Skip to content

Deprecate decode_id_token and stop validating ID tokens (#911)#943

Open
4gust wants to merge 1 commit into
devfrom
4gust/deprecate-id-token-validation
Open

Deprecate decode_id_token and stop validating ID tokens (#911)#943
4gust wants to merge 1 commit into
devfrom
4gust/deprecate-id-token-validation

Conversation

@4gust

@4gust 4gust commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

MSAL should not perform any ID token validation. Per OpenID Connect, an ID token obtained via direct communication with the token endpoint (how MSAL retrieves tokens) does not need client-side validation, and MSAL does not manage sessions, so it should not check exp/iss/aud.

  • Add non-validating _decode_id_token_claims() and use it on the retrieval path (Client._obtain_token and TokenCache) so no iss/aud/exp/nbf checks run
  • Deprecate the public decode_id_token() function and Client.decode_id_token() method with a DeprecationWarning
  • Keep nonce and max_age/auth_time auth-code-flow replay protections
  • Update docstrings that claimed the SDK validates the ID token
  • Update tests accordingly

MSAL should not perform any ID token validation. Per OpenID Connect, an ID
token obtained via direct communication with the token endpoint (how MSAL
retrieves tokens) does not need client-side validation, and MSAL does not
manage sessions, so it should not check exp/iss/aud.

- Add non-validating _decode_id_token_claims() and use it on the retrieval
  path (Client._obtain_token and TokenCache) so no iss/aud/exp/nbf checks run
- Deprecate the public decode_id_token() function and Client.decode_id_token()
  method with a DeprecationWarning
- Keep nonce and max_age/auth_time auth-code-flow replay protections
- Update docstrings that claimed the SDK validates the ID token
- Update tests accordingly

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 14, 2026 16:01
@4gust 4gust requested a review from a team as a code owner July 14, 2026 16:01

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates MSAL’s ID token handling to stop performing ID token validation during token acquisition/caching, while deprecating the public decode_id_token() API and adjusting tests accordingly.

Changes:

  • Add a non-validating internal _decode_id_token_claims() and use it in token acquisition (Client._obtain_token) and token caching (TokenCache).
  • Deprecate decode_id_token() and Client.decode_id_token() with DeprecationWarning, and update unit tests to assert the warning behavior.
  • Ensure retrieval paths only decode claims (no iss/aud/exp/nbf checks) while leaving replay protections to the auth-code-flow logic that consumes id_token_claims.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
msal/oauth2cli/oidc.py Introduces non-validating claim decode helper; deprecates legacy ID token validation APIs; switches token acquisition to populate id_token_claims via non-validating decode.
msal/token_cache.py Stops validating ID tokens when extracting claims for caching/account parsing; uses non-validating decode helper instead.
tests/test_oidc.py Updates tests to expect deprecation warnings from decode_id_token() and adds coverage asserting the internal helper does not validate expired tokens.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread msal/oauth2cli/oidc.py
Comment on lines +110 to +113
warnings.warn(
"decode_id_token() is deprecated. MSAL does not validate the ID token. "
"Use the id_token_claims returned alongside the token instead.",
DeprecationWarning)
Comment thread msal/oauth2cli/oidc.py
Comment on lines +98 to +104
.. deprecated:: 1.38.0
MSAL no longer validates the ID token, because the SDK should not
perform any ID token validation
(`issue #911 <https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/911>`_).
To simply decode an ID token's claims, use the ``id_token_claims`` that
MSAL already returns alongside each token, or decode the token yourself.

Comment thread msal/oauth2cli/oidc.py
Comment on lines +191 to +193
.. deprecated:: 1.38.0
MSAL no longer validates the ID token. See :func:`~decode_id_token`.
"""
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants