- Update to version 1.35.0b1
* The managed identity code path no longer has a dependency on the
socket.getfqdn(). No API change is needed. Existing MSAL-powered
apps will automatically pick up this new behavior.
* This version of MSAL Python will pick up PyMsalRuntime 0.20.*.
No API change is needed. Existing MSAL-powered apps will
automatically pick up this new behavior.
* The thumbprint name-value pair in the client_credential parameter
becomes optional now. See API docs for usage.
* ROPC deprecation by @Ugonnaak1 in (#855)
* Test case for token response scope differing from token request
scope by @rayluo in (#856)
* Update pymsalruntime version range to handle the latest 0.20.0 release
by @DharshanBJ in (#858)
* Document how to enable sha256 for client credential by @rayluo in (#833)
* Remove the reliance on getfqdn() by @rayluo in (#859)
* Thumbprint for certificate made optional by @vi7us in (#835)
* Support Python 3.14 by @rayluo in (#861)
* Explicitly remove issuer from the OIDC discovery response
by @rayluo in (#863)
* Suppress CodeQL warning by @bgavrilMS in (#867)
- Override upstream version with 1.35.0~b1
OBS-URL: https://build.opensuse.org/request/show/1331561
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=66
- Update to version 1.34.0
* ManagedIdentityClient(..., client_capabilities=["cp1"]).\
acquire_token_for_client(..., claims_challenge="...")
by @rayluo in (#791)
* Update deprecated TokenCache API usage by @pvaneck in (#805)
* Enable broker support on Linux for WSL by @DharshanBJ in (#766)
* Fix username/password validation in broker test
by @emmanuel-ferdman in (#807)
* Merge release 1.32.3 back to dev branch by @rayluo in (#816)
* Add dependency management suggestions by @rayluo in (#819)
* Remind developers about http_cache's unstable format
by @rayluo in (#821)
* Properly throw MsalServiceError exception by @rayluo in (#820)
* Improve test cases to test header-less response by @rayluo in (#822)
* Upgrade dependency by @rayluo in (#824)
* Linux broker needs a specific redirect_uri by @rayluo in (#826)
* MSAL Python 1.33.0b1 release by @rayluo in (#827)
* Use lowercase environment value during searching
by @rayluo in (#831)
* Add claims challenge parameter in initiate_device_flow
by @ashok672 in (#839)
* MSAL Python 1.33.0 by @rayluo in (#841)
* Declare support for Python 3.13 by @rayluo in (#851)
- Remove temporary version override
OBS-URL: https://build.opensuse.org/request/show/1313026
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=64
- Update to version 1.33.0b1
* ManagedIdentityClient(..., client_capabilities=["cp1"]).\
acquire_token_for_client(..., claims_challenge="...")
by @rayluo in (#791)
* Update deprecated TokenCache API usage by @pvaneck in (#805)
* Enable broker support on Linux for WSL by @DharshanBJ in (#766)
* Fix username/password validation in broker test
by @emmanuel-ferdman in (#807)
* Merge release 1.32.3 back to dev branch by @rayluo in (#816)
* Add dependency management suggestions by @rayluo in (#819)
* Remind developers about http_cache's unstable format by @rayluo in (#821)
* Properly throw MsalServiceError exception by @rayluo in (#820)
* Improve test cases to test header-less response by @rayluo in (#822)
* Upgrade dependency by @rayluo in (#824)
* Linux broker needs a specific redirect_uri by @rayluo in (#826)
* MSAL Python 1.33.0b1 release by @rayluo in (#827)
- Override upstream version with 1.33.0~b1
OBS-URL: https://build.opensuse.org/request/show/1291414
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=57
- Update to version 1.32.0
* Refactor to allow adding new field into cache key
and/or content by @rayluo in (#751)
* Warning when obsolete msal-extensions is detected
by @rayluo in (#752)
* Add msal_cache.bin to .gitignore by @DharshanBJ in (#753)
* MSAL will use env var MSAL_FORCE_REGION by default
by @rayluo in (#756)
* Allow MI endpoint changing through environment variable
by @jimdigriz in (#754)
* Revert "allow MI endpoint changing through environment
variable" by @rayluo in (#769)
* Fix document for using SystemAssigned managed identity
by @jiasli in (#764)
* Suppress a false positive CodeQL alarm by @rayluo in (#783)
* Pass Sku and Ver to MsalRuntime by @Ugonnaak1 in (#786)
