Enable broker support on Linux for WSL

msal/__main__.py

@@ -300,6 +300,7 @@ def _main():
         instance_discovery=instance_discovery,
         enable_broker_on_windows=enable_broker,
         enable_broker_on_mac=enable_broker,
+        enable_broker_on_linux=enable_broker,
         enable_pii_log=enable_pii_log,
         token_cache=global_cache,
         ) if not is_cca else msal.ConfidentialClientApplication(

msal/application.py

@@ -21,7 +21,7 @@
 from .throttled_http_client import ThrottledHttpClient
 from .cloudshell import _is_running_in_cloud_shell
 from .sku import SKU, __version__
-
+from .oauth2cli.authcode import is_wsl
 
 
 logger = logging.getLogger(__name__)
@@ -164,6 +164,8 @@ def _preferred_browser():
             pass  # We may still proceed
     return None
 
+def _is_ssh_cert_or_pop_request(token_type, auth_scheme) -> bool:
+    return token_type == "ssh-cert" or token_type == "pop" or isinstance(auth_scheme, msal.auth_scheme.PopAuthScheme)
 
 class _ClientWithCcsRoutingInfo(Client):
 
@@ -705,7 +707,7 @@ def _decide_broker(self, allow_broker, enable_pii_log):
 
     def is_pop_supported(self):
         """Returns True if this client supports Proof-of-Possession Access Token."""
-        return self._enable_broker
+        return self._enable_broker and sys.platform in ("win32", "darwin")
 
     def _decorate_scope(
             self, scopes,
@@ -1577,10 +1579,12 @@ def _acquire_token_silent_from_cache_and_possibly_refresh_it(
                     raise ValueError("auth_scheme is not supported in Cloud Shell")
                 return self._acquire_token_by_cloud_shell(scopes, data=data)
 
+            is_ssh_cert_or_pop_request = _is_ssh_cert_or_pop_request(data.get("token_type"), auth_scheme)
+
             if self._enable_broker and account and account.get("account_source") in (
                 _GRANT_TYPE_BROKER,  # Broker successfully established this account previously.
                 None,  # Unknown data from older MSAL. Broker might still work.
-            ):
+            ) and (sys.platform in ("win32", "darwin") or not is_ssh_cert_or_pop_request):
                 from .broker import _acquire_token_silently
                 response = _acquire_token_silently(
                     "https://{}/{}".format(self.authority.instance, self.authority.tenant),
@@ -1827,7 +1831,7 @@ def acquire_token_by_username_password(
         """
         claims = _merge_claims_challenge_and_capabilities(
                 self._client_capabilities, claims_challenge)
-        if self._enable_broker:
+        if self._enable_broker and sys.platform in ("win32", "darwin"):
             from .broker import _signin_silently
             response = _signin_silently(
                 "https://{}/{}".format(self.authority.instance, self.authority.tenant),
@@ -1924,13 +1928,15 @@ def __init__(
         *,
         enable_broker_on_windows=None,
         enable_broker_on_mac=None,
+        enable_broker_on_linux=None,
+        enable_broker_on_wsl=None,
         **kwargs):
         """Same as :func:`ClientApplication.__init__`,
         except that ``client_credential`` parameter shall remain ``None``.
 
         .. note::
 
-            You may set enable_broker_on_windows and/or enable_broker_on_mac to True.
+            You may set enable_broker_on_windows and/or enable_broker_on_mac and/or enable_broker_on_linux and/or enable_broker_on_wsl to True.
 
             **What is a broker, and why use it?**
 
@@ -1958,9 +1964,11 @@ def __init__(
                  if your app is expected to run on Windows 10+
                * ``msauth.com.msauth.unsignedapp://auth``
                  if your app is expected to run on Mac
+               * ``ms-appx-web://Microsoft.AAD.BrokerPlugin/your_client_id``
+                 if your app is expected to run on Linux, especially WSL
 
             2. installed broker dependency,
-               e.g. ``pip install msal[broker]>=1.31,<2``.
+               e.g. ``pip install msal[broker]>=1.32,<2``.
 
             3. tested with ``acquire_token_interactive()`` and ``acquire_token_silent()``.
 
@@ -1998,12 +2006,27 @@ def __init__(
             This parameter defaults to None, which means MSAL will not utilize a broker.
 
             New in MSAL Python 1.31.0.
+
+        :param boolean enable_broker_on_linux:
+            This setting is only effective if your app is running on Linux.
+            This parameter defaults to None, which means MSAL will not utilize a broker.
+
+            New in MSAL Python 1.32.0. 
+
+        :param boolean enable_broker_on_wsl:
+            This setting is only effective if your app is running on WSL.
+            This parameter defaults to None, which means MSAL will not utilize a broker.
+
+            New in MSAL Python 1.32.0.
         """
         if client_credential is not None:
             raise ValueError("Public Client should not possess credentials")
+
         self._enable_broker = bool(
             enable_broker_on_windows and sys.platform == "win32"
-            or enable_broker_on_mac and sys.platform == "darwin")
+            or enable_broker_on_mac and sys.platform == "darwin"
+            or (enable_broker_on_linux or (enable_broker_on_wsl and is_wsl())) and sys.platform == "linux")
+
         super(PublicClientApplication, self).__init__(
             client_id, client_credential=None, **kwargs)
 
