Implement remove_tokens_for_client()

[rayluo]

Based on this understanding, here comes this (evil?) PR, which will resolve #640 and resolve #650

[jiasli]

here comes this (evil?) PR

Interestingly, 666 is a positive/luckily number in Chinese, expressing "good" and "proficient": https://en.wikipedia.org/wiki/666_(number).

[yonzhan]

[celebrate] Yong Zhang reacted to your message:

…

________________________________ From: Jiashuo Li ***@***.***> Sent: Wednesday, March 20, 2024 12:55:06 AM To: AzureAD/microsoft-authentication-library-for-python ***@***.***> Cc: Subscribed ***@***.***> Subject: Re: [AzureAD/microsoft-authentication-library-for-python] Implement remove_tokens_for_client() (PR #666) here comes this (evil?<https://en.wikipedia.org/wiki/Number_of_the_beast>) PR Interestingly, 666 is a positive/luckily number in Chinese, expressing "good" and "proficient": https://en.wikipedia.org/wiki/666_(number). — Reply to this email directly, view it on GitHub<#666 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AM4LM2FYOGKXKGF6VSXGH6TYZDM6VAVCNFSM6AAAAABDFNEKNWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMBYGQ3TGMRXGE>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[jiasli]

The implementation is not complete. After running remove_tokens_for_client(), the ghost of the service principal still lingers in AppMetadata:

{
    "AccessToken": {},
    "AppMetadata": {
        "appmetadata-login.microsoftonline.com-a7003d8c-e50f-4371-91a6-ef37bba4ab23": {
            "client_id": "a7003d8c-e50f-4371-91a6-ef37bba4ab23",
            "environment": "login.microsoftonline.com"
        }
    }
}

[jiasli]

Luckily realm (tenant) is not used in query. This makes the functionality align with az logout which only takes a --username, but not --tenant.

This means all access tokens for a service principal from all tenants will be removed. However, this brings up another question: what if I only want to remove the access token for a service principal in a specific tenant?

[jiasli]

What if I lose track of service principals client IDs? How do I purge all service principals' access tokens, while keeping users' access tokens?

[rayluo]

What if I lose track of service principals client IDs? How do I purge all service principals' access tokens, ...?

Hmm, MSAL's ClientApplication always requires client_id as its required parameter. This question sounds as strange as "what if I forgot my local Windows username, how do I purge all users' content from the current PC?". Is there a legit scenario for that? That being said, I suppose you can do format c: or its equivalent rm ~/.azure/msal_token_cache.json if desirable.

How do I purge all service principals' access tokens, while keeping users' access tokens?

You would have to create different ClientApplication objects with different token cache persistence files, so that you may be able to delete some of those files.

[rayluo]

The implementation is not complete. After running remove_tokens_for_client(), the ghost of the service principal still lingers in AppMetadata:

{
    "AccessToken": {},
    "AppMetadata": {
        "appmetadata-login.microsoftonline.com-a7003d8c-e50f-4371-91a6-ef37bba4ab23": {
            "client_id": "a7003d8c-e50f-4371-91a6-ef37bba4ab23",
            "environment": "login.microsoftonline.com"
        }
    }
}

The residue of AppMetadata is technically not an incomplete implementation. The AppMetadata was meant to be persisted forever, because (1) they would be used to remember whether an app belongs to a "family" (although that characteristic does not necessarily apply to service principal); (2) they contain no sensitive tokens anyway.

[jiasli]

This question sounds as strange as "what if I forgot my local Windows username, how do I purge all users' content from the current PC?".

This is possible for user accounts logged into MSAL as users can be retrieved with ClientApplication.get_accounts():

microsoft-authentication-library-for-python/msal/application.py

Line 1162 in 3279f04

def get_accounts(self, username=None):

Azure CLI has a logout_all_users() which removes all users, but logout_service_principal() is currently incomplete due to no equivalent of ClientApplication.get_accounts().

[jiasli]

although that characteristic does not necessarily apply to service principal

I agree the client ID for user authentication (such as Azure CLI's client ID) is not sensitive, but some users may treat service principal's client ID as sensitive date and want it to be "obliviated".