[Feature Request] Client assertion should accept a callback function #746

Open
jdeus opened this issue Sep 18, 2024 · 2 comments · May be fixed by #747
Comments

@jdeus

jdeus commented Sep 18, 2024

MSAL client type

Confidential

Problem Statement

When client_credential is set to client_assertion, the only acceptable value is a token. However, tokens have a definite validity and, as a result, the library, as is, is not suitable when using dynamic tokens - such as when using workload identities in AKS - because at some point the token becomes expired and a new instance of the Confidential client has to be initiated, which is not straightforward.

Proposed solution

I propose that client_assertion should accept a callback function which is evaluated on demand by the MSAL library, allowing the user-supplied function to retrieve a custom token.

This feature is already available in the .NET and JS versions of this library.

@rayluo
Collaborator

rayluo commented Sep 18, 2024

Guess what? Since day 1, MSAL Python has an undocumented feature of accepting this:

from msal import ConfidentialClientApplication

def assertion_callback():
    # Called by MSAL each time it is about to send a token request on the wire.
    return "dynamically obtain your new assertion here"

app = ConfidentialClientApplication(
   ...,
   client_credential={"client_assertion": assertion_callback},
)

Note that the callback will be called whenever a token request needs to be sent on the wire. That means:

  1. If you are acquiring the same token (via acquire_token_for_client(..., scopes=["same", "scopes"]) or via acquire_token_silent(...)), MSAL Python's token cache will automatically kick in, no new token request will be made, and your callback won't be called, which is good for efficiency.
  2. If you are acquiring a new token (via acquire_token_for_client(..., scopes=["different", "scopes"]), or via acquire_token_on_behalf_of("a new user assertion", ...)), your callback will be frequently called. But luckily, MSAL Python also has an internal helper AutoRefresher.
    from msal import AutoRefresher  # NOT YET available, but we can expose it in our next release
    smart_callback = AutoRefresher(assertion_callback, expires_in=3600)
    app = ConfidentialClientApplication(
       ...,
       client_credential={"client_assertion": smart_callback},
    )
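The pattern described in the comment above, worked through as an added example that is not part of this issue or of MSAL Python itself. It assumes the AKS workload-identity layout (the kubelet rotates a projected JWT at the path in AZURE_FEDERATED_TOKEN_FILE) and stands in for the not-yet-exposed AutoRefresher with a hypothetical CachedAssertion wrapper that refreshes shortly before the assertion's own exp claim instead of on a fixed TTL. The names make_file_assertion_callback, CachedAssertion, build_sample_assertion and demo_rotation are all assumptions introduced here; the sample JWT is constructed and unsigned so that the demo runs offline.

```python
import base64
import json
import os
import tempfile
import threading
import time
from typing import Callable, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_expiry(assertion: str) -> Optional[int]:
    """Return the 'exp' claim of a compact JWT, or None if it has none.

    No signature check on purpose: this is our own outbound credential and
    'exp' is read only to schedule the next refresh, never to trust the token.
    """
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("client assertion is not a compact-serialised JWT")
    exp = json.loads(_b64url_decode(parts[1])).get("exp")
    return None if exp is None else int(exp)


def make_file_assertion_callback(token_file: Optional[str] = None) -> Callable[[], str]:
    """Callback that re-reads the projected token file on every call.

    Assumption: AZURE_FEDERATED_TOKEN_FILE is the file rotated by the kubelet.
    """
    path = token_file or os.environ["AZURE_FEDERATED_TOKEN_FILE"]

    def assertion_callback() -> str:
        with open(path, "r", encoding="utf-8") as fh:
            token = fh.read().strip()
        if not token:
            raise RuntimeError(f"empty client assertion in {path}")
        return token

    return assertion_callback


class CachedAssertion:
    """Hypothetical stand-in for AutoRefresher: reuse the callback's result
    until skew_seconds before the JWT's 'exp', then call it again."""

    def __init__(self, callback: Callable[[], str], skew_seconds: int = 300,
                 now: Callable[[], float] = time.time) -> None:
        self._callback, self._skew, self._now = callback, skew_seconds, now
        self._lock = threading.Lock()
        self._cached: Optional[str] = None
        self._refresh_at = 0.0
        self.fetch_count = 0  # how many times the wrapped callback actually ran

    def __call__(self) -> str:
        with self._lock:
            if self._cached is None or self._now() >= self._refresh_at:
                self._cached = self._callback()
                self.fetch_count += 1
                exp = jwt_expiry(self._cached)
                # No 'exp' claim: refresh on every call rather than trust a stale value.
                self._refresh_at = (exp - self._skew) if exp is not None else 0.0
            return self._cached


def build_sample_assertion(exp: int) -> str:
    """Constructed, unsigned JWT so the demo runs offline (not a real token)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc({'sub': 'demo', 'exp': exp})}.sig"


def demo_rotation() -> dict:
    """Offline walk-through: the file is rotated, the wrapper picks it up in time."""
    clock = [1_700_000_000]  # fake clock keeps the demo deterministic
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "token")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(build_sample_assertion(clock[0] + 3600))
        cached = CachedAssertion(make_file_assertion_callback(path),
                                 skew_seconds=300, now=lambda: clock[0])
        first, again = cached(), cached()  # second call is served from the cache
        reads_before = cached.fetch_count
        clock[0] += 3600 - 300             # reach exp - skew
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(build_sample_assertion(clock[0] + 3600))
        rotated = cached()                 # forces a re-read of the rotated file
        return {"reads_before_rotation": reads_before,
                "reads_after_rotation": cached.fetch_count,
                "served_from_cache": first == again,
                "picked_up_new_token": rotated != first}


if __name__ == "__main__":
    # Real wiring; needs the msal package and the workload-identity env vars.
    from msal import ConfidentialClientApplication

    app = ConfidentialClientApplication(
        os.environ["AZURE_CLIENT_ID"],
        authority=f"https://login.microsoftonline.com/{os.environ['AZURE_TENANT_ID']}",
        client_credential={"client_assertion": CachedAssertion(make_file_assertion_callback())},
    )
    print(app.acquire_token_for_client(scopes=["https://graph.microsoft.com/.default"]))
```

The skew of 300 seconds is an assumption; pick it so the cached assertion is refreshed before the kubelet's own rotation window would leave MSAL sending an expired JWT, and keep the wrapper thread-safe because the confidential client is normally shared across request handlers.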

@bgavrilMS
Member

Cool, can you please (soft) deprecate the string variant then and ensure the docs are updated?

It just causes confusion and there is really no scenario where a string should be provided, because the string assertion expires.

@rayluo rayluo linked a pull request Sep 19, 2024 that will close this issue