Replace random.sample() with secrets.choice() for PKCE, nonce, and state generation

Copilot · bgavrilMS · Copilot · commit bd8754bb03d7 · 2026-03-19T22:16:36.000Z
Co-authored-by: bgavrilMS &lt;12273384+bgavrilMS@users.noreply.github.com&gt;
diff --git a/msal/oauth2cli/oauth2.py b/msal/oauth2cli/oauth2.py
@@ -13,7 +13,7 @@
 import base64
 import sys
 import functools
-import random
+import secrets
 import string
 import hashlib
 
@@ -278,7 +278,7 @@ def _scope_set(scope):
 def _generate_pkce_code_verifier(length=43):
     assert 43 <= length <= 128
     verifier = "".join(  # https://tools.ietf.org/html/rfc7636#section-4.1
-        random.sample(string.ascii_letters + string.digits + "-._~", length))
+        secrets.choice(string.ascii_letters + string.digits + "-._~") for _ in range(length))
     code_challenge = (
         # https://tools.ietf.org/html/rfc7636#section-4.2
         base64.urlsafe_b64encode(hashlib.sha256(verifier.encode("ascii")).digest())
@@ -488,7 +488,7 @@ def initiate_auth_code_flow(
             raise ValueError('response_type="token ..." is not allowed')
         pkce = _generate_pkce_code_verifier()
         flow = {  # These data are required by obtain_token_by_auth_code_flow()
-            "state": state or "".join(random.sample(string.ascii_letters, 16)),
+            "state": state or "".join(secrets.choice(string.ascii_letters) for _ in range(16)),
             "redirect_uri": redirect_uri,
             "scope": scope,
             }
diff --git a/msal/oauth2cli/oidc.py b/msal/oauth2cli/oidc.py
@@ -1,7 +1,7 @@
 import json
 import base64
 import time
-import random
+import secrets
 import string
 import warnings
 import hashlib
@@ -238,7 +238,7 @@ def initiate_auth_code_flow(
             # Here we just automatically add it. If the caller do not want id_token,
             # they should simply go with oauth2.Client.
             _scope.append("openid")
-        nonce = "".join(random.sample(string.ascii_letters, 16))
+        nonce = "".join(secrets.choice(string.ascii_letters) for _ in range(16))
         flow = super(Client, self).initiate_auth_code_flow(
             scope=_scope, nonce=_nonce_hash(nonce), **kwargs)
         flow["nonce"] = nonce
