From 2e8c9b35c2e916f17759379ae466ef2ed99ff02f Mon Sep 17 00:00:00 2001 From: Ugonna Akali Date: Thu, 25 Sep 2025 14:15:24 -0700 Subject: [PATCH 01/11] ROPC deprecation --- msal/__main__.py | 11 ++++++++--- msal/application.py | 7 ++++++- sample/username_password_sample.py | 1 + tests/broker-test.py | 2 ++ tests/test_account_source.py | 1 + tests/test_application.py | 2 ++ tests/test_ccs.py | 1 + tests/test_e2e.py | 2 ++ 8 files changed, 23 insertions(+), 4 deletions(-) diff --git a/msal/__main__.py b/msal/__main__.py index 4107fd89..a7d26a59 100644 --- a/msal/__main__.py +++ b/msal/__main__.py @@ -10,7 +10,7 @@ Usage 2: Build an all-in-one executable file for bug bash. shiv -e msal.__main__._main -o msaltest-on-os-name.pyz . """ -import base64, getpass, json, logging, sys, os, atexit, msal +import base64, getpass, json, logging, sys, os, atexit, msal, warnings _token_cache_filename = "msal_cache.bin" global_cache = msal.SerializableTokenCache() @@ -149,7 +149,13 @@ def _acquire_token_interactive(app, scopes=None, data=None): return result def _acquire_token_by_username_password(app): - """acquire_token_by_username_password() - See constraints here: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows#constraints-for-ropc""" + """ + [Deprecated] This API is deprecated and will be removed in a future release. Use a more secure flow instead. + Migration guide: https://aka.ms/msal-ropc-migration + + acquire_token_by_username_password() - See constraints here: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows#constraints-for-ropc + """ + warnings.warn("This API has been deprecated, please use a more secure flow. See https://aka.ms/msal-ropc-migration for migration guidance", DeprecationWarning) print_json(app.acquire_token_by_username_password( _input("username: "), getpass.getpass("password: "), scopes=_input_scopes())) @@ -322,7 +328,6 @@ def _main(): _acquire_pop_token_interactive, ] if isinstance(app, msal.PublicClientApplication) else [] ) + [ - _acquire_token_by_username_password, _remove_account, ] + ([ _acquire_token_for_client, diff --git a/msal/application.py b/msal/application.py index c58678ca..5db754d8 100644 --- a/msal/application.py +++ b/msal/application.py @@ -1815,7 +1815,11 @@ def acquire_token_by_username_password( # because this ROPC won't work with MSA account anyway. auth_scheme=None, **kwargs): - """Gets a token for a given resource via user credentials. + """ + [Deprecated] This API is deprecated and will be removed in a future release. Use a more secure flow instead. + Migration guide: https://aka.ms/msal-ropc-migration + + Gets a token for a given resource via user credentials. See this page for constraints of Username Password Flow. https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication @@ -1841,6 +1845,7 @@ def acquire_token_by_username_password( - A successful response would contain "access_token" key, - an error response would contain "error" and usually "error_description". """ + warnings.warn("This API has been deprecated, please use a more secure flow. See https://aka.ms/msal-ropc-migration for migration guidance", DeprecationWarning) claims = _merge_claims_challenge_and_capabilities( self._client_capabilities, claims_challenge) if self._enable_broker and sys.platform in ("win32", "darwin"): diff --git a/sample/username_password_sample.py b/sample/username_password_sample.py index 661d2db2..35a0509c 100644 --- a/sample/username_password_sample.py +++ b/sample/username_password_sample.py @@ -69,6 +69,7 @@ def acquire_and_use_token(): logging.info("No suitable token exists in cache. Let's get a new one from AAD.") # See this page for constraints of Username Password Flow. # https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication + result = global_app.acquire_token result = global_app.acquire_token_by_username_password( os.getenv("USERNAME"), password, scopes=scopes) diff --git a/tests/broker-test.py b/tests/broker-test.py index 8c2d5503..b2bcc379 100644 --- a/tests/broker-test.py +++ b/tests/broker-test.py @@ -15,6 +15,7 @@ 4. Run this test by `python broker-test.py` and make sure all the tests passed. """ +import unittest import msal import getpass import os @@ -67,6 +68,7 @@ def interactive_and_silent(scopes, auth_scheme, data, expected_token_type): ) _assert(result, expected_token_type) +@unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed") def