tessl/pypi-msal
Microsoft Authentication Library for Python enabling OAuth2/OIDC authentication with Microsoft identity platform
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-msal@1.33.0index.mddocs/
MSAL - Microsoft Authentication Library
The Microsoft Authentication Library (MSAL) for Python enables your app to access the Microsoft Cloud by supporting authentication of users with Microsoft Azure Active Directory accounts (AAD), Microsoft Accounts (MSA), External identities, and Azure AD B2C accounts using industry standard OAuth2 and OpenID Connect protocols.
MSAL Python provides both public client applications for desktop/mobile scenarios and confidential client applications for server-side scenarios, with automatic token caching, refresh capabilities, broker support for enhanced security, and extensive configuration options for different authentication flows.
Package Information
- Package Name: msal
- Language: Python
- Installation:
pip install msal - Optional broker support:
pip install msal[broker]
Core Imports
import msalCommon imports for different application types:
from msal import PublicClientApplication, ConfidentialClientApplicationToken caching imports:
from msal import TokenCache, SerializableTokenCacheManaged identity imports:
from msal import ManagedIdentityClient, SystemAssignedManagedIdentity, UserAssignedManagedIdentityVersion information:
import msal
print(msal.__version__) # "1.33.0"Basic Usage
Public Client Application (Desktop/Mobile)
import msal
# Create a public client application
app = msal.PublicClientApplication(
client_id="your-client-id",
authority="https://login.microsoftonline.com/your-tenant-id"
)
# Get accounts from cache
accounts = app.get_accounts()
# Try silent authentication first
result = None
if accounts:
result = app.acquire_token_silent(
scopes=["User.Read"],
account=accounts[0]
)
# If silent fails, use interactive authentication
if not result:
result = app.acquire_token_interactive(
scopes=["User.Read"]
)
if "access_token" in result:
print("Authentication successful!")
print(f"Access token: {result['access_token'][:20]}...")
else:
print(f"Authentication failed: {result.get('error_description')}")Confidential Client Application (Server-side)
import msal
# Create a confidential client application
app = msal.ConfidentialClientApplication(
client_id="your-client-id",
client_credential="your-client-secret",
authority="https://login.microsoftonline.com/your-tenant-id"
)
# Acquire token for client (Client Credentials flow)
result = app.acquire_token_for_client(
scopes=["https://graph.microsoft.com/.default"]
)
if "access_token" in result:
print("Authentication successful!")
access_token = result["access_token"]
else:
print(f"Authentication failed: {result.get('error_description')}")Architecture
MSAL Python follows the OAuth2/OIDC protocol specifications with Microsoft identity platform extensions:
- Application Types: PublicClientApplication for native apps, ConfidentialClientApplication for server apps
- Token Management: Automatic caching, refresh, and persistence with TokenCache/SerializableTokenCache
- Authentication Flows: Interactive, device flow, authorization code, username/password, client credentials, on-behalf-of
- Security Features: Proof-of-Possession tokens, broker integration, certificate-based authentication
- Azure Integration: Managed identity support, Azure AD B2C, multi-tenant applications
The library handles protocol complexities like token refresh, scope validation, and error handling while providing a simple, consistent API across different authentication scenarios.
Capabilities
Public Client Applications
Desktop and mobile application authentication with interactive browser flows, device code authentication for browserless devices, and optional broker integration for enhanced security through device identity.
class PublicClientApplication(ClientApplication):
def __init__(
self,
client_id: str,
client_credential=None,
*,
enable_broker_on_windows=None,
enable_broker_on_mac=None,
enable_broker_on_linux=None,
enable_broker_on_wsl=None,
**kwargs
): ...
def acquire_token_interactive(
self,
scopes: list,
prompt=None,
login_hint=None,
domain_hint=None,
claims_challenge=None,
timeout=None,
port=None,
extra_scopes_to_consent=None,
max_age=None,
parent_window_handle=None,
on_before_launching_ui=None,
auth_scheme=None,
**kwargs
): ...
def initiate_device_flow(self, scopes=None, **kwargs): ...
def acquire_token_by_device_flow(self, flow, claims_challenge=None, **kwargs): ...Confidential Client Applications
Server-side web application authentication with client credentials flow for service-to-service authentication, authorization code flow for web apps, and on-behalf-of flow for middle-tier services acting on behalf of users.
class ConfidentialClientApplication(ClientApplication):
def __init__(
self,
client_id: str,
client_credential,
authority=None,
**kwargs
): ...
