Change ATTEMPT_REGION_DISCOVERY to boolean, to facilitate the runtime opt-in/opt-out

Author: rayluo

msal/application.py

@@ -109,7 +109,7 @@ class ClientApplication(object):
     GET_ACCOUNTS_ID = "902"
     REMOVE_ACCOUNT_ID = "903"
 
-    ATTEMPT_REGION_DISCOVERY = "TryAutoDetect"
+    ATTEMPT_REGION_DISCOVERY = True  # "TryAutoDetect"
 
     def __init__(
             self, client_id,
@@ -242,7 +242,8 @@ def __init__(
                (However MSAL Python does not support managed identity,
                so this one does not apply.)
 
-            3. An app authenticated by Subject Name/Issuer (SNI).
+            3. An app authenticated by
+               `Subject Name/Issuer (SNI) <https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/60>`_.
 
             4. An app which already onboard to the region's allow-list.
 
@@ -258,10 +259,22 @@ def __init__(
 
             An app running inside Azure Functions and Azure VM can use a special keyword
             ``ClientApplication.ATTEMPT_REGION_DISCOVERY`` to auto-detect region.
-            (Attempting this on a non-VM could hang indefinitely.
-            Make sure you configure a short timeout,
-            or provide a custom http_client which has a short timeout.
-            That way, the latency would be under your control.)
+
+            .. note::
+
+                Setting ``azure_region`` to non-``None`` for an app running
+                outside of Azure Function/VM could hang indefinitely.
+
+                You should consider opting in/out region behavior on-demand,
+                by loading ``azure_region=None`` or ``azure_region="westus"``
+                or ``azure_region=True`` (which means opt-in and auto-detect)
+                from your per-deployment configuration, and then do
+                ``app = ConfidentialClientApplication(..., azure_region=azure_region)``.
+
+                Alternatively, you can configure a short timeout,
+                or provide a custom http_client which has a short timeout.
+                That way, the latency would be under your control,
+                but still less performant than opting out of region feature.
         """
         self.client_id = client_id
         self.client_credential = client_credential

msal/region.py

@@ -29,7 +29,12 @@ def _detect_region_of_azure_vm(http_client):
         )
     logger.info(
         "Connecting to IMDS {}. "
-        "You may want to use a shorter timeout on your http_client".format(url))
+        "It may take a while if you are running outside of Azure. "
+        "You should consider opting in/out region behavior on-demand, "
+        'by loading a boolean flag "is_deployed_in_azure" '
+        'from your per-deployment config and then do '
+        '"app = ConfidentialClientApplication(..., '
+        'azure_region=is_deployed_in_azure)"'.format(url))
     try:
         # https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=linux#instance-metadata
         resp = http_client.get(url, headers={"Metadata": "true"})

tests/test_e2e.py

@@ -750,15 +750,13 @@ class WorldWideRegionalEndpointTestCase(LabBasedTestCase):
     def test_acquire_token_for_client_should_hit_regional_endpoint(self):
         """This is the only grant supported by regional endpoint, for now"""
         self.app = get_lab_app(  # Regional endpoint only supports confidential client
-            ## Would fail the OIDC Discovery
-            #authority="https://westus2.login.microsoftonline.com/"
-            #    "72f988bf-86f1-41af-91ab-2d7cd011db47",  # Microsoft tenant ID
 
+            ## FWIW, the MSAL<1.12 versions could use this to achieve similar result
             #authority="https://westus.login.microsoft.com/microsoft.onmicrosoft.com",
             #validate_authority=False,
-
             authority="https://login.microsoftonline.com/microsoft.onmicrosoft.com",
             azure_region=self.region,  # Explicitly use this region, regardless of detection
+
             timeout=2,  # Short timeout makes this test case responsive on non-VM
             )
         scopes = ["https://graph.microsoft.com/.default"]