Closed
17 changes: 16 additions & 1 deletion msal/application.py
Expand Up @@ -293,6 +293,8 @@ def get_authorization_request_url(
nonce=None,
domain_hint=None, # type: Optional[str]
claims_challenge=None,
code_challenge=None,
code_challenge_method=None,
**kwargs):
"""Constructs a URL for you to start a Authorization Code Grant.

Expand Down Expand Up @@ -330,6 +332,11 @@ def get_authorization_request_url(
in the form of a claims_challenge directive in the www-authenticate header to be
returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token.
It is a string of a JSON object which contains lists of claims being requested from these locations.
:param code_challenge:
A challenge derived from the code verifier that is sent in the
authorization request, to be verified against later. Please refer: https://tools.ietf.org/html/rfc7636
:param code_challenge_method:
A method that was used to derive code challenge. Please refer: https://tools.ietf.org/html/rfc7636

:return: The authorization url as a string.
"""
Expand Down Expand Up @@ -365,6 +372,8 @@ def get_authorization_request_url(
domain_hint=domain_hint,
claims=_merge_claims_challenge_and_capabilities(
self._client_capabilities, claims_challenge),
code_challenge=code_challenge,
code_challenge_method=code_challenge_method,
)

def acquire_token_by_authorization_code(
Expand All @@ -377,6 +386,7 @@ def acquire_token_by_authorization_code(
# values MUST be identical.
nonce=None,
claims_challenge=None,
code_verifier=None,
**kwargs):
"""The second half of the Authorization Code Grant.

Expand Down Expand Up @@ -408,6 +418,10 @@ def acquire_token_by_authorization_code(
returned from the UserInfo Endpoint and/or in the ID Token and/or Access Token.
It is a string of a JSON object which contains lists of claims being requested from these locations.

:param code_verifier:
A cryptographically random string that is used to correlate the
authorization request to the token request. Please refer: https://tools.ietf.org/html/rfc7636

:return: A dict representing the json response from AAD:

- A successful response would contain "access_token" key,
Expand All @@ -431,7 +445,8 @@ def acquire_token_by_authorization_code(
data=dict(
kwargs.pop("data", {}),
claims=_merge_claims_challenge_and_capabilities(
self._client_capabilities, claims_challenge)),
self._client_capabilities, claims_challenge),
code_verifier=code_verifier),
nonce=nonce,
**kwargs)

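Review bot: In the last hunk of `acquire_token_by_authorization_code`, `code_verifier=code_verifier` is passed as a keyword to `dict(kwargs.pop("data", {}), ...)`, so when the new parameter is left at `None` it overwrites any `code_verifier` a caller already supplied through `data`. How the underlying client serialises a `None` value is not visible here, but the token request would then carry no usable verifier and an exchange that began with a `code_challenge` is likely to be rejected. Build the dict first and add the key only when it is set, e.g. `if code_verifier is not None: data["code_verifier"] = code_verifier`. The `code_challenge_method` docstring could also say that `S256` is the expected value, since RFC 7636 treats an omitted method as `plain`. The function body continues outside the hunk.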