Reputation: 1312
I have successfully set up this website sample code using MSAL for Python. This example works with the Microsoft Graph API permissions in Azure AD, asks the user to give consent and gets the expected result, which looks similar to:
    {
        "token_type": "Bearer",
        "access_token": "eyJ0...",
        "refresh_token": "OAQ...",
        "id_token": "eyJ...",
        ...
        "id_token_claims": {
            "aud": "289...",
            "iss": "https://login.microsoftonline.com/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/v2.0",
            "iat": 1559626249,
            "nbf": 1559626249,
            "exp": 1559630149,
            "aio": "ATQ...",
            "name": "Cloud IDLAB Basic User",
            "oid": "9f4...",
            "preferred_username": "[email protected]",
            "sub": "4mB...",
            "tid": "f64...",
            "uti": "91H...",
            "ver": "2.0"
        }
    }
My configuration is the same as the sample code but with my own Azure AD client_secret and client_id:
    {
        "authority": "https://login.microsoftonline.com/organizations",
        "client_id": "my_client_id",
        "scope": ["https://graph.microsoft.com/.default"],
        "redirect_uri": "http://localhost:5000/getAToken",
        "client_secret": "mysecret"
    }
What I hope to do is only use MSAL to authenticate a user. In this case all I need is the id_token. Thanks to MSAL I can use the id_token_claims from the result (see the example above), which are the validated and decoded id_token claims.
Is this the correct way to use MSAL to authenticate a user? I do not need an access_token because I'm not wanting to call any other APIs.
It feels a little weird that I'm making a request that includes an access_token for Microsoft Graph in its response but not making a call to the Graph API (as is done in this ADAL sample).
It may be completely legit that MSAL is returning everything that someone may need regardless of whether they use it. I just want to be sure that I'm using MSAL properly. Maybe my scope should be different (e.g. my client_id, maybe, based on the comments in the code)?
Upvotes: 3
Views: 21913
Reputation: 871
That is a correct way to authenticate a user, and I understand why it might feel odd.
The reason you're getting an access token, an ID token and a refresh token is because of the flow you're using. My suggestion is to review the flows for a better understanding of how the authentication process works and what will be returned accordingly.
See the official docs here: https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios
For more information about the Python MSAL library specifically, see here: https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki
I'd also like to clarify that ADAL and MSAL are different libraries, as the MSAL library hits the V2.0 endpoint and ADAL uses the v1.0 endpoint.
Many different authentication types and scenarios are also described in the doc here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-app-types
One of which describes the scenario where only the ID_token is returned. However the issue here is that I don't believe the Python MSAL library has properly implemented this flow as of yet.
So if you're getting an access token that doesn't have any permissions and you're getting the ID_token with said Python MSAL library, that solution should be fine for your application to validate the user is who they say they are.
However, if you are trying to be closer to the spec and have a cleaner implementation, you might want to explore the different OAuth2 flows available per the Microsoft docs.
In addition to that, the RFC describes the OAuth2 protocol in closer detail as well: https://www.rfc-editor.org/rfc/rfc6749
Upvotes: 2
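The question relies on id_token_claims to identify the user, and the answer says that is fine for validating who the user is. The example below (added here, not code from the question, the answer or the MSAL project) shows the relying-party checks an app that uses only the ID token should still make on that dict before treating the user as signed in: the exchange succeeded, the token was issued for this client_id, the tenant is one the app accepts (the /organizations authority from the question's config admits any Azure AD tenant, so tid must be checked), the issuer matches that tenant, and the token is inside its validity window. The sample result dict and the allowed-tenant set are constructed from the shape shown in the question; the function name is the example's own.

```python
import time

# Constructed sample of the result dict MSAL returns after the auth-code
# exchange (shape copied from the question; values are placeholders).
SAMPLE_RESULT = {
    "token_type": "Bearer",
    "access_token": "eyJ0...",
    "id_token": "eyJ...",
    "id_token_claims": {
        "aud": "my_client_id",
        "iss": "https://login.microsoftonline.com/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/v2.0",
        "iat": 1559626249,
        "nbf": 1559626249,
        "exp": 1559630149,
        "name": "Cloud IDLAB Basic User",
        "oid": "9f4...",
        "preferred_username": "user@example.com",
        "sub": "4mB...",
        "tid": "f645ad92-e38d-4d1a-b510-d1b09a74a8ca",
        "ver": "2.0",
    },
}

# v2.0 endpoint issuer format: the tenant id is embedded in the issuer URL.
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"


def user_from_msal_result(result, client_id, allowed_tenants, now=None, skew=300):
    """Return the signed-in user's identity from an MSAL result, or raise ValueError."""
    if "error" in result:  # MSAL reports a failed exchange via error/error_description keys
        raise ValueError("token request failed: %s" % result.get("error_description", result["error"]))
    claims = result.get("id_token_claims")
    if not claims:
        raise ValueError("no id_token_claims in result")
    if claims.get("aud") != client_id:
        raise ValueError("id_token was not issued for this application")
    tid = claims.get("tid")
    if tid not in allowed_tenants:  # /organizations lets any tenant sign in; the app must decide
        raise ValueError("tenant %r is not allowed to sign in" % tid)
    if claims.get("iss") != ISSUER_TEMPLATE.format(tid=tid):
        raise ValueError("issuer does not match the tenant claim")
    now = time.time() if now is None else now
    if now < claims.get("nbf", 0) - skew or now > claims.get("exp", 0) + skew:
        raise ValueError("id_token is outside its validity window")
    if not claims.get("oid"):
        raise ValueError("id_token has no oid claim")
    # oid + tid is the stable identity; preferred_username can be renamed.
    return {"tenant": tid, "oid": claims["oid"], "name": claims.get("name"),
            "username": claims.get("preferred_username")}
```

Keying sessions on the (tid, oid) pair rather than on preferred_username avoids mixing up accounts when a user's UPN changes.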