Support ISO8601-ish formats for expires_on in Managed Identity
#900
+55
−4
Azure Pipelines / AzureAD.microsoft-authentication-library-for-python (2708)
failed
Apr 11, 2026 in 4m 35s
Build #20260411.2 had test failures
Details
- Failed: 36 (0.81%)
- Passed: 4,050 (91.34%)
- Other: 348 (7.85%)
- Total: 4,434
Annotations
Check failure on line 514 in Build log
azure-pipelines / AzureAD.microsoft-authentication-library-for-python (2708)
Build log #L514
3 test(s) failed, 369 test(s) collected.
Check failure on line 776 in Build log
azure-pipelines / AzureAD.microsoft-authentication-library-for-python (2708)
Build log #L776
Bash exited with code '1'.
Check failure on line 19 in Build log
azure-pipelines / AzureAD.microsoft-authentication-library-for-python (2708)
Build log #L19
There are one or more test failures detected in result files. Detailed summary of published test results can be viewed in the Tests tab.
Check failure on line 514 in Build log
azure-pipelines / AzureAD.microsoft-authentication-library-for-python (2708)
Build log #L514
3 test(s) failed, 369 test(s) collected.
azure-pipelines / AzureAD.microsoft-authentication-library-for-python (2708)
tests/test_e2e.py::WorldWideRegionalEndpointTestCase::test_cca_obo_should_bypass_regional_endpoint_therefore_still_work
self = <tests.test_e2e.WorldWideRegionalEndpointTestCase testMethod=test_cca_obo_should_bypass_regional_endpoint_therefore_still_work>
def test_cca_obo_should_bypass_regional_endpoint_therefore_still_work(self):
"""We test OBO because it is implemented in sub class ConfidentialClientApplication.
Regional endpoint does not directly support OBO, but MSAL should automatically
bypass regional endpoint for OBO calls.
"""
user = get_user_config(UserSecrets.PUBLIC_CLOUD)
password = get_user_password(user)
web_api_app = get_app_config(AppSecrets.WEB_API_CLIENT)
# Step 1: PCA gets token for user to access the WebAPI
config_pca = {
"authority": "https://login.microsoftonline.com/organizations",
"client_id": web_api_app.app_id,
"username": user.upn,
"password": password,
"scope": ["api://%s/access_as_user" % web_api_app.app_id],
}
# Step 2: WebAPI (CCA) exchanges the token via OBO for Graph access
config_cca = {
"authority": user.authority,
"client_id": web_api_app.app_id,
"client_secret": get_secret(web_api_app.client_secret, vault="msal_team"),
"scope": ["https://graph.microsoft.com/.default"],
"username": user.upn,
}
> self._test_acquire_token_obo(
config_pca, config_cca,
azure_region=self.region,
http_client=MinimalHttpClient(timeout=self.timeout),
)
tests/test_e2e.py:1266:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
tests/test_e2e.py:624: in _test_acquire_token_obo
self.assertIsNotNone(assertion, "First app failed to get AT. {}".format(
E AssertionError: unexpectedly None : First app failed to get AT. {
E "error": "invalid_grant",
E "error_description": "AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '23c64cd8-21e4-41dd-9756-ab9e2c23f58c'. Trace ID: 758ba65e-0117-4d96-a11c-0857078b3a00 Correlation ID: 98392c62-06aa-4b88-ab72-c8b30cde847e Timestamp: 2026-04-11 19:42:56Z",
E "error_codes": [
E 50079
E ],
E "timestamp": "2026-04-11 19:42:56Z",
E "trace_id": "758ba65e-0117-4d96-a11c-0857078b3a00",
E "correlation_id": "98392c62-06aa-4b88-ab72-c8b30cde847e",
E "error_uri": "https://login.microsoftonline.com/error?code=50079",
E "suberror": "basic_action"
E }Raw output
/opt/hostedtoolcache/Python/3.10.20/x64/lib/python3.10/unittest/case.py:675: AssertionError: unexpectedly None : First app failed to get AT. {
Check failure on line 1 in tests/test_e2e_manual.py::WorldWideTestCase::test_acquire_token_obo
azure-pipelines / AzureAD.microsoft-authentication-library-for-python (2708)
tests/test_e2e_manual.py::WorldWideTestCase::test_acquire_token_obo
self = <tests.test_e2e.WorldWideTestCase testMethod=test_acquire_token_obo>
def test_acquire_token_obo(self):
"""Test On-Behalf-Of flow.
