You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MSAL Python has long been supporting "Subject Name / Issuer authentication" (defined here https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/60) with this API:
Recently, MSAL team's lab infrastructure requires "Subject Name / Issuer authentication" (defined here https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/60), otherwise the test automation will fail.
So, this PR adds SNI to the pfx code path, using this API.
ConfidentialClientApplication("client_id", client_credential={
"public_certificate": True, # The cert will be read from .pfx"private_key_pfx_path": "/path/to/cert.pfx",
}, ...)
All the other MSALs use the naming x5c or sendX5C. The name "public certificate" is difficult to understand, especially as it is a "bool".
I get that it's for consistency with the other API.
The x5c is an overly shortened naming style only observed in JWT, which is exotic to people who are unfamiliar with JWT or OAuth2; MSAL shall ideally abstract those details away from app developer.
By definition, the x5c is a container that "... contains the X.509 public key certificate ...", so, public_certificate sounds about right. Conceptually, it also feels logical that "if you want eSTS to authenticate your app based on your public cert's subject name & issuer, then please provide that public cert"; that is better than "if you want ..., use param x5c even though you don't know whether x5c means a drone".
That being said, given that x5c is used on multiple MSALs, it probably won't harm if MSAL Python also introduces a boolean x5c=True as an alias for public_certificate=True. The latter is going to stay because we have to continue support the public_certificate="--- BEGIN CERTIFICATE --- ... PEM format" usage, so the MSAL Python community already knows and expects public_certificate.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
MSAL Python has long been supporting "Subject Name / Issuer authentication" (defined here
https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/60) with this API:but MSAL Python did not use it in MSAL's own test environment.
MSAL Python supports using client certificate in .pfx format since version 1.29, and started using it in the test automation.
Recently, MSAL team's lab infrastructure requires "Subject Name / Issuer authentication" (defined here
https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/60), otherwise the test automation will fail.So, this PR adds SNI to the pfx code path, using this API.
This new API will be released in MSAL Python 1.30.0. Docs are staged here.