
Fix the PoP flow in the console app#887

Open

PetarSDimov wants to merge 2 commits into dev from fix-pop-flow-in-test-app

Conversation

@PetarSDimov

Currently the console app sends both PoP parameters (see placeholder_auth_scheme definition) and also passes req_cnf and token type. These parameters are not compatible. If the application passes PoP parameters, then MSAL (or the broker) owns the key and does the signing of the SHR. If the application passes req_cnf, then the application owns the key and creates and signs the SHR, so in this case it should not pass PoP parameters.

The main flow is the first one - application passes only PoP parameters and either MSAL or the broker owns the key and generates the SHR.
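The two flows the description distinguishes, as an added example that is not part of the PR or of MSAL Python: a guard that classifies a request by who owns the PoP key, rejects the mixed shape the console app was sending, and checks the returned token_type the way the tester does. The function names are hypothetical; the kwargs `auth_scheme` and `data` and the keys `req_cnf`, `token_type` and `key_id` are the ones named on this page.

```python
# Added example (not code from the PR or from MSAL Python). Function names are
# hypothetical; auth_scheme/data and req_cnf/token_type/key_id come from the PR.

# Keys of the removed _POP_DATA payload: their presence means the application
# owns the key and will build and sign the SHR itself.
APP_OWNED_KEY_PARAMS = ("req_cnf", "token_type", "key_id")

MSAL_OWNS_KEY = "msal_or_broker_owns_key"   # auth_scheme only (the main flow)
APP_OWNS_KEY = "app_owns_key"               # req_cnf (+ token_type/key_id) only
BEARER = "bearer"                           # neither: an ordinary bearer token


def pop_conflict(auth_scheme=None, data=None):
    """Describe the incompatible combination, or return None if the request is consistent."""
    present = [k for k in APP_OWNED_KEY_PARAMS if k in (data or {})]
    if auth_scheme is not None and present:
        return ("auth_scheme hands the key to MSAL/broker, but data also carries "
                + ", ".join(present) + ", which means the app owns the key")
    return None


def classify_pop_request(auth_scheme=None, data=None):
    """Decide which side owns the PoP key for a given set of request kwargs."""
    conflict = pop_conflict(auth_scheme, data)
    if conflict:
        raise ValueError(conflict)
    if auth_scheme is not None:
        return MSAL_OWNS_KEY
    if any(k in (data or {}) for k in APP_OWNED_KEY_PARAMS):
        return APP_OWNS_KEY
    return BEARER


def check_pop_result(result, model):
    """True when the token_type in an MSAL result dict matches the requested model.

    Both PoP models yield token_type "pop"; a plain request yields "Bearer".
    """
    expected = BEARER if model == BEARER else "pop"
    return str(result.get("token_type", "")).lower() == expected


def safe_pop_kwargs(auth_scheme=None, data=None):
    """Kwargs to forward to acquire_token_interactive: when an auth_scheme is
    supplied, strip the app-owned-key parameters instead of sending both."""
    if auth_scheme is None:
        return {"data": data}
    cleaned = {k: v for k, v in (data or {}).items() if k not in APP_OWNED_KEY_PARAMS}
    return {"auth_scheme": auth_scheme, "data": cleaned or None}
```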

@PetarSDimov PetarSDimov requested a review from a team as a code owner March 16, 2026 18:06
Copilot AI review requested due to automatic review settings March 16, 2026 18:06

Copilot AI left a comment


Pull request overview

This PR updates the MSAL Python console tester’s PoP interactive flow to avoid sending incompatible PoP request inputs simultaneously (PoP auth scheme parameters vs. req_cnf/token type), aligning the sample with the intended “MSAL/broker owns the key and generates the SHR” model.

Changes:

  • Removes the hardcoded PoP data payload (including req_cnf) previously passed to the interactive PoP acquisition flow.
  • Updates _acquire_pop_token_interactive() to call _acquire_token_interactive() without PoP data.


assert isinstance(app, msal.PublicClientApplication)
POP_SCOPE = ['6256c85f-0aad-4d50-b960-e6e9b21efe35/.default'] # KAP 1P Server App Scope, obtained from https://github.com/Azure/azure-cli-extensions/pull/4468/files#diff-a47efa3186c7eb4f1176e07d0b858ead0bf4a58bfd51e448ee3607a5b4ef47f6R116
result = _acquire_token_interactive(app, scopes=POP_SCOPE, data=_POP_DATA)
result = _acquire_token_interactive(app, scopes=POP_SCOPE)
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 16, 2026 18:10

Copilot AI left a comment


Pull request overview

This PR updates the MSAL Python console tester’s PoP acquisition flow to avoid sending mutually exclusive PoP request parameters, aligning the sample with the intended “MSAL/broker owns the key” PoP flow.

Changes:

  • Removed the sample _POP_DATA payload that included req_cnf, token_type, and key_id.
  • Updated the PoP interactive helper to call the generic interactive acquisition without the incompatible payload.


Comment on lines 195 to 198
POP_SCOPE = ['6256c85f-0aad-4d50-b960-e6e9b21efe35/.default'] # KAP 1P Server App Scope, obtained from https://github.com/Azure/azure-cli-extensions/pull/4468/files#diff-a47efa3186c7eb4f1176e07d0b858ead0bf4a58bfd51e448ee3607a5b4ef47f6R116
result = _acquire_token_interactive(app, scopes=POP_SCOPE, data=_POP_DATA)
print_json(result)
result = _acquire_token_interactive(app, scopes=POP_SCOPE)
if result.get("token_type") != "pop":
logging.error("Unable to acquire a pop token")
"""Acquire a POP token interactively - This typically only works with Azure CLI"""
assert isinstance(app, msal.PublicClientApplication)
POP_SCOPE = ['6256c85f-0aad-4d50-b960-e6e9b21efe35/.default'] # KAP 1P Server App Scope, obtained from https://github.com/Azure/azure-cli-extensions/pull/4468/files#diff-a47efa3186c7eb4f1176e07d0b858ead0bf4a58bfd51e448ee3607a5b4ef47f6R116
result = _acquire_token_interactive(app, scopes=POP_SCOPE, data=_POP_DATA)
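Review bot: with data=_POP_DATA dropped, nothing in this hunk passes an auth scheme, so unless _acquire_token_interactive supplies one itself the call requests a plain Bearer token and the `if result.get("token_type") != "pop":` check right below it will log "Unable to acquire a pop token". Consider passing `auth_scheme=placeholder_auth_scheme` here, matching the `interactive_and_silent(scopes=[SCOPE_ARM], auth_scheme=placeholder_auth_scheme, data=None, expected_token_type="pop")` call elsewhere in the tester, and add a comment saying that req_cnf/token_type belong only to the flow where the application owns the key and signs the SHR.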
Contributor


If you removed _POP_DATA, can you leave some comments/instructions on how to construct POP parameters?
Also, can you validate if the parameters are good in this test?

scopes=[SCOPE_ARM], auth_scheme=placeholder_auth_scheme, data=None, expected_token_type="pop")
interactive_and_silent(
