Skip to content

yggdrasil.http_.authorization.msal

msal

MSAL-backed authentication helpers for requests sessions.

MSALAuth

MSALAuth(
    tenant_id: Optional[str] = ...,
    client_id: Optional[str] = ...,
    client_secret: Optional[str] = ...,
    authority: Optional[str] = ...,
    scopes: object = ...,
    expiry_skew_seconds: int = 30,
)

Bases: Authorization

Configuration and token cache for MSAL client credential flows.

Singleton-by-config: two callers building an :class:MSALAuth with the same (tenant_id, client_id, client_secret, authority, scopes) receive the same instance — and therefore share one MSAL application, one access token, one in-flight refresh. The first refresh() pays the token round-trip; every subsequent caller on that config reuses the cached token until it expires. Pickle round-trips inside the same process collapse to the live singleton via :meth:__getnewargs__; cross-process unpickle rebuilds the MSAL handle (_auth_app) lazily on first use.

auth_app property

auth_app: ConfidentialClientApplication | PublicClientApplication

Lazily create MSAL client.

  • If client_secret is set: ConfidentialClientApplication (app-to-app).
  • Else: PublicClientApplication (interactive/device code/etc).

seconds_to_expiry property

seconds_to_expiry: float

Positive means still valid, negative means expired.

scope property writable

scope: str | None

Scopes as a space-joined string (or None).

refresh

refresh(force: bool = False) -> 'MSALAuth'

Acquire/refresh token for confidential client flow.

Serialized per-instance: two callers sharing the singleton won't both hit AAD when the token expires — the second waits on the lock and re-checks the cache before deciding to mint.