Integrate with PyMsalRuntime on mac

Use new enable_broker

Use 2 flags, one per supported platform

Documents the requirement on parent_window_handle

Author: Ray Luo

msal/__main__.py

@@ -255,6 +255,7 @@ def _main():
             accept_nonempty_string=True,
             ),
         enable_broker_on_windows=enable_broker,
+        enable_broker_on_mac=enable_broker,
         enable_pii_log=enable_pii_log,
         token_cache=global_cache,
         )

msal/application.py

@@ -187,6 +187,8 @@ class ClientApplication(object):
         "You can enable broker by following these instructions. "
         "https://msal-python.readthedocs.io/en/latest/#publicclientapplication")
 
+    _enable_broker = False
+
     def __init__(
             self, client_id,
             client_credential=None, authority=None, validate_authority=True,
@@ -540,7 +542,9 @@ def _decide_broker(self, allow_broker, enable_pii_log):
         if allow_broker:
             warnings.warn(
                 "allow_broker is deprecated. "
-                "Please use PublicClientApplication(..., enable_broker_on_windows=True)",
+                "Please use PublicClientApplication(..., "
+                "enable_broker_on_windows=True, "
+                "enable_broker_on_mac=...)",
                 DeprecationWarning)
         self._enable_broker = self._enable_broker or (
             # When we started the broker project on Windows platform,
@@ -1646,7 +1650,8 @@ def acquire_token_by_username_password(
         """
         claims = _merge_claims_challenge_and_capabilities(
                 self._client_capabilities, claims_challenge)
-        if False:  # Disabled, for now. It was if self._enable_broker:
+        if False:  # Disabled, for now. It was if self._enable_broker and sys.platform != "darwin":
+            # _signin_silently() won't work on Mac. We may revisit on whether it shall work on Windows.
             from .broker import _signin_silently
             response = _signin_silently(
                 "https://{}/{}".format(self.authority.instance, self.authority.tenant),
@@ -1744,7 +1749,7 @@ def __init__(self, client_id, client_credential=None, **kwargs):
 
         .. note::
 
-            You may set enable_broker_on_windows to True.
+            You may set enable_broker_on_windows and/or enable_broker_on_mac to True.
 
             What is a broker, and why use it?
 
@@ -1773,9 +1778,11 @@ def __init__(self, client_id, client_credential=None, **kwargs):
 
                * ``ms-appx-web://Microsoft.AAD.BrokerPlugin/your_client_id``
                  if your app is expected to run on Windows 10+
+               * ``msauth.com.msauth.unsignedapp://auth``
+                 if your app is expected to run on Mac
 
             2. installed broker dependency,
-               e.g. ``pip install msal[broker]>=1.25,<2``.
+               e.g. ``pip install msal[broker]>=1.27.0b1,<2``.
 
             3. tested with ``acquire_token_interactive()`` and ``acquire_token_silent()``.
 
@@ -1784,12 +1791,21 @@ def __init__(self, client_id, client_credential=None, **kwargs):
             This parameter defaults to None, which means MSAL will not utilize a broker.
 
             New in MSAL Python 1.25.0.
+
+        :param boolean enable_broker_on_mac:
+            This setting is only effective if your app is running on Mac.
+            This parameter defaults to None, which means MSAL will not utilize a broker.
+
+            New in MSAL Python 1.27.0.
         """
         if client_credential is not None:
             raise ValueError("Public Client should not possess credentials")
         # Using kwargs notation for now. We will switch to keyword-only arguments.
         enable_broker_on_windows = kwargs.pop("enable_broker_on_windows", False)
-        self._enable_broker = enable_broker_on_windows and sys.platform == "win32"
+        enable_broker_on_mac = kwargs.pop("enable_broker_on_mac", False)
+        self._enable_broker = bool(
+            enable_broker_on_windows and sys.platform == "win32"
+            or enable_broker_on_mac and sys.platform == "darwin")
         super(PublicClientApplication, self).__init__(
             client_id, client_credential=None, **kwargs)
 
@@ -1867,10 +1883,23 @@ def acquire_token_interactive(
             New in version 1.15.
 
