feat: add integrated windows authentication support under public clients

[shajia-deshaw]

Overview

Adds support for Integrated Windows Authentication similar to the Java/.NET clients/

Fixes: #31

[rayluo]

Thanks, @shajia-deshaw . Is there any way to test this? Can they be written into test cases?
Anyway, I'll leave this to @ashok672 for reviewing.

[shajia-deshaw]

Sure @rayluo - I can add the test cases shortly (I had this tested with a driver script internally)

from msal import PublicClientApplication
app = PublicClientApplication(
    "<client_id>",
    authority="https://login.microsoftonline.com/<tenant_id>")
token = app.acquire_token_integrated_windows_auth("<upn>")
print(token)

[shajia-deshaw]

I'm not sure how this number is mapped. I just added a random number for IWA btw.

[shajia-deshaw]

The access token returned by IWA did not meet the criteria to be added as an ACCOUNT credential type in the TokenCache i.e. it didn't have client_info in the response. It was being added as a ACCESS_TOKEN credential type. The cache test in the e2e tests were failing because of it since the get_accounts() call didn't return anything and it assumed there was nothing being added to the cache. Hence, I added a special case of iwa to be added to the ACCOUNT credential type.

The other alternative is to add a method for get_access_tokens similar to get_accounts and use it to decide if we need to acquire new tokens silently for the items in cache.

[shajia-deshaw]

Hello folks, just an update - I'm working with my employer to sign the CLA soon.

[shajia-deshaw]

@microsoft-github-policy-service agree company="D. E. Shaw & Co., L.P."

[shajia-deshaw]

Hello @ashok672 - Checking if you had a chance to review the PR? Thanks.

[velulev]

Hello @ashok672 - Checking if you had a chance to review the PR? Thanks.

Hi @ashok672 , please let us know if there is anything else we can help on this with. Thanks.

[aschafs]

I just wanted to check if this PR was going to be reviewed and merged. We're very interested in getting IWA support in the msal python library. Thanks!

[bgavrilMS]

I don't think so, we are discussing to deprecate Integrated Windows Auth from all MSALs in favor of WAM (broker use). Integrated Windows Auth relies on SAML and HTTP level contracts which are easily broken by network changes, and this causes a lot of churn and support issues. WAM uses a different protocol (PRT) which is not affected.

@iulico-1 @localden - can you provide a perspective as scenario owners?

[rayluo]

I don't think so, we are discussing to deprecate Integrated Windows Auth from all MSALs in favor of WAM (broker use). Integrated Windows Auth relies on SAML and HTTP level contracts which are easily broken by network changes, and this causes a lot of churn and support issues. WAM uses a different protocol (PRT) which is not affected.

@iulico-1 @localden - can you provide a perspective as scenario owners?

For the sake of completeness, we had a similar conversation in the feature request issue with the contributor, who mentioned that IWA also works on Linux and that was part of the reason that they worked out this PR. That is a scenario that not currently satisfied by broker.

[shajia-deshaw]

I don't think so, we are discussing to deprecate Integrated Windows Auth from all MSALs in favor of WAM (broker use). Integrated Windows Auth relies on SAML and HTTP level contracts which are easily broken by network changes, and this causes a lot of churn and support issues. WAM uses a different protocol (PRT) which is not affected.
@iulico-1 @localden - can you provide a perspective as scenario owners?

For the sake of completeness, we had a similar conversation in the feature request issue with the contributor, who mentioned that IWA also works on Linux and that was part of the reason that they worked out this PR. That is a scenario that not currently satisfied by broker.

Thanks @rayluo for adding context!

FTR, we've been using the patched version of MSAL with Kerberos / IWA flow for months in our internal linux services and applications -- Things have been working just fine.

However, we believe this could be a general enhancement in the upstream MSAL library, benefiting similar users, as evident from the comments on the issue/PR.

[localden]

Adding my perspective here - on Windows and macOS, we are indeed shifting to authentication brokers; however, that leaves Linux scenarios in the open and we will need to continue falling back on the vanilla API. I am not inherently opposed to having a native IWA implementation in MSAL Python, but we'd need to coordinate how it falls back to broker and when.

@ashok672 @iulico-1 - something for us to discuss.

[iulico-1]

acquire_token_integrated_windows_auth

I am not convinced we need to introduce Windows integrated Auth flow as a separate API.

Windows Integrated Auth is conceptually the same as functionality as default account that brokers (WAM) expose.

Can we follow the same pattern we did with OS account on .net ?

[localden]

@iulico-1 - how is this going to work on Linux, where there is no WAM? We can't expect every customer to enroll their device either.

[alextok]

On linux there is no WIA also :) this api will just fail with UIRequired on linux without broker integration.

[rayluo]

On linux there is no WIA also :) this api will just fail with UIRequired on linux without broker integration.

But the customer claimed otherwise.