how to get v2 type token using msal python
I am trying to get a v2 type token using the msal library for python
my code is as in below
global_app = msal.ClientApplication(
os.getenv('CLIENT_ID'),
authority=os.getenv('AUTHORITY'), # For Entra ID or External ID
oidc_authority=os.getenv('OIDC_AUTHORITY'), # For External ID with custom domain
client_credential=os.getenv('CLIENT_SECRET') or None, # Treat empty string as None
token_cache=global_token_cache, # Let this app (re)use an existing token cache.
# If absent, ClientApplication will create its own empty token cache
)
result = global_app.acquire_token_by_username_password(
os.getenv("USERNAME"), password, scopes=scopes)
Additionally i have tried to set and unset the scopes as User.Read.
I have also set the accesstokentype in the Azure manifests to v2.
However when i run the above, i still get the token with issuer as https://sts.... which is different from my issue which is of the type https://login.microsoftonline.com/{TENANT}
I need assistance in getting the correct v2 token back
Note that, User.Read is Microsoft Graph permission for which version 2.0 tokens are not yet supported. Refer this MS Q&A by Sivakumar-MSFT.
I registered one application and set accessTokenAcceptedVersion in Azure Manifest to v2 as below:
When I decoded the token generated with User.Read scope, its version is 1.0 :
To get v2 type token, you need to create new custom scope by exposing an API like this:
Make sure to add this custom scope in API permissions tab and grant admin consent to it as below:
Now, generate the token by changing scope parameter to custom scope value in your python code:
import msal
from dotenv import load_dotenv
import os
load_dotenv()
client_id = os.getenv('CLIENT_ID')
authority = os.getenv('AUTHORITY')
oidc_authority = os.getenv('OIDC_AUTHORITY')
client_secret = os.getenv('CLIENT_SECRET') or None
username = os.getenv("USERNAME")
password = os.getenv("PASSWORD")
scopes = ["api://appId/custom.read"]
global_app = msal.ClientApplication(
client_id,
authority=authority,
client_credential=client_secret,
token_cache=None
)
result = global_app.acquire_token_by_username_password(
username=username,
password=password,
scopes=scopes
)
if "access_token" in result:
print("Access token:", result["access_token"])
else:
print("Failed to acquire token.")
print(result.get("error"))
print(result.get("error_description"))
Response:
To confirm that, I decoded the token in jwt.ms website where token generated with version 2.0 successfully as below:
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?