         :param int parent_window_handle:
-            OPTIONAL. If your app is a GUI app running on modern Windows system,
-            and your app opts in to use broker,
-            you are recommended to also provide its window handle,
-            so that the sign in UI window will properly pop up on top of your window.
+            OPTIONAL.
+
+            * If your app does not opt in to use broker,
+              you do not need to provide a ``parent_window_handle`` here.
+
+            * If your app opts in to use broker,
+              ``parent_window_handle`` is required.
+
+              - If your app is a GUI app running on modern Windows system,
+                you are required to also provide its window handle,
+                so that the sign-in window will pop up on top of your window.
+              - If your app is a console app runnong on Windows system,
+                you can use a placeholder
+                ``PublicClientApplication.CONSOLE_WINDOW_HANDLE``.
+              - If your app is running on Mac,
+                you can use a placeholder
+                ``PublicClientApplication.CONSOLE_WINDOW_HANDLE``.
 
             New in version 1.20.0.
 

msal/broker.py

@@ -1,7 +1,6 @@
 """This module is an adaptor to the underlying broker.
 It relies on PyMsalRuntime which is the package providing broker's functionality.
 """
-from threading import Event
 import json
 import logging
 import time
@@ -35,14 +34,12 @@ class TokenTypeError(ValueError):
     pass
 
 
-class _CallbackData:
-    def __init__(self):
-        self.signal = Event()
-        self.result = None
-
-    def complete(self, result):
-        self.signal.set()
-        self.result = result
+_redirect_uri_on_mac = "msauth.com.msauth.unsignedapp://auth"  # Note:
+    # On Mac, the native Python has a team_id which links to bundle id
+    # com.apple.python3 however it won't give Python scripts better security.
+    # Besides, the homebrew-installed Pythons have no team_id
+    # so they have to use a generic placeholder anyway.
+    # The v-team chose to combine two situations into using same placeholder.
 
 
 def _convert_error(error, client_id):
@@ -52,8 +49,9 @@ def _convert_error(error, client_id):
             or "AADSTS7000218" in context  # This "request body must contain ... client_secret" is just a symptom of current app has no WAM redirect_uri
             ):
         raise RedirectUriError(  # This would be seen by either the app developer or end user
-            "MsalRuntime won't work unless this one more redirect_uri is registered to current app: "
-            "ms-appx-web://Microsoft.AAD.BrokerPlugin/{}".format(client_id))
+            "MsalRuntime needs the current app to register these redirect_uri "
+            "(1) ms-appx-web://Microsoft.AAD.BrokerPlugin/{} (2) {}".format(
+            client_id, _redirect_uri_on_mac))
         # OTOH, AAD would emit other errors when other error handling branch was hit first,
         # so, the AADSTS50011/RedirectUriError is not guaranteed to happen.
     return {
@@ -70,8 +68,8 @@ def _convert_error(error, client_id):
 
