Deprecate decode_id_token and stop validating ID tokens (#911)#943
Open
4gust wants to merge 1 commit into
Open
Deprecate decode_id_token and stop validating ID tokens (#911)#9434gust wants to merge 1 commit into
4gust wants to merge 1 commit into
Conversation
MSAL should not perform any ID token validation. Per OpenID Connect, an ID token obtained via direct communication with the token endpoint (how MSAL retrieves tokens) does not need client-side validation, and MSAL does not manage sessions, so it should not check exp/iss/aud. - Add non-validating _decode_id_token_claims() and use it on the retrieval path (Client._obtain_token and TokenCache) so no iss/aud/exp/nbf checks run - Deprecate the public decode_id_token() function and Client.decode_id_token() method with a DeprecationWarning - Keep nonce and max_age/auth_time auth-code-flow replay protections - Update docstrings that claimed the SDK validates the ID token - Update tests accordingly Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates MSAL’s ID token handling to stop performing ID token validation during token acquisition/caching, while deprecating the public decode_id_token() API and adjusting tests accordingly.
Changes:
- Add a non-validating internal
_decode_id_token_claims()and use it in token acquisition (Client._obtain_token) and token caching (TokenCache). - Deprecate
decode_id_token()andClient.decode_id_token()withDeprecationWarning, and update unit tests to assert the warning behavior. - Ensure retrieval paths only decode claims (no
iss/aud/exp/nbfchecks) while leaving replay protections to the auth-code-flow logic that consumesid_token_claims.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
msal/oauth2cli/oidc.py |
Introduces non-validating claim decode helper; deprecates legacy ID token validation APIs; switches token acquisition to populate id_token_claims via non-validating decode. |
msal/token_cache.py |
Stops validating ID tokens when extracting claims for caching/account parsing; uses non-validating decode helper instead. |
tests/test_oidc.py |
Updates tests to expect deprecation warnings from decode_id_token() and adds coverage asserting the internal helper does not validate expired tokens. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+110
to
+113
| warnings.warn( | ||
| "decode_id_token() is deprecated. MSAL does not validate the ID token. " | ||
| "Use the id_token_claims returned alongside the token instead.", | ||
| DeprecationWarning) |
Comment on lines
+98
to
+104
| .. deprecated:: 1.38.0 | ||
| MSAL no longer validates the ID token, because the SDK should not | ||
| perform any ID token validation | ||
| (`issue #911 <https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/911>`_). | ||
| To simply decode an ID token's claims, use the ``id_token_claims`` that | ||
| MSAL already returns alongside each token, or decode the token yourself. | ||
|
|
Comment on lines
+191
to
+193
| .. deprecated:: 1.38.0 | ||
| MSAL no longer validates the ID token. See :func:`~decode_id_token`. | ||
| """ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
MSAL should not perform any ID token validation. Per OpenID Connect, an ID token obtained via direct communication with the token endpoint (how MSAL retrieves tokens) does not need client-side validation, and MSAL does not manage sessions, so it should not check exp/iss/aud.