def test_claims_challenge():
"""get_token should and authenticate pass any claims challenge to MSAL token acquisition APIs"""
msal_acquire_token_result = dict(
build_aad_response(access_token="**", id_token=build_id_token()),
id_token_claims=id_token_claims("issuer", "subject", "audience", upn="upn"),
)
expected_claims = '{"access_token": {"essential": "true"}'
transport = Mock(send=Mock(side_effect=Exception("this test mocks MSAL, so no request should be sent")))
credential = UsernamePasswordCredential("client-id", "username", "password", transport=transport)
with patch.object(UsernamePasswordCredential, "_get_app") as get_mock_app:
msal_app = get_mock_app()
msal_app.acquire_token_by_username_password.return_value = msal_acquire_token_result
credential.authenticate(scopes=["scope"], claims=expected_claims)
assert msal_app.acquire_token_by_username_password.call_count == 1
args, kwargs = msal_app.acquire_token_by_username_password.call_args
assert kwargs["claims_challenge"] == expected_claims
credential.get_token("scope", claims=expected_claims)
assert msal_app.acquire_token_by_username_password.call_count == 2
args, kwargs = msal_app.acquire_token_by_username_password.call_args
assert kwargs["claims_challenge"] == expected_claims
msal_app.get_accounts.return_value = [{"home_account_id": credential._auth_record.home_account_id}]
msal_app.acquire_token_silent_with_error.return_value = msal_acquire_token_result
credential.get_token("scope", claims=expected_claims)
assert msal_app.acquire_token_silent_with_error.call_count == 1
args, kwargs = msal_app.acquire_token_silent_with_error.call_args
assert kwargs["claims_challenge"] == expected_claims
def test_authenticate():
client_id = "client-id"
environment = "localhost"
issuer = "https://" + environment
tenant_id = "some-tenant"
authority = issuer + "/" + tenant_id
access_token = "***"
scope = "scope"
# mock AAD response with id token
object_id = "object-id"
home_tenant = "home-tenant-id"
username = "******"
id_token = build_id_token(aud=client_id,
iss=issuer,
object_id=object_id,
tenant_id=home_tenant,
username=username)
auth_response = build_aad_response(uid=object_id,
utid=home_tenant,
access_token=access_token,
refresh_token="**",
id_token=id_token)
transport = validating_transport(
requests=[Request(url_substring=issuer)] * 4,
responses=[
get_discovery_response(authority), # instance discovery
get_discovery_response(authority), # tenant discovery
mock_response(status_code=404), # user realm discovery
mock_response(json_payload=auth_response
), # token request following authenticate()
],
)
credential = UsernamePasswordCredential(
username=username,
password="******",
authority=environment,
client_id=client_id,
tenant_id=tenant_id,
transport=transport,
)
record = credential.authenticate(scopes=(scope, ))
for auth_record in (record, credential.authentication_record):
assert auth_record.authority == environment
assert auth_record.home_account_id == object_id + "." + home_tenant
assert auth_record.tenant_id == home_tenant
assert auth_record.username == username
# credential should have a cached access token for the scope passed to authenticate
token = credential.get_token(scope)
assert token.token == access_token
