Deprecate decode_id_token and stop validating ID tokens (#911)#943
Deprecate decode_id_token and stop validating ID tokens (#911)#9434gust wants to merge 2 commits into
Conversation
MSAL should not perform any ID token validation. Per OpenID Connect, an ID token obtained via direct communication with the token endpoint (how MSAL retrieves tokens) does not need client-side validation, and MSAL does not manage sessions, so it should not check exp/iss/aud. - Add non-validating _decode_id_token_claims() and use it on the retrieval path (Client._obtain_token and TokenCache) so no iss/aud/exp/nbf checks run - Deprecate the public decode_id_token() function and Client.decode_id_token() method with a DeprecationWarning - Keep nonce and max_age/auth_time auth-code-flow replay protections - Update docstrings that claimed the SDK validates the ID token - Update tests accordingly Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR updates MSAL’s ID token handling to stop performing ID token validation during token acquisition/caching, while deprecating the public decode_id_token() API and adjusting tests accordingly.
Changes:
- Add a non-validating internal
_decode_id_token_claims()and use it in token acquisition (Client._obtain_token) and token caching (TokenCache). - Deprecate
decode_id_token()andClient.decode_id_token()withDeprecationWarning, and update unit tests to assert the warning behavior. - Ensure retrieval paths only decode claims (no
iss/aud/exp/nbfchecks) while leaving replay protections to the auth-code-flow logic that consumesid_token_claims.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
msal/oauth2cli/oidc.py |
Introduces non-validating claim decode helper; deprecates legacy ID token validation APIs; switches token acquisition to populate id_token_claims via non-validating decode. |
msal/token_cache.py |
Stops validating ID tokens when extracting claims for caching/account parsing; uses non-validating decode helper instead. |
tests/test_oidc.py |
Updates tests to expect deprecation warnings from decode_id_token() and adds coverage asserting the internal helper does not validate expired tokens. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| warnings.warn( | ||
| "decode_id_token() is deprecated. MSAL does not validate the ID token. " | ||
| "Use the id_token_claims returned alongside the token instead.", | ||
| DeprecationWarning) |
There was a problem hiding this comment.
Fixed. Added stacklevel=2 and reworded the warning so it no longer implies this call is non-validating — it now clarifies that MSAL's token acquisition stopped validating while this legacy helper still performs some validation.
| .. deprecated:: 1.38.0 | ||
| MSAL no longer validates the ID token, because the SDK should not | ||
| perform any ID token validation | ||
| (`issue #911 <https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/911>`_). | ||
| To simply decode an ID token's claims, use the ``id_token_claims`` that | ||
| MSAL already returns alongside each token, or decode the token yourself. | ||
|
|
There was a problem hiding this comment.
Reworded the docstring to clarify that only token acquisition stopped validating while this legacy helper still validates some claims. On the version: 1.37.0 is already released (it's tagged), so 1.38.0 is the correct next release that introduces this deprecation — msal/sku.py just hasn't been bumped past the released 1.37.0 yet.
| .. deprecated:: 1.38.0 | ||
| MSAL no longer validates the ID token. See :func:`~decode_id_token`. | ||
| """ |
There was a problem hiding this comment.
Updated the method docstring to clarify it's kept for backward compatibility and still performs legacy validation. Same version note as above: 1.37.0 is already released, so 1.38.0 is the correct introducing release.
…view) - Add stacklevel=2 so the DeprecationWarning points at the caller's site - Reword warning and docstrings to avoid implying this legacy helper is non-validating; clarify that only token acquisition stopped validating while decode_id_token() still performs legacy validation Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
| .. deprecated:: 1.38.0 | ||
| MSAL's token acquisition no longer validates the ID token. This | ||
| method is kept for backward compatibility and still performs the | ||
| legacy validations. See :func:`~decode_id_token`. | ||
| """ |
MSAL should not perform any ID token validation. Per OpenID Connect, an ID token obtained via direct communication with the token endpoint (how MSAL retrieves tokens) does not need client-side validation, and MSAL does not manage sessions, so it should not check exp/iss/aud.