Use secrets.choice() instead of random.sample() for PKCE, nonce, and state generation

[Copilot]

random.sample() uses a deterministic PRNG unsuitable for security-sensitive values. PKCE code verifiers, OAuth state parameters, and OIDC nonces require cryptographically strong randomness.

Changes

• msal/oauth2cli/oauth2.py: Replace import random with import secrets; update PKCE code verifier and OAuth state generation
• msal/oauth2cli/oidc.py: Replace import random with import secrets; update nonce generation

# Before
verifier = "".join(random.sample(string.ascii_letters + string.digits + "-._~", length))
"state": state or "".join(random.sample(string.ascii_letters, 16))
nonce = "".join(random.sample(string.ascii_letters, 16))

# After
verifier = "".join(secrets.choice(string.ascii_letters + string.digits + "-._~") for _ in range(length))
"state": state or "".join(secrets.choice(string.ascii_letters) for _ in range(16))
nonce = "".join(secrets.choice(string.ascii_letters) for _ in range(16))

Note: random.sample() also samples without replacement, artificially constraining the output space. secrets.choice() allows repeated characters, increasing entropy for the same output length.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• login.microsoftonline.com
  • Triggering command: /usr/bin/python python -m pytest tests/ -x -q --ignore=tests/test_e2e.py --ignore=tests/test_benchmark.py --ignore=tests/test_e2e_manual.py (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Feature] Improve Random generator</issue_title>
<issue_description>Improve the random generator - random.sample() function to secrets.choice() to provide more randomness

</issue_description>

<agent_instructions>Look at PKCE, nonce and state generation.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes [Feature] Improve Random generator #888

---

📱 Kick off Copilot coding agent tasks wherever you are with GitHub Mobile, available on iOS and Android.

[Copilot]

Pull request overview

This PR improves the security of OAuth/OIDC ephemeral value generation by switching from random.sample() (deterministic PRNG and no-replacement sampling) to secrets.choice() for PKCE code verifiers, OAuth state, and OIDC nonces.

Changes:

• Update PKCE code verifier generation to use secrets.choice() per character (supports full RFC7636 length range without no-replacement constraints).
• Update OAuth state generation to use secrets.choice().
• Update OIDC nonce generation to use secrets.choice().

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
msal/oauth2cli/oauth2.py	Uses secrets.choice() for PKCE verifier and OAuth state generation, removing reliance on random.sample().
msal/oauth2cli/oidc.py	Uses secrets.choice() for OIDC nonce generation, removing reliance on random.sample().

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[bgavrilMS]

@copilot resolve the merge conflicts in this pull request

[bgavrilMS]

@copilot resolve the merge conflicts in this pull request

[Copilot]

@copilot resolve the merge conflicts in this pull request

Merged main into the branch to resolve conflicts (commit fbfa160). The only conflict was .travis.yml (present in main but not in this branch), which was resolved by keeping the version from main. The secrets.choice() security changes remain intact.

[Copilot]

@copilot resolve the merge conflicts in this pull request

The merge conflicts were already resolved in commit fbfa160. The branch is up to date with main — no remaining conflicts.

[bgavrilMS]

@copilot - the branch still has conficts and now shows 53 commits!!! Can you revert the last changes and try to do a rebase instead.

[Copilot]

@copilot - the branch still has conficts and now shows 53 commits!!! Can you revert the last changes and try to do a rebase instead.

I've rebased the branch cleanly to a single commit on top of the current main (2 files, 5 lines changed — only the secrets.choice() fixes). However, the push tool available to me only does regular (non-force) pushes, so it cannot overwrite the existing merge commit on the remote.

To apply the clean state, please run these commands:

git fetch origin
git checkout copilot/improve-random-generator
git reset --hard origin/main
# Apply the 3 security changes:
sed -i 's/^import random$/import secrets/' msal/oauth2cli/oauth2.py
sed -i 's/^import random$/import secrets/' msal/oauth2cli/oidc.py
# In msal/oauth2cli/oauth2.py line ~278: replace random.sample(...) with secrets.choice(...) for _ in range(length)
# In msal/oauth2cli/oauth2.py line ~476: replace random.sample(string.ascii_letters, 16) with secrets.choice(...) for _ in range(16)
# In msal/oauth2cli/oidc.py line ~241: replace random.sample(string.ascii_letters, 16) with secrets.choice(...) for _ in range(16)
git commit -am "Replace random.sample() with secrets.choice() for PKCE, nonce, and state generation"
git push --force-with-lease origin copilot/improve-random-generator

Alternatively, the full diff is exactly what's shown in the PR description — only msal/oauth2cli/oauth2.py and msal/oauth2cli/oidc.py need the 5-line change. The current branch content (code-wise) is already correct; it's only the branch history that needs cleanup via force push.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.