{Core} Only apply allow_broker to PublicClientApplication (Azure#…

…26482)
BandaruDheeraj · Nov 3, 2023 · 89c25cb · 89c25cb
1 parent adb019d
commit 89c25cb
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/src/azure-cli-core/azure/cli/core/auth/identity.py b/src/azure-cli-core/azure/cli/core/auth/identity.py
@@ -85,7 +85,7 @@ def __init__(self, authority, tenant_id=None, client_id=None, encrypt=False, use
 
     @property
     def _msal_app_kwargs(self):
-        """kwargs for creating UserCredential or ServicePrincipalCredential.
+        """kwargs for creating ClientApplication (including its subclass ConfidentialClientApplication).
         MSAL token cache and HTTP cache are lazily created.
         """
         if not Identity._msal_token_cache:
@@ -98,18 +98,23 @@ def _msal_app_kwargs(self):
             "authority": self._msal_authority,
             "token_cache": Identity._msal_token_cache,
             "http_cache": Identity._msal_http_cache,
-            "allow_broker": self._allow_broker,
             # CP1 means we can handle claims challenges (CAE)
             "client_capabilities": None if "AZURE_IDENTITY_DISABLE_CP1" in os.environ else ["CP1"]
         }
 
+    @property
+    def _msal_public_app_kwargs(self):
+        """kwargs for creating PublicClientApplication."""
+        # allow_broker can only be used on PublicClientApplication.
+        return {**self._msal_app_kwargs, "allow_broker": self._allow_broker}
+
     @property
     def _msal_app(self):
         """A PublicClientApplication instance for user login/logout.
         The instance is lazily created.
         """
         if not self._msal_app_instance:
-            self._msal_app_instance = PublicClientApplication(self.client_id, **self._msal_app_kwargs)
+            self._msal_app_instance = PublicClientApplication(self.client_id, **self._msal_public_app_kwargs)
         return self._msal_app_instance
 
     def _load_msal_token_cache(self):
@@ -222,7 +227,7 @@ def get_user(self, user=None):
         return accounts
 
     def get_user_credential(self, username):
-        return UserCredential(self.client_id, username, **self._msal_app_kwargs)
+        return UserCredential(self.client_id, username, **self._msal_public_app_kwargs)
 
     def get_service_principal_credential(self, client_id):
         entry = self._service_principal_store.load_entry(client_id, self.tenant_id)