Deprecate response_mode parameter, better messages and more robust test

Author: ashok672

msal/application.py

@@ -258,7 +258,7 @@ def __init__(
             client_credential=None, authority=None, validate_authority=True,
             token_cache=None,
             http_client=None,
-            verify=True, proxies=None, timeout=None,
+            verify=False, proxies=None, timeout=None,
             client_claims=None, app_name=None, app_version=None,
             client_capabilities=None,
             azure_region=None,  # Note: We choose to add this param in this base class,
@@ -920,6 +920,9 @@ def initiate_auth_code_flow(
             ):
         """Initiate an auth code flow.
 
+        .. deprecated::
+            The response_mode parameter is deprecated and will be removed in a future version.
+
         Later when the response reaches your redirect_uri,
         you can use :func:`~acquire_token_by_auth_code_flow()`
         to complete the authentication/authorization.
@@ -960,18 +963,10 @@ def initiate_auth_code_flow(
             New in version 1.15.
 
         :param str response_mode:
-            OPTIONAL. Specifies the method with which response parameters should be returned.
-            The default value is equivalent to ``query``, which is still secure enough in MSAL Python
-            (because MSAL Python does not transfer tokens via query parameter in the first place).
-            For even better security, we recommend using the value ``form_post``.
-            In "form_post" mode, response parameters
-            will be encoded as HTML form values that are transmitted via the HTTP POST method and
-            encoded in the body using the application/x-www-form-urlencoded format.
-            Valid values can be either "form_post" for HTTP POST to callback URI or
-            "query" (the default) for HTTP GET with parameters encoded in query string.
-            More information on possible values
-            `here <https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseModes>`
-            and `here <https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html#FormPostResponseMode>`
+            .. deprecated::
+                This parameter is deprecated and will be removed in a future version.
+                The response_mode is always set to ``form_post`` for security reasons,
+                regardless of the value provided. Do not use this parameter.
 
         :return:
             The auth code flow. It is a dict in this form::
@@ -991,6 +986,13 @@ def initiate_auth_code_flow(
             3. and then relay this dict and subsequent auth response to
                :func:`~acquire_token_by_auth_code_flow()`.
         """
+        if response_mode is not None:
+            import warnings
+            warnings.warn(
+                "The 'response_mode' parameter is deprecated and will be removed in a future version. "
+                "Response mode is always 'form_post' for security reasons.",
+                DeprecationWarning,
+                stacklevel=2)
         client = _ClientWithCcsRoutingInfo(
             {"authorization_endpoint": self.authority.authorization_endpoint},
             self.client_id,

msal/oauth2cli/authcode.py

@@ -347,9 +347,11 @@ def _get_auth_response(self, result, auth_uri=None, timeout=None, state=None,
                     auth_uri_callback(_uri)
 
         self._server.success_template = Template(success_template or
-            "Authentication completed. You can close this window now.")
+            "Authentication complete. You can return to the application. Please close this browser tab. "
+            "For your security: Do not share the contents of this page, the address bar, or take screenshots.")
         self._server.error_template = Template(error_template or
-            "Authentication failed. $error: $error_description. ($error_uri)")
+            "Authentication failed. $error: $error_description. ($error_uri) "
+            "For your security: Do not share the contents of this page, the address bar, or take screenshots.")
 
         self._server.timeout = timeout  # Otherwise its handle_timeout() won't work
         self._server.auth_response = {}  # Shared with _AuthCodeHandler

