
Pass additional headers to acquire_token_interactive

Open andresperezl opened this issue 2 years ago • 5 comments

Allow passing additional headers to the acquire_token_interactive method, so they don't clash with the ones generated from telemetry_context.generate_headers().

andresperezl (Mar 03 '23 03:03)

Would you please also let us know what header you are trying to send, and in what scenario that is useful?

rayluo (Mar 03 '23 17:03)

It is basically this same problem https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2482 where, when running the script locally, you get the error

AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests.

And the solution is to pass the missing header Origin, but trying to set the header in the kwargs conflicts with the telemetry headers.

andresperezl (Mar 04 '23 00:03)

SPA? Was that because your app's redirect_uri was registered as a SPA? Normally a Python-powered script should be either a desktop app or a web app, and then you probably would not run into this. Not sure whether you can add http://localhost as a desktop redirect URI for your app. You can try and let us know whether it makes a difference.

rayluo (Mar 06 '23 17:03)

Sometimes you don't have access to the app configuration, which can happen even with different teams within the same company. If it can be done with the JavaScript implementation of the library, why not with the Python one?

andresperezl (Mar 14 '23 17:03)

Not a PY scenario; it can probably be done by HTTP client customization if really needed.

bgavrilMS (Nov 20 '23 22:11)

> Sometimes you don't have access to the app configuration, which can happen even with different teams within the same company. If it can be done with the JavaScript implementation of the library, why not with the Python one?

Our understanding is that a SPA app running inside a browser would have the browser automatically set that Origin header for you, and the Microsoft Entra ID backend apparently verifies that Origin header. Now, if you are using Python to impersonate that SPA app and running outside of a browser, mimicking an Origin header may bypass that Entra backend check; however, we do not know its security implication. For that reason, we hesitate to take this PR. Closing it for now; we may revisit it in the future when/if the need arises again.

rayluo (May 10 '24 06:05)