 
 def _read_account_by_id(account_id, correlation_id):
-    """Return an instance of MSALRuntimeAccount, or log error and return None"""
-    callback_data = _CallbackData()
+    """Return an instance of MSALRuntimeError or MSALRuntimeAccount, or None"""
+    callback_data = pymsalruntime.CallbackData()
     pymsalruntime.read_account_by_id(
         account_id,
         correlation_id,
@@ -142,7 +140,7 @@ def _signin_silently(
         params.set_pop_params(
             auth_scheme._http_method, auth_scheme._url.netloc, auth_scheme._url.path,
             auth_scheme._nonce)
-    callback_data = _CallbackData()
+    callback_data = pymsalruntime.CallbackData()
     for k, v in kwargs.items():  # This can be used to support domain_hint, max_age, etc.
         if v is not None:
             params.set_additional_parameter(k, str(v))
@@ -169,8 +167,11 @@ def _signin_interactively(
         **kwargs):
     params = pymsalruntime.MSALRuntimeAuthParameters(client_id, authority)
     params.set_requested_scopes(scopes)
-    params.set_redirect_uri("placeholder")  # pymsalruntime 0.1 requires non-empty str,
+    params.set_redirect_uri(
+        # pymsalruntime on Windows requires non-empty str,
         # the actual redirect_uri will be overridden by a value hardcoded by the broker
+        _redirect_uri_on_mac,
+        )
     if prompt:
         if prompt == "select_account":
             if login_hint:
@@ -197,7 +198,7 @@ def _signin_interactively(
             params.set_additional_parameter(k, str(v))
     if claims:
         params.set_decoded_claims(claims)
-    callback_data = _CallbackData()
+    callback_data = pymsalruntime.CallbackData(is_interactive=True)
     pymsalruntime.signin_interactively(
         parent_window_handle or pymsalruntime.get_console_window() or pymsalruntime.get_desktop_window(),  # Since pymsalruntime 0.2+
         params,
@@ -230,7 +231,7 @@ def _acquire_token_silently(
     for k, v in kwargs.items():  # This can be used to support domain_hint, max_age, etc.
         if v is not None:
             params.set_additional_parameter(k, str(v))
-    callback_data = _CallbackData()
+    callback_data = pymsalruntime.CallbackData()
     pymsalruntime.acquire_token_silently(
         params,
         correlation_id,
@@ -246,7 +247,7 @@ def _signout_silently(client_id, account_id, correlation_id=None):
     account = _read_account_by_id(account_id, correlation_id)
     if account is None:
         return
-    callback_data = _CallbackData()
+    callback_data = pymsalruntime.CallbackData()
     pymsalruntime.signout_silently(  # New in PyMsalRuntime 0.7
         client_id,
         correlation_id,

sample/interactive_sample.py

@@ -37,8 +37,11 @@
 # Create a preferably long-lived app instance, to avoid the overhead of app creation
 global_app = msal.PublicClientApplication(
     config["client_id"], authority=config["authority"],
+
+    # You may opt in to use broker. See also: https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-acquire-token-wam#wam-value-proposition
     #enable_broker_on_windows=True,  # Opted in. You will be guided to meet the prerequisites, if your app hasn't already
-        # See also: https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-acquire-token-wam#wam-value-proposition
+    #enable_broker_on_mac=True,  # Opted in. You will be guided to meet the prerequisites, if your app hasn't already
+
     token_cache=global_token_cache,  # Let this app (re)use an existing token cache.
         # If absent, ClientApplication will create its own empty token cache
     )

setup.cfg

@@ -63,9 +63,9 @@ broker =
     # The broker is defined as optional dependency,
     # so that downstream apps can opt in. The opt-in is needed, partially because
     # most existing MSAL Python apps do not have the redirect_uri needed by broker.
-    # MSAL Python uses a subset of API from PyMsalRuntime 0.13.0+,
-    # but we still bump the lower bound to 0.13.2+ for its important bugfix (https://github.com/AzureAD/microsoft-authentication-library-for-cpp/pull/3244)
-    pymsalruntime>=0.13.2,<0.14; python_version>='3.6' and platform_system=='Windows'
+    # We need pymsalruntime.CallbackData introduced in PyMsalRuntime 0.14
+    pymsalruntime>=0.14,<0.15; python_version>='3.6' and platform_system=='Windows'
+    pymsalruntime>=0.14,<0.15; python_version>='3.8' and platform_system=='Darwin'
 
 [options.packages.find]
 exclude =

tests/test_e2e.py

@@ -195,6 +195,7 @@ def _build_app(cls,
                 authority=authority,
                 http_client=http_client or MinimalHttpClient(),
                 enable_broker_on_windows=broker_available,
+                enable_broker_on_mac=broker_available,
                 )
 
     def _test_username_password(self,