Flow:
1. PCA acquires token for user to access the WebAPI (scope: api://<app_id>/access_as_user)
2. WebAPI (CCA) uses that token as assertion to get token for downstream service (Graph)
"""
user = get_user_config(UserSecrets.PUBLIC_CLOUD)
password = get_user_password(user)
web_api_app = get_app_config(AppSecrets.WEB_API_CLIENT)
# Step 1: PCA gets token for user to access the WebAPI
# Note: Java test uses "organizations" authority for PCA
config_pca = {
"authority": "https://login.microsoftonline.com/organizations",
"client_id": web_api_app.app_id,
"username": user.upn,
"password": password,
"scope": ["api://%s/access_as_user" % web_api_app.app_id],
}
# Step 2: WebAPI (CCA) exchanges the token via OBO for Graph access
# Note: web_api_app.client_secret contains the Key Vault secret name,
# which we pass to get_secret() to retrieve the actual secret value.
config_cca = {
"authority": user.authority, # Tenant-specific authority
"client_id": web_api_app.app_id,
"client_secret": get_secret(web_api_app.client_secret, vault="msal_team"),
"scope": ["https://graph.microsoft.com/.default"],
"username": user.upn,
}
> self._test_acquire_token_obo(config_pca, config_cca)
tests/test_e2e.py:933:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
tests/test_e2e.py:624: in _test_acquire_token_obo
self.assertIsNotNone(assertion, "First app failed to get AT. {}".format(
E AssertionError: unexpectedly None : First app failed to get AT. {
E "error": "invalid_grant",
E "error_description": "AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '23c64cd8-21e4-41dd-9756-ab9e2c23f58c'. Trace ID: 0e49ca13-4b75-4dcd-9a6a-2d67cafc2600 Correlation ID: ada56675-ea5d-445c-b721-587579e31e36 Timestamp: 2026-04-11 19:43:02Z",
E "error_codes": [
E 50079
E ],
E "timestamp": "2026-04-11 19:43:02Z",
E "trace_id": "0e49ca13-4b75-4dcd-9a6a-2d67cafc2600",
E "correlation_id": "ada56675-ea5d-445c-b721-587579e31e36",
E "error_uri": "https://login.microsoftonline.com/error?code=50079",
E "suberror": "basic_action"
E }Raw output
/opt/hostedtoolcache/Python/3.10.20/x64/lib/python3.10/unittest/case.py:675: AssertionError: unexpectedly None : First app failed to get AT. {
Check failure on line 1 in test_acquire_token_obo
azure-pipelines / AzureAD.microsoft-authentication-library-for-python (2708)
test_acquire_token_obo
AssertionError: unexpectedly None : First app failed to get AT. {
"error": "invalid_grant",
"error_description": "AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '23c64cd8-21e4-41dd-9756-ab9e2c23f58c'. Trace ID: 064d7889-f5ad-48dc-b161-831255a44700 Correlation ID: 57137692-9262-48df-8f14-e30fa4ab8ce2 Timestamp: 2026-04-11 19:42:38Z",
"error_codes": [
50079
],
"timestamp": "2026-04-11 19:42:38Z",
"trace_id": "064d7889-f5ad-48dc-b161-831255a44700",
"correlation_id": "57137692-9262-48df-8f14-e30fa4ab8ce2",
"error_uri": "https://login.microsoftonline.com/error?code=50079",
"suberror": "basic_action"
}Raw output
self = <tests.test_e2e.WorldWideTestCase testMethod=test_acquire_token_obo>
def test_acquire_token_obo(self):
"""Test On-Behalf-Of flow.
Flow:
1. PCA acquires token for user to access the WebAPI (scope: api://<app_id>/access_as_user)
2. WebAPI (CCA) uses that token as assertion to get token for downstream service (Graph)
"""
user = get_user_config(UserSecrets.PUBLIC_CLOUD)
password = get_user_password(user)
web_api_app = get_app_config(AppSecrets.WEB_API_CLIENT)
