feat: add integrated windows authentication support under public clients

Author: shajia-deshaw

msal/application.py

@@ -11,7 +11,7 @@
 from .oauth2cli import Client, JwtAssertionCreator
 from .oauth2cli.oidc import decode_part
 from .authority import Authority, WORLD_WIDE
-from .mex import send_request as mex_send_request
+from .mex import send_request as mex_send_request, send_request_iwa as mex_send_request_iwa
 from .wstrust_request import send_request as wst_send_request
 from .wstrust_response import *
 from .token_cache import TokenCache, _get_username, _GRANT_TYPE_BROKER
@@ -222,6 +222,7 @@ class ClientApplication(object):
     ACQUIRE_TOKEN_FOR_CLIENT_ID = "730"
     ACQUIRE_TOKEN_BY_AUTHORIZATION_CODE_ID = "832"
     ACQUIRE_TOKEN_INTERACTIVE = "169"
+    ACQUIRE_TOKEN_INTEGRATED_WINDOWS_AUTH_ID = "870"
     GET_ACCOUNTS_ID = "902"
     REMOVE_ACCOUNT_ID = "903"
 
@@ -2334,6 +2335,78 @@ def acquire_token_by_device_flow(self, flow, claims_challenge=None, **kwargs):
         telemetry_context.update_telemetry(response)
         return response
 
+    def acquire_token_integrated_windows_auth(self, username, scopes="openid", **kwargs):
+        """Gets a token for a given resource via Integrated Windows Authentication (IWA).
+
+        :param str username: Typically a UPN in the form of an email address.
+        :param str scopes: Scopes requested to access a protected API (a resource).
+
+        :return: A dict representing the json response from AAD:
+
+            - A successful response would contain "access_token" key,
+            - an error response would contain "error" and usually "error_description".
+        """
+        telemetry_context = self._build_telemetry_context(
+            self.ACQUIRE_TOKEN_INTEGRATED_WINDOWS_AUTH_ID)
+        headers = telemetry_context.generate_headers()
+        user_realm_result = self.authority.user_realm_discovery(
+            username,
+            correlation_id=headers[msal.telemetry.CLIENT_REQUEST_ID]
+        )
+        if user_realm_result.get("account_type") != "Federated":
+            raise ValueError("Server returned an unknown account type: %s" % user_realm_result.get("account_type"))
+        response = _clean_up(self._acquire_token_by_iwa_federated(user_realm_result, username, scopes, **kwargs))
+        if response is None:  # Either ADFS or not federated
+            raise ValueError("Integrated Windows Authentication failed for this user: %s", username)
+        if "access_token" in response:
+            response[self._TOKEN_SOURCE] = self._TOKEN_SOURCE_IDP
+        telemetry_context.update_telemetry(response)
+        return response
+
+    def _acquire_token_by_iwa_federated(
+            self, user_realm_result, username, scopes="openid", **kwargs):
+        wstrust_endpoint = {}
+        if user_realm_result.get("federation_metadata_url"):
+            mex_endpoint = user_realm_result.get("federation_metadata_url")
+            logger.debug(
+                "Attempting mex at: %(mex_endpoint)s",
+                {"mex_endpoint": mex_endpoint})
+            wstrust_endpoint = mex_send_request_iwa(mex_endpoint, self.http_client)
+            if wstrust_endpoint is None:
+                raise ValueError("Unable to find wstrust endpoint from MEX. "
+                                 "This typically happens when attempting MSA accounts. "
+                                 "More details available here. "
+                                 "https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication")
+        logger.debug("wstrust_endpoint = %s", wstrust_endpoint)
+        wstrust_result = wst_send_request(
+            None, None,
+            user_realm_result.get("cloud_audience_urn", "urn:federation:MicrosoftOnline"),
+            wstrust_endpoint.get("address",
+                                 # Fallback to an AAD supplied endpoint
+                                 user_realm_result.get("federation_active_auth_url")),
+            wstrust_endpoint.get("action"), self.http_client)
+        if not ("token" in wstrust_result and "type" in wstrust_result):
+            raise RuntimeError("Unsuccessful RSTR. %s" % wstrust_result)
+        GRANT_TYPE_SAML1_1 = 'urn:ietf:params:oauth:grant-type:saml1_1-bearer'
+        grant_type = {
+            SAML_TOKEN_TYPE_V1: GRANT_TYPE_SAML1_1,
+            SAML_TOKEN_TYPE_V2: self.client.GRANT_TYPE_SAML2,
+            WSS_SAML_TOKEN_PROFILE_V1_1: GRANT_TYPE_SAML1_1,
+            WSS_SAML_TOKEN_PROFILE_V2: self.client.GRANT_TYPE_SAML2
+        }.get(wstrust_result.get("type"))
+        if not grant_type:
+            raise RuntimeError(
+                "RSTR returned unknown token type: %s", wstrust_result.get("type"))
+        self.client.grant_assertion_encoders.setdefault(  # Register a non-standard type
+            grant_type, self.client.encode_saml_assertion)
+        return self.client.obtain_token_by_assertion(
+            wstrust_result["token"], grant_type, scope=scopes,
+            on_obtaining_tokens=lambda event: self.token_cache.add(dict(
+                event,
+                environment=self.authority.instance,
+                username=username,  # Useful in case IDT contains no such info
+            )),
+            **kwargs)
 
 class ConfidentialClientApplication(ClientApplication):  # server-side web app
     """Same as :func:`ClientApplication.__init__`,

msal/mex.py

@@ -53,6 +53,16 @@ def send_request(mex_endpoint, http_client, **kwargs):
             "Malformed MEX document: %s, %s", mex_resp.status_code, mex_resp.text)
         raise
 