@@ -2131,7 +2154,9 @@ def acquire_token_interactive(
                 # https://microsoft.sharepoint.com/:w:/t/Identity-DevEx/EatIUauX3c9Ctw1l7AQ6iM8B5CeBZxc58eoQCE0IuZ0VFw?e=tgc3jP&CID=39c853be-76ea-79d7-ee73-f1b2706ede05
             False
             ) and data.get("token_type") != "ssh-cert"  # Work around a known issue as of PyMsalRuntime 0.8
-        self._validate_ssh_cert_input_data(data)
+        self._validate_ssh_cert_input_data(data) 
+        is_ssh_cert_or_pop_request = _is_ssh_cert_or_pop_request(data.get("token_type"), auth_scheme)
+
         if not on_before_launching_ui:
             on_before_launching_ui = lambda **kwargs: None
         if _is_running_in_cloud_shell() and prompt == "none":
@@ -2140,7 +2165,7 @@ def acquire_token_interactive(
             return self._acquire_token_by_cloud_shell(scopes, data=data)
         claims = _merge_claims_challenge_and_capabilities(
             self._client_capabilities, claims_challenge)
-        if self._enable_broker:
+        if self._enable_broker and (sys.platform in ("win32", "darwin") or not is_ssh_cert_or_pop_request):
             if parent_window_handle is None:
                 raise ValueError(
                     "parent_window_handle is required when you opted into using broker. "
@@ -2165,7 +2190,9 @@ def acquire_token_interactive(
                 )
             return self._process_broker_response(response, scopes, data)
 
-        if auth_scheme:
+        if isinstance(auth_scheme, msal.auth_scheme.PopAuthScheme) and sys.platform == "linux":
+            raise ValueError("POP is not supported on Linux")
+        elif auth_scheme:
             raise ValueError(self._AUTH_SCHEME_UNSUPPORTED)
         on_before_launching_ui(ui="browser")
         telemetry_context = self._build_telemetry_context(

msal/broker.py

@@ -27,6 +27,7 @@
     min_ver = {
         "win32": "1.20",
         "darwin": "1.31",
+        "linux": "1.32",
     }.get(sys.platform)
     if min_ver:
         raise ImportError(

sample/interactive_sample.py

@@ -47,7 +47,8 @@
     oidc_authority=os.getenv('OIDC_AUTHORITY'),  # For External ID with custom domain
     #enable_broker_on_windows=True,  # Opted in. You will be guided to meet the prerequisites, if your app hasn't already
     #enable_broker_on_mac=True,  # Opted in. You will be guided to meet the prerequisites, if your app hasn't already
-
+    #enable_broker_on_linux=True,  # Opted in. You will be guided to meet the prerequisites, if your app hasn't already
+    #enable_broker_on_wsl=True,  # Opted in. You will be guided to meet the prerequisites, if your app hasn't already
     token_cache=global_token_cache,  # Let this app (re)use an existing token cache.
         # If absent, ClientApplication will create its own empty token cache
     )

setup.cfg

@@ -62,9 +62,11 @@ broker =
     # most existing MSAL Python apps do not have the redirect_uri needed by broker.
     #
     # We need pymsalruntime.CallbackData introduced in PyMsalRuntime 0.14
-    pymsalruntime>=0.14,<0.18; python_version>='3.6' and platform_system=='Windows'
+    pymsalruntime>=0.14,<0.19; python_version>='3.6' and platform_system=='Windows'
     # On Mac, PyMsalRuntime 0.17+ is expected to support SSH cert and ROPC
-    pymsalruntime>=0.17,<0.18; python_version>='3.8' and platform_system=='Darwin'
+    pymsalruntime>=0.17,<0.19; python_version>='3.8' and platform_system=='Darwin'
+    # PyMsalRuntime 0.18+ is expected to support broker on Linux
+    pymsalruntime>=0.18,<0.19; python_version>='3.8' and platform_system=='Linux'
 
 [options.packages.find]
 exclude =

tests/broker-test.py

@@ -39,7 +39,10 @@
     _AZURE_CLI,
     authority="https://login.microsoftonline.com/organizations",
     enable_broker_on_mac=True,
-    enable_broker_on_windows=True)
+    enable_broker_on_windows=True,
+    enable_broker_on_linux=True,
+    enable_broker_on_wsl=True,
+    )
 
 def interactive_and_silent(scopes, auth_scheme, data, expected_token_type):
     print("An account picker shall be pop up, possibly behind this console. Continue from there.")

tests/test_e2e.py

@@ -193,6 +193,7 @@ def _build_app(cls,
                 http_client=http_client or MinimalHttpClient(),
                 enable_broker_on_windows=_PYMSALRUNTIME_INSTALLED,
                 enable_broker_on_mac=_PYMSALRUNTIME_INSTALLED,
+                enable_broker_on_linux=_PYMSALRUNTIME_INSTALLED,
                 )
 
     def _test_username_password(self,