* Try to suppress another verify=False by @rayluo in (#788)
* Supports dSTS by ClientApplication(..., authority=
"https://...example.com/dstsv2/...") by @rayluo in (#772)
* Add test case to show that OBO supports SP by @rayluo in (#481)
* Enable Issue-Sentinel to scan for similar issues by @DharshanBJ in (#790)
* Support pod identity by @rayluo in (#795)
* Scope to resource by @rayluo in (#785)
OBS-URL: https://build.opensuse.org/request/show/1254060
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=53
- Update to version 1.30.0
* New feature: Support Subject Name/Issuer authentication when using
.pfx certificate file. Documentation available in one of the recent
purple boxes here. (#718)
* New feature: Automatically use SHA256 and PSS padding when using
.pfx certificate on non-ADFS, non-OIDC authorities. (#722)
* New feature: Expose refresh_on (if any) to fresh or cached response,
so that caller may choose to proactively call acquire_token_silent()
early. (#723)
* Bugfix for token cache search. MSAL 1.27+ customers please upgrade
to MSAL 1.30+. (#717)
OBS-URL: https://build.opensuse.org/request/show/1190661
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=45
- Update to version 1.29.0
* New feature: Supports Managed Identity for Azure VM, App Service
(including Azure Functions, Azure Automation), Service Fabric,
Azure Machine Learning, Arc, etc.. Comes with a sample, its
configuration via ENV VAR, and its API documentation.
(#58, #480, #634, #674)
* New feature: Support reading ConfidentialClientApplication's
cert from a pfx file (#684, #699)
* New feature: TokenCache class has a new search() method which will
return a generator of tokens. The old find() method still exists and
returns a list, but MSAL 1.27+ will not call find() anymore. (#693, #644)
* Change: Re-enable the username password flow to go through broker,
if available. (#712)
- from version 1.28.1
* Change: pip install msal[broker] will now pick up the latest PyMsalRuntime
0.16.x which contains a bugfix for being run as administrator. This release
fixes#707.
OBS-URL: https://build.opensuse.org/request/show/1186312
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=43
- Update to version 1.28.0
* New feature: PublicClientApplication and ConfidentialClientApplication
have a new oidc_authority parameter that can be used to specify authority
of any generic OpenID Connect authority, typically the customized domain
for CIAM. (#676, #678)
* Dropping Python 2.7
- from version 1.27.0
* New feature: remove_tokens_for_client() will remove tokens acquired
by acquire_token_for_client() (#640, #650, #666)
* Performance: Throughput of token-cache-hit happy path is roughly 2x faster (#644)
* Adjustment: MSAL no longer attempts to validate an ID token's time (#656, #657)
* Adjustment: Bump upstream broker dependency to 0.14.x
* Improvement: Better chance to remove accounts from broker (#651)
* Improvement: Cleaner console output when the http local server
is visited in https protocol (#546)
* Improvement: Reduce a bare except clause (#667)
OBS-URL: https://build.opensuse.org/request/show/1166290
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=41
- Switch package to modern Python Stack on SLE-15
+ Use Python 3.11 on SLE-15 by default
+ Add Obsoletes for old python3 package on SLE-15
+ Drop support for older Python versions
- Switch build system from setuptools to pyproject.toml
+ Add python-pip and python-wheel to BuildRequires
+ Replace %python_build with %pyproject_wheel
+ Replace %python_install with %pyproject_install
+ Update name for dist directory in %files section
OBS-URL: https://build.opensuse.org/request/show/1164951
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=39
- Update to version 1.25.0
+ Deprecation: allow_broker will be replaced by enable_broker_on_windows (#613)
+ Bugfix: Device Code Flow (and Username Password Flow) and its subsequent silent
request will automatically bypass broker and succeed. (#569)
+ Enhancement: acquire_token_interactive() supports running inside Docker
+ Observability: Successful token response will contain a new token_source field
to indicate where the token was obtained from: identity_provider, cache or broker.
