diff --git a/msal/oauth2cli/oauth2.py b/msal/oauth2cli/oauth2.py
index 680c1bc5..7e2adad8 100644
--- a/msal/oauth2cli/oauth2.py
+++ b/msal/oauth2cli/oauth2.py
@@ -13,7 +13,7 @@
 import base64
 import sys
 import functools
-import random
+import secrets
 import string
 import hashlib
@@ -278,7 +278,7 @@ def _scope_set(scope):
 def _generate_pkce_code_verifier(length=43):
 assert 43 <= length <= 128
 verifier = "".join( # https://tools.ietf.org/html/rfc7636#section-4.1
- random.sample(string.ascii_letters + string.digits + "-._~", length))
+ secrets.choice(string.ascii_letters + string.digits + "-._~") for _ in range(length))
 code_challenge = ( # https://tools.ietf.org/html/rfc7636#section-4.2
 base64.urlsafe_b64encode(hashlib.sha256(verifier.encode("ascii")).digest())
@@ -488,7 +488,7 @@ def initiate_auth_code_flow(
 raise ValueError('response_type="token ..." is not allowed')
 pkce = _generate_pkce_code_verifier()
 flow = { # These data are required by obtain_token_by_auth_code_flow()
- "state": state or "".join(random.sample(string.ascii_letters, 16)),
+ "state": state or "".join(secrets.choice(string.ascii_letters) for _ in range(16)),
 "redirect_uri": redirect_uri,
 "scope": scope,
 }
diff --git a/msal/oauth2cli/oidc.py b/msal/oauth2cli/oidc.py
index 01ee7894..1577c81a 100644
--- a/msal/oauth2cli/oidc.py
+++ b/msal/oauth2cli/oidc.py
@@ -1,7 +1,7 @@
 import json
 import base64
 import time
-import random
+import secrets
 import string
 import warnings
 import hashlib
@@ -238,7 +238,7 @@ def initiate_auth_code_flow(
 # Here we just automatically add it. If the caller do not want id_token,
 # they should simply go with oauth2.Client.
 _scope.append("openid")
- nonce = "".join(random.sample(string.ascii_letters, 16))
+ nonce = "".join(secrets.choice(string.ascii_letters) for _ in range(16))
 flow = super(Client, self).initiate_auth_code_flow(
 scope=_scope, nonce=_nonce_hash(nonce), **kwargs)
 flow["nonce"] = nonce
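Review bot: The alphabet `string.ascii_letters + string.digits + "-._~"` is re-concatenated on every iteration of the generator on the `+` line in the `_generate_pkce_code_verifier` hunk, because the concatenation sits inside the argument that `for _ in range(length)` re-evaluates; hoisting it to a module constant such as `_PKCE_UNRESERVED = string.ascii_letters + string.digits + "-._~"` and writing `secrets.choice(_PKCE_UNRESERVED) for _ in range(length)` reads better and keeps the RFC 7636 section 4.1 character set in one named place. The switch from `random.sample` (no CSPRNG, and no repeated characters) to `secrets.choice` with replacement is the right move for a code verifier. The length guard `assert 43 <= length <= 128` on the context line above is stripped under `python -O`, so an out-of-range `length` would then silently produce a non-compliant verifier; `if not 43 <= length <= 128: raise ValueError("length must be 43..128")` would hold regardless of optimisation flags, though that guard predates this commit. The body of _generate_pkce_code_verifier continues past the end of the hunk.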
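Review bot: The expression `"".join(secrets.choice(string.ascii_letters) for _ in range(16))` on the `+` line of the `initiate_auth_code_flow` hunk in oauth2.py is duplicated verbatim for `nonce` in the oidc.py hunk, and both are near-copies of the verifier generator earlier in this file; a single helper in oauth2.py, e.g. `def _random_string(length, alphabet=string.ascii_letters): return "".join(secrets.choice(alphabet) for _ in range(length))`, would keep the entropy source in one place and may let oidc.py drop its own `secrets` import if that is its only use. Sixteen characters from a 52-letter alphabet is roughly 91 bits, which is adequate for a CSRF `state` value and an OIDC `nonce`; `secrets.token_urlsafe(16)` would give a URL-safe token of comparable length with more entropy and no hand-rolled sampling, provided nothing downstream relies on the letters-only format. Both enclosing functions start before their hunks.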