msal/oauth2cli/oauth2.py

@@ -181,9 +181,7 @@ def _build_auth_request_params(self, response_type, **kwargs):
         if 'response_mode' in kwargs and kwargs['response_mode'] != 'form_post':
             import warnings
             warnings.warn(
-                "response_mode='{}' is not supported for security reasons. "
-                "Using form_post instead. Query string transmission of authorization "
-                "codes is insecure and has been disabled.".format(kwargs['response_mode']),
+                "The 'response_mode' parameter will be overridden to 'form_post' for better security.",
                 UserWarning)
         params.update({k: v for k, v in kwargs.items() if k != 'response_mode'})  # Exclude response_mode from kwargs
         params = {k: v for k, v in params.items() if v is not None}  # clean up
@@ -476,6 +474,13 @@ def initiate_auth_code_flow(
             3. and then relay this dict and subsequent auth response to
                :func:`~obtain_token_by_auth_code_flow()`.
         """
+        if "response_mode" in kwargs:
+            import warnings
+            warnings.warn(
+                "The 'response_mode' parameter is deprecated and will be removed in a future version. "
+                "Response mode is always 'form_post' for security reasons.",
+                DeprecationWarning,
+                stacklevel=2)
         response_type = kwargs.pop("response_type", "code")  # Auth Code flow
             # Must be "code" when you are using Authorization Code Grant.
             # The "token" for Implicit Grant is not applicable thus not allowed.

tests/test_response_mode.py

@@ -1,4 +1,4 @@
-"""Tests for form_post response mode in authorization code flow"""
+"""Integration tests for form_post response mode in authorization code flow"""
 import unittest
 import warnings
 try:
@@ -7,10 +7,12 @@
     from urlparse import urlparse, parse_qs
 
 from msal.oauth2cli import Client
+from msal.oauth2cli.authcode import AuthCodeReceiver
+import requests
 
 
-class TestResponseMode(unittest.TestCase):
-    """Test response_mode parameter in authorization code flow"""
+class TestResponseModeIntegration(unittest.TestCase):
+    """Integration test for response_mode with end-to-end authentication flow"""
 
     def setUp(self):
         self.client = Client(
@@ -20,92 +22,103 @@ def setUp(self):
             },
             "test_client_id"
         )
-    
-    def test_default_response_mode_is_form_post(self):
-        """Test that response_mode defaults to form_post for security"""
-        flow = self.client.initiate_auth_code_flow(
-            scope=["openid", "profile"],
-            redirect_uri="http://localhost:8080"
-        )
-        
-        # Parse the auth_uri to check query parameters
-        parsed = urlparse(flow["auth_uri"])
-        params = parse_qs(parsed.query)
+
+    def _send_post_auth_response(self, port, **params):
+        """Helper to send POST auth response to the receiver"""
+        try:
+            from urllib.parse import urlencode
+        except ImportError:
+            from urllib import urlencode
 
-        # Verify response_mode is set to form_post
-        self.assertIn("response_mode", params)
-        self.assertEqual(params["response_mode"][0], "form_post")
+        response = requests.post(
+            "http://localhost:{}".format(port),
+            data=urlencode(params),
+            headers={"Content-Type": "application/x-www-form-urlencoded"}
+        )
+        return response
 
-    def test_explicit_query_mode_shows_security_warning(self):
-        """Test that attempting to use query mode raises a security warning"""
+    def test_query_mode_override_with_successful_post_authentication(self):
+        """
+        Comprehensive integration test: When response_mode='query' is set,
+        verify deprecation warning, override to form_post, and successful POST authentication.
+        """
+        # Part 1: Verify deprecation and override warnings
         with warnings.catch_warnings(record=True) as w:
             warnings.simplefilter("always")
             flow = self.client.initiate_auth_code_flow(
                 scope=["openid", "profile"],
                 redirect_uri="http://localhost:8080",
-                response_mode="query"
+                response_mode="query"  # Explicitly request query mode (should be overridden)
             )
 
-            # Verify a warning was raised
-            self.assertEqual(len(w), 1)
-            self.assertTrue(issubclass(w[0].category, Warning))
-            self.assertIn("security", str(w[0].message).lower())
-        
-        # Verify form_post is still enforced despite explicit query request
-        parsed = urlparse(flow["auth_uri"])
-        params = parse_qs(parsed.query)
-        self.assertEqual(params["response_mode"][0], "form_post")
-    
-    def test_explicit_fragment_mode_shows_security_warning(self):
-        """Test that attempting to use fragment mode raises a security warning"""
-        with warnings.catch_warnings(record=True) as w:
-            warnings.simplefilter("always")
-            flow = self.client.initiate_auth_code_flow(
-                scope=["openid", "profile"],
-                redirect_uri="http://localhost:8080",
-                response_mode="fragment"
-            )
+            # Verify deprecation warning
+            deprecation_warnings = [x for x in w if issubclass(x.category, DeprecationWarning)]
+            self.assertEqual(len(deprecation_warnings), 1, "Should have exactly one deprecation warning")
+            self.assertIn("deprecated", str(deprecation_warnings[0].message).lower())
 
