquire_token_interactive_via_brokers ]\  ' LL 23 4#** NN # #T^^%:%:<  NN 1 1''50"7;  &$44((*(=H8}! GH2NNQK 23  " + x 7#O V 6 LL< ='>>6"44' H $(*EzE(,,%r#++.3/C+DE  F P ( 89'7x!/-H> F|u,,,9%.#::#>>0&"$w(':x||(@*-?@@#O CD(+$ ~~v(,F,FFD) 1!0#   rc [RR5nURR"SUR U=(d /5[RR U0S.UD6nX4UR'U$)aInitiate a Device Flow instance, which will be used in :func:`~acquire_token_by_device_flow`. :param list[str] scopes: Scopes requested to access a protected API (a resource). :return: A dict representing a newly created Device Flow object. - A successful response would contain "user_code" key, among others - an error response would contain some other readable key/value pairs. )rtrr)r0r1rrinitiate_device_flowr*r_DEVICE_FLOW_CORRELATION_ID)rr&rr.rys rr,PublicClientApplication.initiate_device_flowsr??A{{//&&v|4^^55~F1?T , ,- rc URURURUR5S9n[ UR R "U4[URS05US[URU5S9UR5S.UD65nSU;aURXPR'URU5 U$)aObtain token by a device flow object, with customizable polling effect. :param dict flow: A dict previously generated by :func:`~initiate_device_flow`. By default, this method's polling effect will block current thread. You can abort the polling loop at any time, by changing the value of the flow's "expires_at" key to 0. :param claims_challenge: The claims_challenge parameter requests specific claims requested by the resource provider in the form of a claims_challenge directive in the www-authenticate header to be returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token. It is a string of a JSON object which contains lists of claims being requested from these locations. :return: A dict representing the json response from Microsoft Entra: - A successful response would contain "access_token" key, - an error response would contain "error" and usually "error_description". rZr device_code)rrv)rrr*)r4rrwrr~robtain_token_by_device_flowrvrr6rrrrr)rryr3rrrs racquire_token_by_device_flow4PublicClientApplication.acquire_token_by_device_flow s&!99  0 088D$C$CD:FT[[DD   62&-(@--/?A &668    X %+/+A+AH'' (**84rrr) NNNNNNNNNNNr|)rrrrrobjectrrrrrrrrrs@rrr}s|!2"H,0V9"&! V9V9v!$(!%#'xFXt&%%rrc>\rSrSrSrS SjrS SjrSrS SjrSr g) ri) zjSame as :func:`ClientApplication.__init__`, except that ``allow_broker`` parameter shall remain ``None``. Nc URS5(a [S5e[UR"US4SU0UD65$)aAcquires token for the current confidential client, not for an end user. Since MSAL Python 1.23, it will automatically look for token from cache, and only send request to Identity Provider when cache misses. :param list[str] scopes: (Required) Scopes requested to access a protected API (a resource). :param claims_challenge: The claims_challenge parameter requests specific claims requested by the resource provider in the form of a claims_challenge directive in the www-authenticate header to be returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token. It is a string of a JSON object which contains lists of claims being requested from these locations. :return: A dict representing the json response from Microsoft Entra: - A successful response would contain "access_token" key, - an error response would contain "error" and usually "error_description". rzCHistorically, this method does not support force_refresh behavior. Nr3)rwr$r~r)rr&r3rs racquire_token_for_client6ConfidentialClientApplication.acquire_token_for_client. sY& ::o & &U >> DG+;G?EGH Hrc URRR5S;a[R"S[ 5 UR URS055 URURUS9nUR=(d URnUR"SUUR5[URS05[!UR"U5S9S.UD6nUR%U5 U$)N)common organizationsz|Using /common or /organizations authority in acquire_token_for_client() is unreliable. Please use a specific tenant instead.rrLrrr)rr;rrrrrrwr4rrrobtain_token_for_clientrrvrr6rr)rr&r/r3rrrrs rr7ConfidentialClientApplication._acquire_token_for_clientH s >> & & (,G G MM89K M **6::fb+AB 99  , ,^:M&&5$++11%668 62&?--/?AB **84rc bURR/URURR5-Hnn[URR [ RRURUSS.S95HnURRU5 M Mp g)zoRemove all tokens that were previously acquired via :func:`~acquire_token_for_client()` for the current client.N)rrTrgr) rr:rrrrrrrrr)renvrs rremove_tokens_for_client6ConfidentialClientApplication.remove_tokens_for_clientc sNN++,t/J/J''0))C4++22))66!^^"#'?3   **2. )rc URUR5n[URR"UURR 4UR U5[URS05S[URU5S9UR5S.UD65nSU;aURX`R'URU5 U$)aAcquires token using on-behalf-of (OBO) flow. The current app is a middle-tier service which was called with a token representing an end user. The current app can use such token (a.k.a. a user assertion) to request another token to access downstream web API, on behalf of that user. See `detail docs here `_ . The current middle-tier app has no user interaction to obtain consent. See how to gain consent upfront for your middle-tier app from this article. https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#gaining-consent-for-the-middle-tier-application :param str user_assertion: The incoming token already received by this app :param list[str] scopes: Scopes required by downstream API (a resource). :param claims_challenge: The claims_challenge parameter requests specific claims requested by the resource provider in the form of a claims_challenge directive in the www-authenticate header to be returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token. It is a string of a JSON object which contains lists of claims being requested from these locations. :return: A dict representing the json response from Microsoft Entra: - A successful response would contain "access_token" key, - an error response would contain "error" and usually "error_description". r on_behalf_of)requested_token_userv)rtrrr*)r4r~r~rrwGRANT_TYPE_JWTr*rvrr6rrrrr)ruser_assertionr&r3rrrs racquire_token_on_behalf_of8ConfidentialClientApplication.acquire_token_on_behalf_ofq s4!99  . .0T[[BB  KK & &&&v.  62&$2?--/?AB &668 !" X %+/+A+AH'' (**84rrr) rrrrr}rrrrrrrrrr) s!H< 6 /1rr)=rr-rzloggingrr threadingrtypingr urllib.parserr oauth2clirroauth2cli.oidcr rr r mexr rnwstrust_requestrowstrust_responserrrrmsal.telemetryr0regionrthrottled_http_clientrrrskurr getLoggerrrrrr(r6r<r\rcrir~rrrrrrrrrrrs  ! 2',1=FF"62!   8 $)! ) #@(  $)X;;< YeeP5i/iX y$5yr