@cdeler cdeler commented Oct 21, 2020

Having enabled Auth Code Grant Flow for SPA in our project, we broke
Device Code flow for the Azure app. The only way to fix this error is to
pass an extra "Origin" header to this endpoint
https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token

After that the app initialisation might look like:

import msal  # extra_headers is the parameter proposed in this PR; client_id, authority and scopes are defined elsewhere

application = msal.PublicClientApplication(
    client_id,
    authority=authority,
    extra_headers={"Origin": "http://example.com"})
flow = application.initiate_device_flow(scopes=scopes)

@cdeler cdeler mentioned this pull request Oct 21, 2020

rayluo commented Oct 30, 2020

Hi @cdeler , thanks for bringing this to our attention. While your implementation in this PR looks straightforward, we want to better understand the background of this change, i.e. how to reproduce the issue you encountered.


cdeler commented Nov 2, 2020

The root cause

Hello @rayluo

> When you said you "enable Auth Code Grant Flow for SPA", did you mean you follow these "Migrate javascript SPA from implicit grant to auth code flow" instructions?

Yes. Some context:
We have an application. We need to have an access to the application using both device flow & from web UI.

Updating the Azure AD application to SPA in the UI causes an additional ("Origin") header requirement in requests to https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token.

In both examples below I get the same error: "Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests"

Code examples:

For now we are unable to either run the device flow or issue an "access_token" using a given "refresh_token" (well, it's possible with some monkey-patching, but it's awful):

Example 1

import pprint

import msal

# application, scopes are set up elsewhere; the PublicClientApplication is created as shown above
assert isinstance(application, msal.PublicClientApplication)
flow = application.initiate_device_flow(scopes=scopes)
if "user_code" not in flow:
    raise RuntimeError(f"ERROR, Unable to create device flow. Error: {pprint.pformat(flow)}")

print(flow["message"])  # tells the user where to go and which code to enter
input("Press any key to continue...")
token = application.acquire_token_by_device_flow(flow)  # polls the token endpoint until sign-in completes
# do something with token

Example 2:

import msal

assert isinstance(application, msal.PublicClientApplication)
refresh_token = {"credential_type": "RefreshToken", "refresh_token": "<put_your_refresh_token_here>"}
# goes through the underlying OAuth2 client directly, bypassing the MSAL token cache
token = application.client.obtain_token_by_refresh_token(refresh_token, scope=scopes)
# do something with token
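
As an added example that is not part of this PR, of the thread, or of MSAL's own code: a minimal RFC 8628 device-code client run against a constructed in-process stand-in for the AAD v2.0 devicecode and token endpoints. The stand-in reproduces the behaviour the comment above describes (a device-code redemption with no Origin header is rejected with the quoted message) and can be switched to the post-fix behaviour, so the same client shows the failure, the Origin workaround, and the flow working after the service fix. The "invalid_request" error code, the fake device/user codes, the local URLs and the number of "authorization_pending" polls are all assumptions; extra_headers here is a plain dict merged into every request, not the MSAL constructor argument this PR proposes.

```python
import json
import threading
import time
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# RFC 8628 grant type sent when polling the token endpoint.
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# Error text quoted in the thread; pairing it with "invalid_request" is an assumption.
SPA_ERROR = ("Tokens issued for the 'Single-Page Application' client-type "
             "may only be redeemed via cross-origin requests")


class FakeAadHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for /oauth2/v2.0/devicecode and /oauth2/v2.0/token.

    With require_origin=True it mimics the reported breakage: a device-code
    redemption without an Origin header is rejected. With False it mimics the
    service after the fix described later in the thread.
    """
    require_origin = True
    polls = {}  # device_code -> number of token polls seen so far

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = dict(urllib.parse.parse_qsl(self.rfile.read(length).decode()))
        if self.path.endswith("/devicecode"):
            status, body = 200, {
                "device_code": "dev-123", "user_code": "ABCD1234",
                "verification_uri": "https://example.invalid/devicelogin",
                "expires_in": 900, "interval": 0,  # 0 so the demo does not sleep
                "message": "Visit https://example.invalid/devicelogin and enter ABCD1234"}
        elif self.path.endswith("/token") and form.get("grant_type") == DEVICE_CODE_GRANT:
            if self.require_origin and "Origin" not in self.headers:
                status, body = 400, {"error": "invalid_request", "error_description": SPA_ERROR}
            else:
                n = self.polls[form["device_code"]] = self.polls.get(form["device_code"], 0) + 1
                if n < 3:  # user has not finished signing in yet (assumed: 2 pending polls)
                    status, body = 400, {"error": "authorization_pending"}
                else:
                    status, body = 200, {"token_type": "Bearer", "expires_in": 3600,
                                         "access_token": "eyJ.constructed.token"}
        else:
            status, body = 400, {"error": "unsupported_grant_type"}
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


def start_fake_aad(require_origin=True):
    """Serve the fake endpoints on a random local port; returns (server, authority URL)."""
    FakeAadHandler.require_origin = require_origin
    FakeAadHandler.polls = {}
    server = HTTPServer(("127.0.0.1", 0), FakeAadHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/common"


def post_form(url, form, extra_headers=None):
    """POST a form and return the JSON body for both 2xx and 4xx responses."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    for name, value in (extra_headers or {}).items():  # e.g. the Origin workaround
        req.add_header(name, value)
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:  # AAD returns OAuth errors as 400 + JSON
        return json.load(err)


def run_device_flow(authority, client_id, scopes, extra_headers=None, max_polls=10):
    """RFC 8628 device flow: request a code, then poll the token endpoint.

    Returns the final token-endpoint JSON (a token or a terminal error) so the
    caller can inspect the SPA rejection instead of catching an exception.
    """
    dc = post_form(f"{authority}/oauth2/v2.0/devicecode",
                   {"client_id": client_id, "scope": " ".join(scopes)}, extra_headers)
    if "device_code" not in dc:
        raise RuntimeError(f"device authorization failed: {dc}")
    interval = dc.get("interval", 5)
    for _ in range(max_polls):
        tok = post_form(f"{authority}/oauth2/v2.0/token",
                        {"grant_type": DEVICE_CODE_GRANT, "client_id": client_id,
                         "device_code": dc["device_code"]}, extra_headers)
        error = tok.get("error")
        if error == "authorization_pending":
            time.sleep(interval)
        elif error == "slow_down":  # RFC 8628 section 3.5: back off by 5 seconds
            interval += 5
            time.sleep(interval)
        else:
            return tok  # token, or a terminal error such as the SPA rejection
    raise TimeoutError("user did not complete sign-in in time")


if __name__ == "__main__":
    server, authority = start_fake_aad(require_origin=True)
    print(run_device_flow(authority, "client-id", ["User.Read"]))  # rejected, no Origin
    print(run_device_flow(authority, "client-id", ["User.Read"],
                          extra_headers={"Origin": "http://example.com"}))  # token
    server.shutdown()
```

The point to check against a real tenant is the third branch of the polling loop: only "authorization_pending" and "slow_down" mean "keep polling"; anything else, including the SPA rejection above, is terminal, and retrying it only burns the device code's lifetime.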


rayluo commented Nov 6, 2020

Posted at 2020-11-6: @cdeler , since this PR unblocks you, you can stick with it for a longer time. Meanwhile, our team is investigating this, to see why/whether this workaround is needed in the first place. We will reply back to this issue when new findings become available.

Update at 2020-11-17: We confirm that the Device Flow should not be affected by SPA. A bugfix will be deployed in the near future (while coordinating with the lockdown period during the holiday season). A new update will be posted in this thread. (Note: This is an internal workitem of this issue.)


cdeler commented Nov 6, 2020

@rayluo thank you

I have a workaround, so I'll be waiting for any updates :-)

Anyway, I can provide you with additional details if you need anything from my side.


rayluo commented Jan 12, 2021

@cdeler I'm told that the fix for this has been rolled out on the service, so your existing Device Flow app should now work without needing the workaround. Please verify. This PR will soon be closed without merging.


cdeler commented Jan 13, 2021

@rayluo
I confirm that the device flow works without updating the headers.

Thank you 🎉 🚀

@rayluo rayluo closed this Jan 13, 2021