test_broker_username_password(scopes, expected_token_type): print("Testing broker username password flows by using accounts in local .env") username = os.getenv("BROKER_TEST_ACCOUNT") or input("Input test account for broker test: ") diff --git a/tests/test_account_source.py b/tests/test_account_source.py index 7b449ef3..ac3b567f 100644 --- a/tests/test_account_source.py +++ b/tests/test_account_source.py @@ -52,6 +52,7 @@ def test_device_flow_and_its_silent_call_should_bypass_broker(self, _, mocked_br mocked_broker_ats.assert_not_called() self.assertEqual(result["token_source"], "identity_provider") + @unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed") def test_ropc_flow_and_its_silent_call_should_invoke_broker(self, _, mocked_broker_ats): with patch("msal.broker._signin_silently", return_value=dict(TOKEN_RESPONSE, _account_id="placeholder")): result = self.app.acquire_token_by_username_password( diff --git a/tests/test_application.py b/tests/test_application.py index 16e512c4..f3c7f592 100644 --- a/tests/test_application.py +++ b/tests/test_application.py @@ -575,6 +575,7 @@ def mock_post(url, headers=None, *args, **kwargs): self.assertEqual(result[self.app._TOKEN_SOURCE], self.app._TOKEN_SOURCE_IDP) self.assertEqual(at, result.get("access_token")) + @unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed") def test_acquire_token_by_username_password(self): at = "this is an access token" def mock_post(url, headers=None, *args, **kwargs): @@ -706,6 +707,7 @@ def test_organizations_authority_should_emit_warning(self): @patch(_OIDC_DISCOVERY, new=_OIDC_DISCOVERY_MOCK) class TestRemoveTokensForClient(unittest.TestCase): + @unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed") def test_remove_tokens_for_client_should_remove_client_tokens_only(self): at_for_user = "AT for user" cca = msal.ConfidentialClientApplication( diff --git a/tests/test_ccs.py b/tests/test_ccs.py index 8b801773..79a60438 100644 --- a/tests/test_ccs.py +++ b/tests/test_ccs.py @@ -60,6 +60,7 @@ def test_acquire_token_silent(self): mocked_method.call_args[1].get("headers", {}).get('X-AnchorMailbox'), "CSS routing info should be derived from home_account_id") + @unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed") def test_acquire_token_by_username_password(self): app = msal.ClientApplication("client_id") username = "johndoe@contoso.com" diff --git a/tests/test_e2e.py b/tests/test_e2e.py index 65b90aa2..de243559 100644 --- a/tests/test_e2e.py +++ b/tests/test_e2e.py @@ -197,6 +197,7 @@ def _build_app(cls, enable_broker_on_wsl=_PYMSALRUNTIME_INSTALLED, ) + @unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed") def _test_username_password(self, authority=None, client_id=None, username=None, password=None, scope=None, oidc_authority=None, @@ -644,6 +645,7 @@ def _test_acquire_token_by_auth_code_flow( username, result["id_token_claims"]["preferred_username"])) self.assertCacheWorksForUser(result, scope, username=None) + @unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed") def _test_acquire_token_obo(self, config_pca, config_cca, azure_region=None, # Regional endpoint does not really support OBO. # Here we just test regional apps won't adversely break OBO From f107a15825622bb823a681f32effa070a7b446a0 Mon Sep 17 00:00:00 2001 From: Ugonna Akali Date: Thu, 25 Sep 2025 16:03:05 -0700 Subject: [PATCH 02/11] sample edit --- sample/username_password_sample.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sample/username_password_sample.py b/sample/username_password_sample.py index 35a0509c..8b4fd7ed 100644 --- a/sample/username_password_sample.py +++ b/sample/username_password_sample.py @@ -67,9 +67,9 @@ def acquire_and_use_token(): if not result: logging.info("No suitable token exists in cache. Let's get a new one from AAD.") + logging.info("This flow has been deprecated") # See this page for constraints of Username Password Flow. # https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication - result = global_app.acquire_token result = global_app.acquire_token_by_username_password( os.getenv("USERNAME"), password, scopes=scopes) From d79cba10f07b6f6e7d02669d9b2a7e23d3b7e193 Mon Sep 17 00:00:00 2001 From: Ugonna Akali Date: Fri, 26 Sep 2025 12:24:13 -0700 Subject: [PATCH 03/11] reenable e2e tests --- tests/test_e2e.