def acquire_token_for_client(
self,
scopes: list,
claims_challenge=None,
**kwargs
): ...
def acquire_token_on_behalf_of(
self,
user_assertion: str,
scopes: list,
claims_challenge=None,
**kwargs
): ...Confidential Client Applications
Token Caching
Unified token cache system supporting both in-memory caching for single-session applications and persistent caching for multi-session scenarios. Includes automatic token refresh, account management, and cross-application token sharing.
class TokenCache:
def __init__(self): ...
def find(
self,
credential_type: str,
target=None,
query=None,
now=None
) -> list: ...
def add(self, event: dict, now=None): ...
class SerializableTokenCache(TokenCache):
def serialize(self) -> str: ...
def deserialize(self, state: str): ...Common Authentication Flows
Shared authentication functionality including silent token acquisition from cache, authorization code flow initiation and completion, username/password authentication, refresh token handling, and account management across all application types.
class ClientApplication:
def acquire_token_silent(
self,
scopes: list,
account,
authority=None,
force_refresh=False,
claims_challenge=None,
**kwargs
): ...
def initiate_auth_code_flow(
self,
scopes: list,
redirect_uri=None,
state=None,
prompt=None,
login_hint=None,
**kwargs
): ...
def acquire_token_by_auth_code_flow(
self,
auth_code_flow: dict,
auth_response: dict,
scopes=None,
**kwargs
): ...
def acquire_token_by_username_password(
self,
username: str,
password: str,
scopes: list,
claims_challenge=None,
auth_scheme=None,
**kwargs
): ...
def acquire_token_by_refresh_token(
self,
refresh_token: str,
scopes: list,
**kwargs
): ...
def get_accounts(self, username=None) -> list: ...
def remove_account(self, account): ...Azure Managed Identity
Azure managed identity authentication for virtual machines, container instances, and other Azure services. Supports both system-assigned identities (automatically created with the resource) and user-assigned identities (standalone resources assigned to multiple services).
class ManagedIdentityClient:
def __init__(
self,
managed_identity,
http_client=None,
token_cache=None,
**kwargs
): ...
def acquire_token_for_client(
self,
resource: str,
claims_challenge=None
): ...
class SystemAssignedManagedIdentity:
def __init__(self): ...
class UserAssignedManagedIdentity:
def __init__(
self,
client_id=None,
object_id=None,
resource_id=None
): ...Security and Advanced Features
Advanced security features including Proof-of-Possession (PoP) token authentication for enhanced security, certificate-based authentication with X.509 certificates, custom authentication schemes, and comprehensive error handling with detailed error information.
class PopAuthScheme:
def __init__(
self,
http_method: str = None,
url: str = None,
nonce: str = None
): ...
def extract_certs(public_cert_content: str) -> list: ...
class Prompt:
NONE = "none"
LOGIN = "login"
CONSENT = "consent"
SELECT_ACCOUNT = "select_account"
CREATE = "create"Security and Advanced Features
Types
# Authentication result dictionary
AuthResult = dict # Contains 'access_token', 'token_type', 'expires_in', etc.
# Account dictionary from cache
Account = dict # Contains 'home_account_id', 'environment', 'username', etc.
# Auth code flow state dictionary
AuthCodeFlow = dict # Contains 'auth_uri', 'state', 'code_verifier', etc.
# Device flow state dictionary
DeviceFlow = dict # Contains 'device_code', 'user_code', 'verification_uri', etc.Exception Types
class MsalError(Exception):
"""Base exception for MSAL errors."""
class MsalServiceError(MsalError):
"""Exception for errors from identity service."""
def __init__(self, *args, error: str, error_description: str, **kwargs): ...
class IdTokenError(RuntimeError):
"""Exception for ID token validation errors."""
class IdTokenIssuerError(IdTokenError):
"""Exception for ID token issuer validation errors."""
class IdTokenAudienceError(IdTokenError):
"""Exception for ID token audience validation errors."""
class IdTokenNonceError(IdTokenError):
"""Exception for ID token nonce validation errors."""
class BrowserInteractionTimeoutError(RuntimeError):
"""Exception for browser interaction timeout."""
class ManagedIdentityError(ValueError):
"""Exception for managed identity errors."""
class ArcPlatformNotSupportedError(ManagedIdentityError):
"""Exception for unsupported Azure Arc platforms."""