yggdrasil.http_.authorization.msal¶
msal ¶
MSAL-backed authentication helpers for requests sessions.
MSALAuth ¶
MSALAuth(
tenant_id: Optional[str] = ...,
client_id: Optional[str] = ...,
client_secret: Optional[str] = ...,
authority: Optional[str] = ...,
scopes: object = ...,
expiry_skew_seconds: int = 30,
)
Bases: Authorization
Configuration and token cache for MSAL client credential flows.
Singleton-by-config: two callers building an :class:MSALAuth with
the same (tenant_id, client_id, client_secret, authority, scopes)
receive the same instance — and therefore share one MSAL
application, one access token, one in-flight refresh. The first
refresh() pays the token round-trip; every subsequent caller on
that config reuses the cached token until it expires. Pickle
round-trips inside the same process collapse to the live singleton
via :meth:__getnewargs__; cross-process unpickle rebuilds the MSAL
handle (_auth_app) lazily on first use.
auth_app
property
¶
Lazily create MSAL client.
- If client_secret is set: ConfidentialClientApplication (app-to-app).
- Else: PublicClientApplication (interactive/device code/etc).
seconds_to_expiry
property
¶
Positive means still valid, negative means expired.
refresh ¶
Acquire/refresh token for confidential client flow.
Serialized per-instance: two callers sharing the singleton won't both hit AAD when the token expires — the second waits on the lock and re-checks the cache before deciding to mint.