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/tests/test_e2e.py b/tests/test_e2e.py index de243559..65b90aa2 100644 --- a/tests/test_e2e.py +++ b/tests/test_e2e.py @@ -197,7 +197,6 @@ def _build_app(cls, enable_broker_on_wsl=_PYMSALRUNTIME_INSTALLED, ) - @unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed") def _test_username_password(self, authority=None, client_id=None, username=None, password=None, scope=None, oidc_authority=None, @@ -645,7 +644,6 @@ def _test_acquire_token_by_auth_code_flow( username, result["id_token_claims"]["preferred_username"])) self.assertCacheWorksForUser(result, scope, username=None) - @unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed") def _test_acquire_token_obo(self, config_pca, config_cca, azure_region=None, # Regional endpoint does not really support OBO. # Here we just test regional apps won't adversely break OBO From 6cae42984b07868aad8a116da671db90be151b5e Mon Sep 17 00:00:00 2001 From: Ugonna Akali Date: Fri, 26 Sep 2025 16:43:23 -0700 Subject: [PATCH 04/11] reenable tests --- msal/__main__.py | 4 ++-- msal/application.py | 8 ++++++-- sample/username_password_sample.py | 1 - tests/broker-test.py | 5 +---- tests/test_account_source.py | 1 - tests/test_application.py | 2 -- tests/test_ccs.py | 1 - 7 files changed, 9 insertions(+), 13 deletions(-) diff --git a/msal/__main__.py b/msal/__main__.py index a7d26a59..526d084d 100644 --- a/msal/__main__.py +++ b/msal/__main__.py @@ -150,12 +150,11 @@ def _acquire_token_interactive(app, scopes=None, data=None): def _acquire_token_by_username_password(app): """ - [Deprecated] This API is deprecated and will be removed in a future release. Use a more secure flow instead. + [Deprecated] This API is deprecated for PublicClientApplication(PCA) flows and will be removed in a future release. Use a more secure flow instead. Migration guide: https://aka.ms/msal-ropc-migration acquire_token_by_username_password() - See constraints here: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows#constraints-for-ropc """ - warnings.warn("This API has been deprecated, please use a more secure flow. See https://aka.ms/msal-ropc-migration for migration guidance", DeprecationWarning) print_json(app.acquire_token_by_username_password( _input("username: "), getpass.getpass("password: "), scopes=_input_scopes())) @@ -328,6 +327,7 @@ def _main(): _acquire_pop_token_interactive, ] if isinstance(app, msal.PublicClientApplication) else [] ) + [ + _acquire_token_by_username_password, _remove_account, ] + ([ _acquire_token_for_client, diff --git a/msal/application.py b/msal/application.py index 5db754d8..7f717351 100644 --- a/msal/application.py +++ b/msal/application.py @@ -1816,7 +1816,7 @@ def acquire_token_by_username_password( auth_scheme=None, **kwargs): """ - [Deprecated] This API is deprecated and will be removed in a future release. Use a more secure flow instead. + [Deprecated] This API is deprecated for PublicClientApplication(PCA) flows and will be removed in a future release. Use a more secure flow instead. Migration guide: https://aka.ms/msal-ropc-migration Gets a token for a given resource via user credentials. @@ -1845,7 +1845,11 @@ def acquire_token_by_username_password( - A successful response would contain "access_token" key, - an error response would contain "error" and usually "error_description". """ - warnings.warn("This API has been deprecated, please use a more secure flow. See https://aka.ms/msal-ropc-migration for migration guidance", DeprecationWarning) + is_confidential_app = self.client_credential or isinstance( + self, ConfidentialClientApplication) + if not is_confidential_app: + warnings.warn("This API has been deprecated for PCA flows, please use a more secure flow. " \ + "See https://aka.ms/msal-ropc-migration for migration guidance", DeprecationWarning) claims = _merge_claims_challenge_and_capabilities( self._client_capabilities, claims_challenge) if self._enable_broker and sys.platform in ("win32", "darwin"): diff --git a/sample/username_password_sample.py b/sample/username_password_sample.py index 8b4fd7ed..661d2db2 100644 --- a/sample/username_password_sample.py +++ b/sample/username_password_sample.py @@ -67,7 +67,6 @@ def acquire_and_use_token(): if not result: logging.info("No suitable token