+def send_request_iwa(mex_endpoint, http_client, **kwargs):
+    mex_resp = http_client.get(mex_endpoint, **kwargs)
+    mex_resp.raise_for_status()
+    try:
+        return Mex(mex_resp.text).get_wstrust_iwa_endpoint()
+    except ET.ParseError:
+        logger.exception(
+            "Malformed MEX document: %s, %s", mex_resp.status_code, mex_resp.text)
+        raise
+
 
 class Mex(object):
 
@@ -126,6 +136,14 @@ def _get_endpoints(self, bindings, policy_ids):
                         {"address": address.text, "action": binding["action"]})
         return endpoints
 
+    def get_wstrust_iwa_endpoint(self):
+        """Returns {"address": "https://...", "action": "the soapAction value"}"""
+        endpoints = self._get_endpoints(
+            self._get_bindings(), self._get_iwa_policy_ids())
+        for e in endpoints:
+            if e["action"] == self.ACTION_13:
+                return e  # Historically, we prefer ACTION_13 a.k.a. WsTrust13
+        return endpoints[0] if endpoints else None
     def get_wstrust_username_password_endpoint(self):
         """Returns {"address": "https://...", "action": "the soapAction value"}"""
         endpoints = self._get_endpoints(

msal/wstrust_request.py

@@ -37,6 +37,7 @@
 def send_request(
         username, password, cloud_audience_urn, endpoint_address, soap_action, http_client,
         **kwargs):
+    iwa = username is None and password is None
     if not endpoint_address:
         raise ValueError("WsTrust endpoint address can not be empty")
     if soap_action is None:
@@ -49,10 +50,18 @@ def send_request(
             "Contact your administrator to check your ADFS's MEX settings." % soap_action)
     data = _build_rst(
         username, password, cloud_audience_urn, endpoint_address, soap_action)
-    resp = http_client.post(endpoint_address, data=data, headers={
+    if iwa:
+        # Make request kerberized
+        from requests_kerberos import HTTPKerberosAuth, DISABLED
+        resp = http_client.post(endpoint_address, data=data, headers={
             'Content-type':'application/soap+xml; charset=utf-8',
             'SOAPAction': soap_action,
-            }, **kwargs)
+        }, auth=HTTPKerberosAuth(mutual_authentication=DISABLED), allow_redirects=True)
+    else:
+        resp = http_client.post(endpoint_address, data=data, headers={
+                'Content-type':'application/soap+xml; charset=utf-8',
+                'SOAPAction': soap_action,
+                }, **kwargs)
     if resp.status_code >= 400:
         logger.debug("Unsuccessful WsTrust request receives: %s", resp.text)
     # It turns out ADFS uses 5xx status code even with client-side incorrect password error
@@ -76,16 +85,11 @@ def wsu_time_format(datetime_obj):
 
 
 def _build_rst(username, password, cloud_audience_urn, endpoint_address, soap_action):
+    iwa = username is None and password is None
     now = datetime.utcnow()
-    return """<s:Envelope xmlns:s='{s}' xmlns:wsa='{wsa}' xmlns:wsu='{wsu}'>
-        <s:Header>
-            <wsa:Action s:mustUnderstand='1'>{soap_action}</wsa:Action>
-            <wsa:MessageID>urn:uuid:{message_id}</wsa:MessageID>
-            <wsa:ReplyTo>
-            <wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
-            </wsa:ReplyTo>
-            <wsa:To s:mustUnderstand='1'>{endpoint_address}</wsa:To>
-
+    _security_header = ""
+    if not iwa:
+        _security_header = """
             <wsse:Security s:mustUnderstand='1'
             xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'>
                 <wsu:Timestamp wsu:Id='_0'>
@@ -97,7 +101,21 @@ def _build_rst(username, password, cloud_audience_urn, endpoint_address, soap_ac
                     <wsse:Password>{password}</wsse:Password>
                 </wsse:UsernameToken>
             </wsse:Security>
-
+        """.format(
+            username = username,
+            password = escape_password(password),
+            time_now=wsu_time_format(now),
+            time_expire=wsu_time_format(now + timedelta(minutes=10)),
+        )
+    return """<s:Envelope xmlns:s='{s}' xmlns:wsa='{wsa}' xmlns:wsu='{wsu}'>
+        <s:Header>
+            <wsa:Action s:mustUnderstand='1'>{soap_action}</wsa:Action>
+            <wsa:MessageID>urn:uuid:{message_id}</wsa:MessageID>
+            <wsa:ReplyTo>
+            <wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
+            </wsa:ReplyTo>
+            <wsa:To s:mustUnderstand='1'>{endpoint_address}</wsa:To>
+            {security_header}
         </s:Header>
         <s:Body>
         <wst:RequestSecurityToken xmlns:wst='{wst}'>
@@ -114,9 +132,6 @@ def _build_rst(username, password, cloud_audience_urn, endpoint_address, soap_ac
             s=Mex.NS["s"], wsu=Mex.NS["wsu"], wsa=Mex.NS["wsa10"],
             soap_action=soap_action, message_id=str(uuid.uuid4()),
             endpoint_address=endpoint_address,
-            time_now=wsu_time_format(now),
-            time_expire=wsu_time_format(now + timedelta(minutes=10)),
-            username=username, password=escape_password(password),
             wst=Mex.NS["wst"] if soap_action == Mex.ACTION_13 else Mex.NS["wst2005"],
             applies_to=cloud_audience_urn,
             key_type='http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer'
@@ -125,5 +140,6 @@ def _build_rst(username, password, cloud_audience_urn, endpoint_address, soap_ac
             request_type='http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue'
                 if soap_action == Mex.ACTION_13 else
                 'http://schemas.xmlsoap.org/ws/2005/02/trust/Issue',
+            security_header=_security_header
         )