🎠Extract Microsoft OAuth tokens using Playwright browser automation.
To install msauth-browser, you can use pip, pip3 or pipx. Either from pypi repository or from GitHub source. Prefer using pipx, since it install Python applications in isolated virtual environments.
From PyPI
pipx install msauth-browserpip install msauth-browserpip install "git+https://github.com/n3rada/msauth-browser"pipx install "git+https://github.com/n3rada/msauth-browser"Ensure chromium playwright browser is available:
playwright install chromiumIf installed with pipx:
- Windows PowerShell
$env:NODE_TLS_REJECT_UNAUTHORIZED = "0"
& "$env:USERPROFILE\pipx\venvs\msauth-browser\Scripts\playwright.exe" install chromiummsauth-browser--prt-cookie <JWT>: Use anx-ms-RefreshTokenCredentialPRT cookie for SSO-based login.--headless: Run Playwright in headless mode.
msauth-browser --headless --prt-cookie "<x-ms-RefreshTokenCredential>"The PRT cookie is officially x-ms-RefreshTokenCredential and it is a JSON Web Token (JWT). The actual Primary Refresh Token (PRT) is encapsulated within the refresh_token, which is encrypted by a key under the control of Entra ID, rendering its contents opaque.
It can be used as a cookie wired to login.microsoftonline.com domain in order to use-it to authenticate to the service while skiping credential prompts.
Microsoft first-party apps have hardcoded, pre-approved scopes.
You cannot simply add ChannelMessage.Read.All to the scope parameter of the Teams application, the request will fail.
Why not microsoft-authentication-library-for-python (MSAL)?
One major limitation is that it requires localhost redirect URIs.
It also does not support integrating PRT cookies.
- Drop a JSON file into
msauth_browser/configs/. - Provide the required fields:
nameclient_idredirect_uridefault_scopes(array of scopes) — optional; if omitted or empty, the tool defaults toopenidandoffline_access.
- Optionally include a
slugfield; otherwise the filename (without extension) becomes the lookup key.