exists in cache. Let's get a new one from AAD.") - logging.info("This flow has been deprecated") # See this page for constraints of Username Password Flow. # https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication result = global_app.acquire_token_by_username_password( diff --git a/tests/broker-test.py b/tests/broker-test.py index b2bcc379..01f13f3c 100644 --- a/tests/broker-test.py +++ b/tests/broker-test.py @@ -15,10 +15,10 @@ 4. Run this test by `python broker-test.py` and make sure all the tests passed. """ -import unittest import msal import getpass import os +import warnings try: from dotenv import load_dotenv # Use this only in local dev machine load_dotenv() # take environment variables from .env. @@ -68,7 +68,6 @@ def interactive_and_silent(scopes, auth_scheme, data, expected_token_type): ) _assert(result, expected_token_type) -@unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed") def test_broker_username_password(scopes, expected_token_type): print("Testing broker username password flows by using accounts in local .env") username = os.getenv("BROKER_TEST_ACCOUNT") or input("Input test account for broker test: ") @@ -76,12 +75,10 @@ def test_broker_username_password(scopes, expected_token_type): assert username and password, "You need to provide a test account and its password" result = pca.acquire_token_by_username_password(username, password, scopes) _assert(result, expected_token_type) - assert result.get("token_source") == "broker" print("Username password test succeeds.") def _assert(result, expected_token_type): assert result.get("access_token"), f"We should obtain a token. Got {result} instead." - assert result.get("token_source") == "broker", "Token should be obtained via broker" assert result.get("token_type").lower() == expected_token_type.lower(), f"{expected_token_type} not found" for i in range(2): # Mimic Azure CLI's issue report diff --git a/tests/test_account_source.py b/tests/test_account_source.py index ac3b567f..7b449ef3 100644 --- a/tests/test_account_source.py +++ b/tests/test_account_source.py @@ -52,7 +52,6 @@ def test_device_flow_and_its_silent_call_should_bypass_broker(self, _, mocked_br mocked_broker_ats.assert_not_called() self.assertEqual(result["token_source"], "identity_provider") - @unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed") def test_ropc_flow_and_its_silent_call_should_invoke_broker(self, _, mocked_broker_ats): with patch("msal.broker._signin_silently", return_value=dict(TOKEN_RESPONSE, _account_id="placeholder")): result = self.app.acquire_token_by_username_password( diff --git a/tests/test_application.py b/tests/test_application.py index f3c7f592..16e512c4 100644 --- a/tests/test_application.py +++ b/tests/test_application.py @@ -575,7 +575,6 @@ def mock_post(url, headers=None, *args, **kwargs): self.assertEqual(result[self.app._TOKEN_SOURCE], self.app._TOKEN_SOURCE_IDP) self.assertEqual(at, result.get("access_token")) - @unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed") def test_acquire_token_by_username_password(self): at = "this is an access token" def mock_post(url, headers=None, *args, **kwargs): @@ -707,7 +706,6 @@ def test_organizations_authority_should_emit_warning(self): @patch(_OIDC_DISCOVERY, new=_OIDC_DISCOVERY_MOCK) class TestRemoveTokensForClient(unittest.TestCase): - @unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed") def test_remove_tokens_for_client_should_remove_client_tokens_only(self): at_for_user = "AT for user" cca = msal.ConfidentialClientApplication( diff --git a/tests/test_ccs.py b/tests/test_ccs.py index 79a60438..8b801773 100644 --- a/tests/test_ccs.py +++ b/tests/test_ccs.py @@ -60,7 +60,6 @@ def test_acquire_token_silent(self): mocked_method.call_args[1].get("headers", {}).get('X-AnchorMailbox'), "CSS routing info should be derived from home_account_id") - @unittest.skip("ROPC API has been deprecated and thus these tests are no longer needed") def test_acquire_token_by_username_password(self): app = msal.ClientApplication("client_id") username = "johndoe@contoso.com" From 0961248219b25efa30435e6e830d9b035771b21c Mon Sep 17 00:00:00 2001 From: Ugonna Akali Date: Fri, 26 Sep 2025 16:46:08 -0700 Subject: [PATCH 05/11] edit --- tests/broker-test.