Description
Describe the bug
`PublicClientApplication.initiate_device_flow` doesn't explicitly support `claims_challenge`:
Passing a `claims_challenge` keyword argument will include it in `**kwargs` and pass it to the HTTP client:
microsoft-authentication-library-for-python/msal/oauth2cli/oauth2.py
Lines 326 to 329 in fff9855
causing failure
```
  File "d:\cli\azure-cli\src\azure-cli-core\azure\cli\core\auth\identity.py", line 176, in login_with_device_code
    flow = self._msal_app.initiate_device_flow(scopes, claims_challenge=claims_challenge)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\cli\py312\Lib\site-packages\msal\application.py", line 2341, in initiate_device_flow
    flow = self.client.initiate_device_flow(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\cli\py312\Lib\site-packages\msal\oauth2cli\oauth2.py", line 326, in initiate_device_flow
    resp = self._http_client.post(self.configuration[DAE],
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\cli\py312\Lib\site-packages\msal\individual_cache.py", line 273, in wrapper
    value = function(*args, **kwargs)
            ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\cli\py312\Lib\site-packages\msal\individual_cache.py", line 273, in wrapper
    value = function(*args, **kwargs)
            ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\cli\py312\Lib\site-packages\msal\throttled_http_client.py", line 96, in post
    return NormalizedResponse(self.http_client.post(*args, **kwargs))
                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\cli\py312\Lib\site-packages\requests\sessions.py", line 637, in post
    return self.request("POST", url, data=data, json=json, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: Session.request() got an unexpected keyword argument 'claims_challenge'
```
`PublicClientApplication.acquire_token_by_device_flow` explicitly supports `claims_challenge`:
but if `claims_challenge` is not passed to `initiate_device_flow`, MFA process will not be triggered during login and calling `acquire_token_by_device_flow` with `claims_challenge` fails:
```
  File "d:\cli\azure-cli\src\azure-cli-core\azure\cli\core\auth\identity.py", line 186, in login_with_device_code
    return check_result(result)
           ^^^^^^^^^^^^^^^^^^^^
  File "d:\cli\azure-cli\src\azure-cli-core\azure\cli\core\auth\util.py", line 134, in check_result
    aad_error_handler(result, **kwargs)
  File "d:\cli\azure-cli\src\azure-cli-core\azure\cli\core\auth\util.py", line 53, in aad_error_handler
    raise AuthenticationError(error_description, msal_error=error, recommendation=recommendation)
azure.cli.core.azclierror.AuthenticationError: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'. Trace ID: 9416cbef-6f2f-4bba-b99f-e41722113e00 Correlation ID: d657b456-40d3-4d39-ae98-4d2927752bb8 Timestamp: 2025-06-24 07:56:44Z
```
Expected behavior
Claims challenge should work in device code flow.
What you see instead
Claims challenge does not work in device code flow.
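
The `**kwargs` pass-through described in this report can be reproduced without MSAL or a network. The following is an added example, not code from MSAL or Azure CLI: `StubSession`, `initiate_leaky`, `initiate_explicit`, `names_parameter` and `outcome` are hypothetical names, the URL and claims string are constructed, and sending the challenge as a `claims` form field is an assumption.

```python
import inspect

class StubSession:
    """Stand-in for an HTTP client whose post() forwards **kwargs to request()."""
    def request(self, method, url, data=None, headers=None, timeout=None):
        return {"method": method, "url": url, "data": data}

    def post(self, url, data=None, **kwargs):
        return self.request("POST", url, data=data, **kwargs)

def initiate_leaky(http, url, scope, **kwargs):
    # Pattern from the report: any keyword the function does not name
    # rides along in **kwargs and reaches the HTTP client untouched.
    return http.post(url, data={"scope": scope}, **kwargs)

def initiate_explicit(http, url, scope, claims_challenge=None, **kwargs):
    # Assumption: the challenge is sent as a "claims" form field.
    data = {"scope": scope}
    if claims_challenge:
        data["claims"] = claims_challenge
    return http.post(url, data=data, **kwargs)

def names_parameter(func, name):
    """True only if func declares `name` itself; a bare **kwargs does not count."""
    param = inspect.signature(func).parameters.get(name)
    return param is not None and param.kind in (
        inspect.Parameter.POSITIONAL_OR_KEYWORD, inspect.Parameter.KEYWORD_ONLY)

def outcome(func, **kwargs):
    """Call func against the stub; return the posted form data or the exception name."""
    try:
        return func(StubSession(), URL, "scope1", **kwargs)["data"]
    except TypeError as exc:
        return type(exc).__name__

URL = "https://login.example.invalid/devicecode"   # placeholder endpoint
CLAIMS = '{"access_token": {"acrs": {"essential": true, "value": "c1"}}}'  # constructed

if __name__ == "__main__":
    for f in (initiate_leaky, initiate_explicit):
        print(f.__name__, names_parameter(f, "claims_challenge"),
              outcome(f, claims_challenge=CLAIMS))
```

A caller that must run against several library versions can use a check like `names_parameter` on the installed method before passing `claims_challenge`, since a function that only accepts it through `**kwargs` will not reject it until the HTTP layer does.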