From d2145b71ba040da97ea7857edf23e6cdc81fde35 Mon Sep 17 00:00:00 2001 From: Brassn <48657890+Brassn@users.noreply.github.com> Date: Tue, 20 Feb 2024 00:54:16 +0100 Subject: [PATCH] msgraph DeviceFlow selecting wrong scope (#471) * DeviceCode Flow ignores user and selects wrong scope * only require client secret on ClientSecret flow --- parsedmarc/cli.py | 17 +++++++++++------ parsedmarc/mail/graph.py | 2 -- 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/parsedmarc/cli.py b/parsedmarc/cli.py
index 3b31bd3..d08f4e8 100644
--- a/parsedmarc/cli.py
+++ b/parsedmarc/cli.py
@@ -593,6 +593,10 @@ def _main():
 logger.critical("password setting missing from the "
 "msgraph config section")
 exit(-1)
+
+ if opts.graph_auth_method == AuthMethod.DeviceCode.name:
+ if "user" in graph_config:
+ opts.graph_user = graph_config["user"]
 if opts.graph_auth_method != AuthMethod.UsernamePassword.name:
 if "tenant_id" in graph_config:
@@ -602,12 +606,13 @@ def _main():
 "msgraph config section")
 exit(-1)
- if "client_secret" in graph_config:
- opts.graph_client_secret = graph_config["client_secret"]
- else:
- logger.critical("client_secret setting missing from the "
- "msgraph config section")
- exit(-1)
+ if opts.graph_auth_method == AuthMethod.ClientSecret.name:
+ if "client_secret" in graph_config:
+ opts.graph_client_secret = graph_config["client_secret"]
+ else:
+ logger.critical("client_secret setting missing from the "
+ "msgraph config section")
+ exit(-1)
 if "client_id" in graph_config:
 opts.graph_client_id = graph_config["client_id"]
diff --git a/parsedmarc/mail/graph.py b/parsedmarc/mail/graph.py
index de565b2..f2fe299 100644
--- a/parsedmarc/mail/graph.py
+++ b/parsedmarc/mail/graph.py
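Review bot: In parsedmarc/cli.py (hunk `@@ -593,6 +593,10 @@`), a DeviceCode configuration without a `user` key passes through the new `if "user" in graph_config:` check silently, leaving `opts.graph_user` at whatever default it had. The commit message ties the wrong scope to the user being ignored, so such a configuration presumably still ends up with the scope this commit is meant to avoid, and nothing in the log says why. An `else:` branch with `logger.warning("user setting missing from the msgraph config section")` would make that visible; whether it should instead be `logger.critical` plus `exit(-1)` like the neighbouring checks depends on scope-selection code that is not in this hunk. `_main` begins and ends outside the hunk.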
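Review bot: In parsedmarc/cli.py (hunk `@@ -602,12 +606,13 @@`), a `client_secret` that is still present in the msgraph section is now ignored without notice for every flow other than ClientSecret, so an unused secret can stay on disk in the config file indefinitely. Consider a one-line notice on that path, e.g. `logger.warning("client_secret is set in the msgraph config section but is not used by this auth method")`, so operators know they can remove it. A short comment above the new condition, such as `# Only the ClientSecret flow authenticates with an app secret`, would also record why the check is flow-specific. `_main` begins and ends outside the hunk.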
@@ -50,7 +50,6 @@ def _generate_credential(auth_method: str, token_path: Path, **kwargs):
 if auth_method == AuthMethod.DeviceCode.name:
 credential = DeviceCodeCredential(
 client_id=kwargs['client_id'],
- client_secret=kwargs['client_secret'],
 disable_automatic_authentication=True,
 tenant_id=kwargs['tenant_id'],
 **_get_cache_args(
@@ -60,7 +59,6 @@ def _generate_credential(auth_method: str, token_path: Path, **kwargs):
 elif auth_method == AuthMethod.UsernamePassword.name:
 credential = UsernamePasswordCredential(
 client_id=kwargs['client_id'],
- client_credential=kwargs['client_secret'],
 disable_automatic_authentication=True,
 username=kwargs['username'],
 password=kwargs['password'],