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/broker-test.py b/tests/broker-test.py index 01f13f3c..8c2d5503 100644 --- a/tests/broker-test.py +++ b/tests/broker-test.py @@ -18,7 +18,6 @@ import msal import getpass import os -import warnings try: from dotenv import load_dotenv # Use this only in local dev machine load_dotenv() # take environment variables from .env. @@ -75,10 +74,12 @@ def test_broker_username_password(scopes, expected_token_type): assert username and password, "You need to provide a test account and its password" result = pca.acquire_token_by_username_password(username, password, scopes) _assert(result, expected_token_type) + assert result.get("token_source") == "broker" print("Username password test succeeds.") def _assert(result, expected_token_type): assert result.get("access_token"), f"We should obtain a token. Got {result} instead." + assert result.get("token_source") == "broker", "Token should be obtained via broker" assert result.get("token_type").lower() == expected_token_type.lower(), f"{expected_token_type} not found" for i in range(2): # Mimic Azure CLI's issue report From ff79ee2c33d220a1fb854b146041a23fc42ae704 Mon Sep 17 00:00:00 2001 From: Ugonna Akali Date: Fri, 26 Sep 2025 16:57:08 -0700 Subject: [PATCH 06/11] remove import --- msal/__main__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/msal/__main__.py b/msal/__main__.py index 526d084d..7f3d0ef5 100644 --- a/msal/__main__.py +++ b/msal/__main__.py @@ -10,7 +10,7 @@ Usage 2: Build an all-in-one executable file for bug bash. shiv -e msal.__main__._main -o msaltest-on-os-name.pyz . """ -import base64, getpass, json, logging, sys, os, atexit, msal, warnings +import base64, getpass, json, logging, sys, os, atexit, msal _token_cache_filename = "msal_cache.bin" global_cache = msal.SerializableTokenCache() From 4b4c97e004baacdba773bb8d6166da6e53fa8465 Mon Sep 17 00:00:00 2001 From: Ugonna Akali <137432604+Ugonnaak1@users.noreply.github.com> Date: Mon, 29 Sep 2025 09:02:11 -0700 Subject: [PATCH 07/11] fix wording Co-authored-by: Bogdan Gavril --- msal/application.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/msal/application.py b/msal/application.py index 7f717351..cb6e34ec 100644 --- a/msal/application.py +++ b/msal/application.py @@ -1848,7 +1848,7 @@ def acquire_token_by_username_password( is_confidential_app = self.client_credential or isinstance( self, ConfidentialClientApplication) if not is_confidential_app: - warnings.warn("This API has been deprecated for PCA flows, please use a more secure flow. " \ + warnings.warn("This API has been deprecated for public client flows, please use a more secure flow. " \ "See https://aka.ms/msal-ropc-migration for migration guidance", DeprecationWarning) claims = _merge_claims_challenge_and_capabilities( self._client_capabilities, claims_challenge) From 4798680018ba5ca1f9e325c1239ffba971312caf Mon Sep 17 00:00:00 2001 From: Ugonna Akali Date: Mon, 29 Sep 2025 22:29:08 -0700 Subject: [PATCH 08/11] edits --- msal/__main__.py | 7 +------ msal/application.py | 15 ++++++++------- 2 files changed, 9 insertions(+), 13 deletions(-) diff --git a/msal/__main__.py b/msal/__main__.py index 7f3d0ef5..4107fd89 100644 --- a/msal/__main__.py +++ b/msal/__main__.py @@ -149,12 +149,7 @@ def _acquire_token_interactive(app, scopes=None, data=None): return result def _acquire_token_by_username_password(app): - """ - [Deprecated] This API is deprecated for PublicClientApplication(PCA) flows and will be removed in a future release. Use a more secure flow instead. - Migration guide: https://aka.ms/msal-ropc-migration - - acquire_token_by_username_password() - See constraints here: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows#constraints-for-ropc - """ + """acquire_token_by_username_password() - See constraints here: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows#constraints-for-ropc""" print_json(app.acquire_token_by_username_password( _input("username: "), getpass.getpass("password: "), scopes=_input_scopes())) diff --git a/msal/application.py b/msal/application.py index cb6e34ec..32b73240 100644 --- a/msal/application.py +++ b/msal/application.py @@ -1815,11 +1815,7 @@ def acquire_token_by_username_password( # because this ROPC won't work with MSA account anyway. auth_scheme=None, **kwargs): - """ - [Deprecated] This API is deprecated for PublicClientApplication(PCA) flows and will be removed