# Step 1: PCA gets token for user to access the WebAPI
# Note: Java test uses "organizations" authority for PCA
config_pca = {
"authority": "https://login.microsoftonline.com/organizations",
"client_id": web_api_app.app_id,
"username": user.upn,
"password": password,
"scope": ["api://%s/access_as_user" % web_api_app.app_id],
}
# Step 2: WebAPI (CCA) exchanges the token via OBO for Graph access
# Note: web_api_app.client_secret contains the Key Vault secret name,
# which we pass to get_secret() to retrieve the actual secret value.
config_cca = {
"authority": user.authority, # Tenant-specific authority
"client_id": web_api_app.app_id,
"client_secret": get_secret(web_api_app.client_secret, vault="msal_team"),
"scope": ["https://graph.microsoft.com/.default"],
"username": user.upn,
}
> self._test_acquire_token_obo(config_pca, config_cca)
tests/test_e2e.py:933:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
tests/test_e2e.py:624: in _test_acquire_token_obo
self.assertIsNotNone(assertion, "First app failed to get AT. {}".format(
E AssertionError: unexpectedly None : First app failed to get AT. {
E "error": "invalid_grant",
E "error_description": "AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '23c64cd8-21e4-41dd-9756-ab9e2c23f58c'. Trace ID: 064d7889-f5ad-48dc-b161-831255a44700 Correlation ID: 57137692-9262-48df-8f14-e30fa4ab8ce2 Timestamp: 2026-04-11 19:42:38Z",
E "error_codes": [
E 50079
E ],
E "timestamp": "2026-04-11 19:42:38Z",
E "trace_id": "064d7889-f5ad-48dc-b161-831255a44700",
E "correlation_id": "57137692-9262-48df-8f14-e30fa4ab8ce2",
E "error_uri": "https://login.microsoftonline.com/error?code=50079",
E "suberror": "basic_action"
E }
Check failure on line 1 in tests/test_e2e.py::WorldWideTestCase::test_acquire_token_obo
azure-pipelines / AzureAD.microsoft-authentication-library-for-python (2708)
tests/test_e2e.py::WorldWideTestCase::test_acquire_token_obo
self = <tests.test_e2e.WorldWideTestCase testMethod=test_acquire_token_obo>
def test_acquire_token_obo(self):
"""Test On-Behalf-Of flow.
Flow:
1. PCA acquires token for user to access the WebAPI (scope: api://<app_id>/access_as_user)
2. WebAPI (CCA) uses that token as assertion to get token for downstream service (Graph)
"""
user = get_user_config(UserSecrets.PUBLIC_CLOUD)
password = get_user_password(user)
web_api_app = get_app_config(AppSecrets.WEB_API_CLIENT)
# Step 1: PCA gets token for user to access the WebAPI
# Note: Java test uses "organizations" authority for PCA
config_pca = {
"authority": "https://login.microsoftonline.com/organizations",
"client_id": web_api_app.app_id,
"username": user.upn,
"password": password,
"scope": ["api://%s/access_as_user" % web_api_app.app_id],
}
# Step 2: WebAPI (CCA) exchanges the token via OBO for Graph access
# Note: web_api_app.client_secret contains the Key Vault secret name,
# which we pass to get_secret() to retrieve the actual secret value.
config_cca = {
"authority": user.authority, # Tenant-specific authority
"client_id": web_api_app.app_id,
"client_secret": get_secret(web_api_app.client_secret, vault="msal_team"),
"scope": ["https://graph.microsoft.com/.default"],
"username": user.upn,
}
> self._test_acquire_token_obo(config_pca, config_cca)
tests/test_e2e.py:933:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
tests/test_e2e.py:624: in _test_acquire_token_obo
self.assertIsNotNone(assertion, "First app failed to get AT. {}".format(
E AssertionError: unexpectedly None : First app failed to get AT. {
E "error": "invalid_grant",
E "error_description": "AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '23c64cd8-21e4-41dd-9756-ab9e2c23f58c'. Trace ID: 064d7889-f5ad-48dc-b161-831255a44700 Correlation ID: 57137692-9262-48df-8f14-e30fa4ab8ce2 Timestamp: 2026-04-11 19:42:38Z",
E "error_codes": [
E 50079
E ],
E "timestamp": "2026-04-11 19:42:38Z",
E "trace_id": "064d7889-f5ad-48dc-b161-831255a44700",
E "correlation_id": "57137692-9262-48df-8f14-e30fa4ab8ce2",
E "error_uri": "https://login.microsoftonline.com/error?code=50079",
E "suberror": "basic_action"
E }Raw output
/opt/hostedtoolcache/Python/3.10.20/x64/lib/python3.10/unittest/case.py:675: AssertionError: unexpectedly None : First app failed to get AT. {
Loading