msgraph DeviceFlow selecting wrong scope (#471)

* DeviceCode Flow ignores user and selects wrong scope * only require client secret on ClientSecret flow
2026-03-10 00:31:27 +00:00 · 2024-02-20 00:54:16 +01:00
parent d512b9f60e
commit d2145b71ba
2 changed files with 11 additions and 8 deletions
--- a/parsedmarc/cli.py
+++ b/parsedmarc/cli.py
@@ -593,6 +593,10 @@ def _main():
                    logger.critical("password setting missing from the "
                                    "msgraph config section")
                    exit(-1)
+            
+            if opts.graph_auth_method == AuthMethod.DeviceCode.name:
+                if "user" in graph_config:
+                        opts.graph_user = graph_config["user"]

            if opts.graph_auth_method != AuthMethod.UsernamePassword.name:
                if "tenant_id" in graph_config:
@@ -602,12 +606,13 @@ def _main():
                                    "msgraph config section")
                    exit(-1)

-            if "client_secret" in graph_config:
-                opts.graph_client_secret = graph_config["client_secret"]
-            else:
-                logger.critical("client_secret setting missing from the "
-                                "msgraph config section")
-                exit(-1)
+            if opts.graph_auth_method == AuthMethod.ClientSecret.name:
+                if "client_secret" in graph_config:
+                    opts.graph_client_secret = graph_config["client_secret"]
+                else:
+                    logger.critical("client_secret setting missing from the "
+                                    "msgraph config section")
+                    exit(-1)

            if "client_id" in graph_config:
                opts.graph_client_id = graph_config["client_id"]
--- a/parsedmarc/mail/graph.py
+++ b/parsedmarc/mail/graph.py
@@ -50,7 +50,6 @@ def _generate_credential(auth_method: str, token_path: Path, **kwargs):
    if auth_method == AuthMethod.DeviceCode.name:
        credential = DeviceCodeCredential(
            client_id=kwargs['client_id'],
-            client_secret=kwargs['client_secret'],
            disable_automatic_authentication=True,
            tenant_id=kwargs['tenant_id'],
            **_get_cache_args(
@@ -60,7 +59,6 @@ def _generate_credential(auth_method: str, token_path: Path, **kwargs):
    elif auth_method == AuthMethod.UsernamePassword.name:
        credential = UsernamePasswordCredential(
            client_id=kwargs['client_id'],
-            client_credential=kwargs['client_secret'],
            disable_automatic_authentication=True,
            username=kwargs['username'],
            password=kwargs['password'],