|
| 1 | +# How to Smoke Test MSAL Python |
| 2 | + |
| 3 | +The experimental `python -m msal` usage is designed to be an interactive tool, |
| 4 | +which can impersonate arbitrary apps and test most of the MSAL Python APIs. |
| 5 | +Note that MSAL Python API's behavior is modeled after OIDC behavior in browser, |
| 6 | +which are not exactly the same as the broker API's behavior, |
| 7 | +despite that the two sets of API happen to have similar names. |
| 8 | + |
| 9 | +Tokens acquired during the tests will be cached by MSAL Python. |
| 10 | +MSAL Python uses an in-memory token cache by default. |
| 11 | +This test tool, however, saves a token cache snapshot on disk upon each exit, |
| 12 | +and you may choose to reuse it or start afresh during start up. |
| 13 | + |
| 14 | +Typical test cases are listed below. |
| 15 | + |
| 16 | +1. The tool starts with an empty token cache. |
| 17 | + In this state, acquire_token_silent() shall always return empty result. |
| 18 | + |
| 19 | +2. When testing with broker, apps would need to register a certain redirect_uri |
| 20 | + for the test cases below to work. |
| 21 | + We will also test an app without the required redirect_uri registration, |
| 22 | + MSAL Python shall return a meaningful error message on what URIs to register. |
| 23 | + |
| 24 | +3. Interactive acquire_token_interactive() shall get a token. In particular, |
| 25 | + |
| 26 | + * The prompt=none option shall succeed when there is a default account, |
| 27 | + or error out otherwise. |
| 28 | + * The prompt=select_account option shall always prompt with an account picker. |
| 29 | + * The prompt=absent option shall prompt an account picker UI |
| 30 | + if there are multiple accounts available in browser |
| 31 | + and none of them is considered a default account. |
| 32 | + In such a case, an optional login_hint=`one_of_the_account@contoso.com` |
| 33 | + shall bypass the account picker. |
| 34 | + |
| 35 | + With a broker, the behavior shall largely match the browser behavior, |
| 36 | + unless stated otherwise below. |
| 37 | + |
| 38 | + * Broker (PyMsalRuntime) on Mac does not support silent signin, |
| 39 | + so the prompt=absent will also always prompt. |
| 40 | + |
| 41 | +4. ROPC (Resource Owner Password Credential, a.k.a. the username password flow). |
| 42 | + The acquire_token_by_username_password() is supported by broker on Windows. |
| 43 | + As of Oct 2023, it is not yet supported by broker on Mac, |
| 44 | + so it will fall back to non-broker behavior. |
| 45 | + |
| 46 | +5. After step 3 or 4, the acquire_token_silently() shall return a token fast, |
| 47 | + because that is the same token returned by step 3 or 4, cached in MSAL Python. |
| 48 | + We shall also retest this with the force_refresh=True, |
| 49 | + a new token shall be obtained, |
| 50 | + typically slower than a token served from MSAL Python's token cache. |
| 51 | + |
| 52 | +6. POP token. |
| 53 | + POP token is supported via broker. |
| 54 | + This tool test the POP token by using a hardcoded Signed Http Request (SHR). |
| 55 | + A test is successful if the POP test function return a token with type as POP. |
| 56 | + |
| 57 | +7. SSH Cert. |
| 58 | + The interactive test and silent test shall behave similarly to |
| 59 | + their non ssh-cert counterparts, only the `token_type` would be different. |
| 60 | + |
| 61 | +8. Test the remove_account() API. It shall always be successful. |
| 62 | + This effectively signs out an account from MSAL Python, |
| 63 | + we can confirm that by running acquire_token_silent() |
| 64 | + and see that account was gone. |
| 65 | + |
| 66 | + The remove_account() shall also sign out from broker (if broker was enabled), |
| 67 | + it does not sign out account from browser (even when browser was used). |
| 68 | + |
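Review bot: Lines 11-12 say the tool saves a token cache snapshot on disk upon each exit, but the document never names the file, says what permissions it is written with, or tells the tester how to discard it. Line 9 states that tokens acquired during the tests are cached, and line 4 says the tool can impersonate arbitrary apps, so that snapshot holds tokens for whatever app and account were used in the session. Please state where the snapshot is written and add a cleanup step after step 8. Separately, step 5 (line 46) names the API acquire_token_silently() while steps 1 and 8 (lines 17 and 63) use acquire_token_silent(); use one spelling throughout. In step 3, "prompt=absent" (lines 29 and 39) reads like a literal parameter value; if it means the prompt parameter is omitted, say so explicitly. Minor grammar in step 6 (lines 54-55): "This tool test" and "function return" should be "tests" and "returns".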