(#610)
OBS-URL: https://build.opensuse.org/request/show/1128530
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=33
- Update to version 1.24.1
+ Includes minor adjustments on handling acquire_token_interactive().
The scope of the issue being addressed was limited to a short-lived
sign-in attempt. The potential misuse vector complexity was high,
therefore it is unlikely to be reproduced in standard usage scenarios;
however, out of abundance of caution, this fix is shipped to align
ourselves with Microsoft's policy of secure-by-default.
- from version 1.24.0
+ Enhancement: There may be a new msal_telemetry key available in MSAL's
acquire token response, currently observed when broker is enabled. Its
content and format are opaque to caller. This telemetry blob allows
participating apps to collect them via telemetry, and it may help
future troubleshooting. (#575)
+ Enhancement: A new enable_pii_log parameter is added into ClientApplication
constructor. When enabled, the broker component may include PII (Personal
Identifiable Information) in logs. This may help troubleshooting. (#568, #590)
- Remove temporary version override
OBS-URL: https://build.opensuse.org/request/show/1116418
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=31
- Update to version 1.20.0
+ New feature: If your app uses MSAL's acquire_token_interactive(), you can
now opt in to use broker on Windows platform to achieve Single-Sign-On (SSO)
and also obtain more secure tokens, all without switching the log-in experience
to a browser. See details in this online doc, and try it out from this sample.
(#451, #415)
- from version 1.19.0
+ New feature: A new ClientApplication(..., instance_discovery=False) parameter
to turn off MSAL's Instance Discovery behavior. See more details in its full
documentation. Also, ADFS authority will no longer trigger Instance Discovery. (#496)
+ Enhancement: Use provided authority port when building the tenant discovery endpoint (#484)
+ Bugfix: Fix a regression in regional endpoint which affects MSAL Python 1.14+ (#485)
+ Enhancement: Tolerate home_account_id to be None
- from version 1.18.0
+ New feature: Optional initiate_auth_code_flow(..., response_mode="form_post")
to allow the auth code being delivered to your app by form post, which is
considered even more secure. (#396, #469)
+ New feature: acquire_token_interactive(..., prompt="none") can obtain some
tokens from within Cloud Shell, without any prompt. (#420)
OBS-URL: https://build.opensuse.org/request/show/1010424
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=22
- Update to version 1.17.0
+ New: Define some Cloud Instance constants and the usage
pattern of using them (#221, #433)
+ Enhancement: Lazy-load dependencies so that the start-up
and run time will usually be faster. (#423, #454)
+ Enhancement: Bubble up token refresh exceptions (#431, #434)
+ Enhancement: Documents a simpler http_cache usage pattern (#439)
+ Enhancement: Expose authority discovery error for troubleshooting (#443)
+ Enhancement: Actionable exception message when local machine
time error is detected (#446, #449, #453)
+ Enhancement: Actionable exception message when username
password flow encounters errors with ADFS (#456, #458)
OBS-URL: https://build.opensuse.org/request/show/967331
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=18
- Update to version 1.16.0
+ New feature: Introducing a new http_cache parameter, whose documentation
is available by searching http_cache (dict) from our API Reference Doc
(Implementation #407). If an app utilizes this feature, it will also
address #80 & #334.