-            # Verify a warning was raised
-            self.assertEqual(len(w), 1)
-            self.assertIn("fragment", str(w[0].message))
+            # Verify override warning
+            user_warnings = [x for x in w if issubclass(x.category, UserWarning)]
+            self.assertEqual(len(user_warnings), 1, "Should have exactly one override warning")
+            self.assertIn("overridden", str(user_warnings[0].message).lower())
 
-        # Verify form_post is still enforced
+        # Part 2: Verify form_post is enforced in auth_uri
         parsed = urlparse(flow["auth_uri"])
         params = parse_qs(parsed.query)
-        self.assertEqual(params["response_mode"][0], "form_post")
-    
-    def test_build_auth_request_params_enforces_form_post(self):
-        """Test that _build_auth_request_params enforces form_post"""
-        params = self.client._build_auth_request_params(
-            response_type="code",
-            redirect_uri="http://localhost:8080",
-            scope=["openid", "profile"],
-            state="test_state"
-        )
-        
-        # Verify response_mode is form_post
         self.assertIn("response_mode", params)
-        self.assertEqual(params["response_mode"], "form_post")
+        self.assertEqual(params["response_mode"][0], "form_post",
+                        "response_mode should be overridden to form_post")
+        
+        # Part 3: Verify actual POST authentication works (form_post flow)
+        with AuthCodeReceiver() as receiver:
+            test_code = "test_auth_code_xyz"
+            test_state = "test_state_abc"
+            
+            receiver._scheduled_actions = [(
+                1,
+                lambda: self._send_post_auth_response(
+                    receiver.get_port(),
+                    code=test_code,
+                    state=test_state
+                )
+            )]
+            
+            result = receiver.get_auth_response(
+                timeout=3,
+                state=test_state,
+                success_template="Success: Got code $code",
+            )
+            
+            # Verify the POST request succeeded
+            self.assertIsNotNone(result, "POST authentication should succeed")
+            self.assertEqual(result.get("code"), test_code,
+                           "Should receive auth code via POST (form_post)")
+            self.assertEqual(result.get("state"), test_state,
+                           "Should receive correct state via POST")
 
-    def test_build_auth_request_params_ignores_explicit_query_mode(self):
-        """Test that _build_auth_request_params ignores explicit query mode"""
-        with warnings.catch_warnings(record=True) as w:
-            warnings.simplefilter("always")
-            params = self.client._build_auth_request_params(
-                response_type="code",
-                redirect_uri="http://localhost:8080",
-                scope=["openid", "profile"],
-                state="test_state",
-                response_mode="query"
+    def test_query_mode_get_request_rejected(self):
+        """
+        Verify that GET requests with auth code are rejected when form_post is enforced.
+        """
+        with AuthCodeReceiver() as receiver:
+            test_code = "test_auth_code_via_get"
+            
+            # Try to send auth code via GET (query string)
+            try:
+                from urllib.parse import urlencode
+            except ImportError:
+                from urllib import urlencode
+            
+            response = requests.get(
+                "http://localhost:{}?{}".format(
+                    receiver.get_port(),
+                    urlencode({"code": test_code, "state": "test"})
+                )
             )
 
-            # Verify warning was raised
-            self.assertGreater(len(w), 0)
-        
-        # Verify form_post is enforced despite explicit request
-        self.assertIn("response_mode", params)
-        self.assertEqual(params["response_mode"], "form_post")
+            # Verify the GET request is rejected
+            self.assertEqual(response.status_code, 400, "GET with auth code should be rejected")
+            self.assertIn("not supported", response.text.lower(),
+                         "Error message should indicate method not supported")
 
 
 if __name__ == '__main__':