in a future release. Use a more secure flow instead. - Migration guide: https://aka.ms/msal-ropc-migration - - Gets a token for a given resource via user credentials. + """Gets a token for a given resource via user credentials. See this page for constraints of Username Password Flow. https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication @@ -1844,12 +1840,17 @@ def acquire_token_by_username_password( - A successful response would contain "access_token" key, - an error response would contain "error" and usually "error_description". + + [Deprecated] This API is deprecated for public client flows and will be removed in a future release. + Use a more secure flow instead. + Migration guide: https://aka.ms/msal-ropc-migration + """ is_confidential_app = self.client_credential or isinstance( self, ConfidentialClientApplication) if not is_confidential_app: - warnings.warn("This API has been deprecated for public client flows, please use a more secure flow. " \ - "See https://aka.ms/msal-ropc-migration for migration guidance", DeprecationWarning) + warnings.warn("""This API has been deprecated, please use a more secure flow. + See https://aka.ms/msal-ropc-migration for migration guidance""", DeprecationWarning) claims = _merge_claims_challenge_and_capabilities( self._client_capabilities, claims_challenge) if self._enable_broker and sys.platform in ("win32", "darwin"): From 2ac9057b33f8293c1a83522583fccb6dacc6d7d7 Mon Sep 17 00:00:00 2001 From: Ugonna Akali Date: Tue, 30 Sep 2025 09:32:12 -0700 Subject: [PATCH 09/11] add comment --- msal/application.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/msal/application.py b/msal/application.py index 32b73240..43ee72c7 100644 --- a/msal/application.py +++ b/msal/application.py @@ -1844,12 +1844,12 @@ def acquire_token_by_username_password( [Deprecated] This API is deprecated for public client flows and will be removed in a future release. Use a more secure flow instead. Migration guide: https://aka.ms/msal-ropc-migration - + """ is_confidential_app = self.client_credential or isinstance( self, ConfidentialClientApplication) if not is_confidential_app: - warnings.warn("""This API has been deprecated, please use a more secure flow. + warnings.warn("""This API has been deprecated for public client flows, please use a more secure flow. See https://aka.ms/msal-ropc-migration for migration guidance""", DeprecationWarning) claims = _merge_claims_challenge_and_capabilities( self._client_capabilities, claims_challenge) From 5e398c204cd8bfc3ff673b3f27ccd5bd9a9e201d Mon Sep 17 00:00:00 2001 From: Ugonna Akali Date: Tue, 30 Sep 2025 09:41:14 -0700 Subject: [PATCH 10/11] format --- msal/application.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/msal/application.py b/msal/application.py index 43ee72c7..2fe608c1 100644 --- a/msal/application.py +++ b/msal/application.py @@ -1850,7 +1850,7 @@ def acquire_token_by_username_password( self, ConfidentialClientApplication) if not is_confidential_app: warnings.warn("""This API has been deprecated for public client flows, please use a more secure flow. - See https://aka.ms/msal-ropc-migration for migration guidance""", DeprecationWarning) + See https://aka.ms/msal-ropc-migration for migration guidance""", DeprecationWarning) claims = _merge_claims_challenge_and_capabilities( self._client_capabilities, claims_challenge) if self._enable_broker and sys.platform in ("win32", "darwin"): From ff536b0b0793d89aa9a847bb2f1595236af6a79e Mon Sep 17 00:00:00 2001 From: Ugonna Akali Date: Tue, 30 Sep 2025 09:53:27 -0700 Subject: [PATCH 11/11] docstring changes --- msal/application.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/msal/application.py b/msal/application.py index 2fe608c1..b4371c63 100644 --- a/msal/application.py +++ b/msal/application.py @@ -1841,8 +1841,8 @@ def acquire_token_by_username_password( - A successful response would contain "access_token" key, - an error response would contain "error" and usually "error_description". - [Deprecated] This API is deprecated for public client flows and will be removed in a future release. - Use a more secure flow instead. + [Deprecated] This API is deprecated for public client flows and will be + removed in a future release. Use a more secure flow instead. Migration guide: https://aka.ms/msal-ropc-migration """