From 7d9ccd55069383f762b96614cecc10e2b924b118 Mon Sep 17 00:00:00 2001
From: Petar Dimov
Date: Mon, 16 Mar 2026 10:56:46 -0700
Subject: [PATCH 1/2] Fix PoP flow in the test app

Currently the test app sends both PoP parameters (see placeholder_auth_scheme definition) and also passes req_cnf and token type. There parameters are not compatible. If application passes PoP parameters, then MSAL (or the broker) owns the key and does the signing of the SHR. If application passes req_cnf, then application owns the key and creates and signs the SHR, so in this case it should not pass PoP parameters. The main flow is the first one - application passes only PoP parameters and either MSAL or the broker owns the key and generates the SHR.
---
 msal/__main__.py | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/msal/__main__.py b/msal/__main__.py
index a28801eb..3b7ca8be 100644
--- a/msal/__main__.py
+++ b/msal/__main__.py
@@ -189,20 +189,11 @@ def _acquire_ssh_cert_interactive(app):
     if result.get("token_type") != "ssh-cert":
         logging.error("Unable to acquire an ssh-cert")
 
-_POP_KEY_ID = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-AAAAAAAA' # Fake key with a certain format and length
-_RAW_REQ_CNF = json.dumps({"kid": _POP_KEY_ID, "xms_ksl": "sw"})
-_POP_DATA = { # Sampled from Azure CLI's plugin connectedk8s
-    'token_type': 'pop',
-    'key_id': _POP_KEY_ID,
-    "req_cnf": base64.urlsafe_b64encode(_RAW_REQ_CNF.encode('utf-8')).decode('utf-8').rstrip('='),
-    # Note: Sending _RAW_REQ_CNF without base64 encoding would result in an http 500 error
-} # See also https://github.com/Azure/azure-cli-extensions/blob/main/src/connectedk8s/azext_connectedk8s/_clientproxyutils.py#L86-L92
-
 def _acquire_pop_token_interactive(app):
     """Acquire a POP token interactively - This typically only works with Azure CLI"""
     assert isinstance(app, msal.PublicClientApplication)
     POP_SCOPE = ['6256c85f-0aad-4d50-b960-e6e9b21efe35/.default'] # KAP 1P Server App Scope, obtained from https://github.com/Azure/azure-cli-extensions/pull/4468/files#diff-a47efa3186c7eb4f1176e07d0b858ead0bf4a58bfd51e448ee3607a5b4ef47f6R116
-    result = _acquire_token_interactive(app, scopes=POP_SCOPE, data=_POP_DATA)
+    result = _acquire_token_interactive(app, scopes=POP_SCOPE)
     print_json(result)
     if result.get("token_type") != "pop":
         logging.error("Unable to acquire a pop token")

From 145ffc164c5abe4d5fbf7062b1f43899a16ab84a Mon Sep 17 00:00:00 2001
From: PetarSDimov
Date: Mon, 16 Mar 2026 11:10:37 -0700
Subject: [PATCH 2/2] Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 msal/__main__.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/msal/__main__.py b/msal/__main__.py
index 3b7ca8be..5cb08206 100644
--- a/msal/__main__.py
+++ b/msal/__main__.py
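Review bot: With `data=_POP_DATA` gone, `_acquire_pop_token_interactive` no longer records how the PoP request is actually made, because the only explanation (the `_POP_DATA` comments and the connectedk8s link) was deleted with it; the docstring should now carry that, e.g. `"""Acquire a POP token interactively - This typically only works with Azure CLI. The PoP parameters come from the app-level auth scheme (see placeholder_auth_scheme); do not pass req_cnf/token_type here, since that would make the caller the key owner and signer."""`. The removed block was presumably the only user of `json` and `base64` in this module; if so, those imports are now dead and should be dropped as well, but the import block is outside the hunk. The function body appears to be complete within the hunk.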
@@ -194,7 +194,6 @@ def _acquire_pop_token_interactive(app):
     assert isinstance(app, msal.PublicClientApplication)
     POP_SCOPE = ['6256c85f-0aad-4d50-b960-e6e9b21efe35/.default'] # KAP 1P Server App Scope, obtained from https://github.com/Azure/azure-cli-extensions/pull/4468/files#diff-a47efa3186c7eb4f1176e07d0b858ead0bf4a58bfd51e448ee3607a5b4ef47f6R116
     result = _acquire_token_interactive(app, scopes=POP_SCOPE)
-    print_json(result)
     if result.get("token_type") != "pop":
         logging.error("Unable to acquire a pop token")
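Review bot: Dropping `print_json(result)` stops the full token response (access token included) from being written to stdout, but it also leaves the success path completely silent, so a user of the test app cannot tell whether a PoP token was acquired. Consider a non-sensitive confirmation in an `else` branch, e.g. `else: logging.info("Acquired a pop token (token_type=%s)", result.get("token_type"))`, or print the result with the `access_token` value redacted. If the other `_acquire_*_interactive` helpers in this module still print the raw result, the same finding would apply to them, but they are not visible here. The `def` line of this function is outside the hunk.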