Merge pull request #173 from AzureAD/nonce-in-msal

Specifying and validating nonce in auth code flow

Author: rayluo

msal/application.py

@@ -229,6 +229,7 @@ def get_authorization_request_url(
             redirect_uri=None,
             response_type="code",  # Can be "token" if you use Implicit Grant
             prompt=None,
+            nonce=None,
             **kwargs):
         """Constructs a URL for you to start a Authorization Code Grant.
 
@@ -247,6 +248,9 @@ def get_authorization_request_url(
             You will have to specify a value explicitly.
             Its valid values are defined in Open ID Connect specs
             https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+        :param nonce:
+            A cryptographically random value used to mitigate replay attacks. See also
+            `OIDC specs <https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest>`_.
         :return: The authorization url as a string.
         """
         """ # TBD: this would only be meaningful in a new acquire_token_interactive()
@@ -276,6 +280,7 @@ def get_authorization_request_url(
             redirect_uri=redirect_uri, state=state, login_hint=login_hint,
             prompt=prompt,
             scope=decorate_scope(scopes, self.client_id),
+            nonce=nonce,
             )
 
     def acquire_token_by_authorization_code(
@@ -286,6 +291,7 @@ def acquire_token_by_authorization_code(
                 # REQUIRED, if the "redirect_uri" parameter was included in the
                 # authorization request as described in Section 4.1.1, and their
                 # values MUST be identical.
+            nonce=None,
             **kwargs):
         """The second half of the Authorization Code Grant.
 
@@ -306,6 +312,11 @@ def acquire_token_by_authorization_code(
             So the developer need to specify a scope so that we can restrict the
             token to be issued for the corresponding audience.
 
+        :param nonce:
+            If you provided a nonce when calling :func:`get_authorization_request_url`,
+            same nonce should also be provided here, so that we'll validate it.
+            An exception will be raised if the nonce in id token mismatches.
+
         :return: A dict representing the json response from AAD:
 
             - A successful response would contain "access_token" key,
@@ -326,6 +337,7 @@ def acquire_token_by_authorization_code(
                 CLIENT_CURRENT_TELEMETRY: _build_current_telemetry_request_header(
                     self.ACQUIRE_TOKEN_BY_AUTHORIZATION_CODE_ID),
                 },
+            nonce=nonce,
             **kwargs)
 
     def get_accounts(self, username=None):

tests/test_e2e.py

@@ -19,12 +19,12 @@ def _get_app_and_auth_code(
         authority="https://login.microsoftonline.com/common",
         port=44331,
         scopes=["https://graph.microsoft.com/.default"],  # Microsoft Graph
-        ):
+        **kwargs):
     from msal.oauth2cli.authcode import obtain_auth_code
     app = msal.ClientApplication(client_id, client_secret, authority=authority)
     redirect_uri = "http://localhost:%d" % port
     ac = obtain_auth_code(port, auth_uri=app.get_authorization_request_url(
-        scopes, redirect_uri=redirect_uri))
+        scopes, redirect_uri=redirect_uri, **kwargs))
     assert ac is not None
     return (app, ac, redirect_uri)
 
@@ -124,20 +124,20 @@ def test_username_password(self):
         self.skipUnlessWithConfig(["client_id", "username", "password", "scope"])
         self._test_username_password(**self.config)
 
-    def _get_app_and_auth_code(self):
+    def _get_app_and_auth_code(self, **kwargs):
         return _get_app_and_auth_code(
             self.config["client_id"],
             client_secret=self.config.get("client_secret"),
             authority=self.config.get("authority"),
             port=self.config.get("listen_port", 44331),
             scopes=self.config["scope"],
-            )
+            **kwargs)
 
-    def test_auth_code(self):
+    def _test_auth_code(self, auth_kwargs, token_kwargs):
         self.skipUnlessWithConfig(["client_id", "scope"])
-        (self.app, ac, redirect_uri) = self._get_app_and_auth_code()
+        (self.app, ac, redirect_uri) = self._get_app_and_auth_code(**auth_kwargs)
         result = self.app.acquire_token_by_authorization_code(
-            ac, self.config["scope"], redirect_uri=redirect_uri)
+            ac, self.config["scope"], redirect_uri=redirect_uri, **token_kwargs)
         logger.debug("%s.cache = %s",
             self.id(), json.dumps(self.app.token_cache._cache, indent=4))
         self.assertIn(
@@ -148,6 +148,18 @@ def test_auth_code(self):
                 error_description=result.get("error_description")))
         self.assertCacheWorksForUser(result, self.config["scope"], username=None)
 
+    def test_auth_code(self):
+        self._test_auth_code({}, {})
+
+    def test_auth_code_with_matching_nonce(self):
+        self._test_auth_code({"nonce": "foo"}, {"nonce": "foo"})
+
+    def test_auth_code_with_mismatching_nonce(self):
+        self.skipUnlessWithConfig(["client_id", "scope"])
+        (self.app, ac, redirect_uri) = self._get_app_and_auth_code(nonce="foo")
+        with self.assertRaises(ValueError):
+            self.app.acquire_token_by_authorization_code(
+                ac, self.config["scope"], redirect_uri=redirect_uri, nonce="bar")
 
     def test_ssh_cert(self):
         self.skipUnlessWithConfig(["client_id", "scope"])