+ Improvement: Prevent concurrent interactive flows listening on same port
when running on Windows (#427)
+ Improvement: Detecting Regional Endpoint from env var. Also ensure the
entire regional endpoint behavior needs to opt in. (#425)
- from version 1.15.0
+ New feature: Now both initiate_auth_code_flow() and acquire_token_interactive()
accept a new optional parameter max_age which is the allowable elapsed time
in seconds since the last time the End-User was actively authenticated. If
the elapsed time is greater than this value, Microsoft identity platform
will actively re-authenticate the End-User. (#381, #389)
+ Improvement: MSAL will now automatically utilize a backup authentication
system, to provide better resiliency. (#376, #395, #409)
+ Improvement: Previously, acquire_token_interactive() was not able to be aborted
by CTRL+C when running on Windows. It is now fixed. (#393, #404)
+ Bugfix: The http cache feature shipped in #379 came with an unexpected side
effect to slow down the Device Code Flow. Now fixed. (#408, #410)
+ Change: Adopting cryptography 35.0.0 (#414)
- from version 1.14.0
UPDATE: There was a bug in this version, being fixed in subsequent
1.15.0. We recommend everyone to upgrade to msal>=1.15.0,<2.
There is no API-level change in this MSAL release. So, all existing
apps do not need any code changes. Just upgrade, and your app will
gain the following behaviors.
+ Behavior Change: By default, MSAL Python will launch Edge browser when
running on Linux, when Edge is installed on current desktop. (#388)
OBS-URL: https://build.opensuse.org/request/show/928758
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=17
- Update to version 1.12.0
+ New feature: MSAL Python supports ConfidentialClientApplication(..., azure_region=...).
If your app is deployed in Azure, you can use this new feature to pin a region.
(#295, #358)
+ New feature: Historically MSAL Python attempts to acquire a Refresh Token (RT) by
default. Since this version, MSAL Python supports ConfidentialClientApplication(...,
excluse_scopes=["offline_access"]) to opt out of RT (#207, #361)
+ Improvement: acquire_token_interactive(...) can also trigger browser when
running inside WSL (8d86917)
+ Adjustment: get_accounts(...) would automatically combine equivalent accounts,
so that your account selector widget could be easier to use (#349)
+ Document: MSAL Python has long been accepting acquire_token_interactive(..., prompt="create"),
now we officially documented it. (#356, #360)
- from version 1.11.0
+ Enhancement: ConfidentialClientApplication also supports
acquire_token_by_username_password() now. (#294, #344)
+ Enhancement: PublicClientApplication's acquire_token_interactive() also supports WSL Ubuntu
18.04 (#332, #333)
+ Enhancement: Enable a retry once behavior on connection error. (But this is only available
from the default http client. If your app supplies your customized http_client via MSAL
constructors, it is your http_client's job to decide whether retry.) (#326)
+ Enhancement: MSAL improves the internal telemetry mechanism. (#137, #175, #329, #345)
+ Bugfix: Better compatibility on handling SAML token when using
acquire_token_by_username_password() with ADFS. (#336)
OBS-URL: https://build.opensuse.org/request/show/903080
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=16
- Update to version 1.10.0
+ Enhancement: Proactive access token (AT) refreshing. Previously, an AT is
either valid or expired. If an AT expires and your network happens to have
a glitch, your app wouldn't be able to auth. Now, MSAL Python attempts to
refresh some AT (typically long-lived AT) half way towards their expiration,
and silently ignores the error and retries next time, so that your app would
be more resilient. All these happen automatically, without any code change
to your app. (#176, #312, #320)
+ Adjustment: MSAL Python will keep RT in token cache even when its usage
encounters an "invalid_grant" error, so that the RT would likely still
be used by other requests. (#314, #315)
- from version 1.9.0
+ Enhancement: Starting from this version, MSAL will be compatible with both
PyJWT 1.x and PyJWT 2.x (#293, #296)
+ Enhancement: Better support for upcoming Azure CLI's SSH extension (#300, #298)
+ Enhancement: Better deprecation message for get_authorization_request_url()
and acquire_token_by_authorization_code(). (#301, #303)
+ Enhancement: Better exception message when using incorrect case in client_id.
(#304, #307)
+ Other improvements.
OBS-URL: https://build.opensuse.org/request/show/881908
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=14
- Update to version 1.8.0
+ New feature: A new extra_scopes_to_consent parameter is introduced
to the acquire_token_interactive(...) API (#212, #286)
+ Adjustment to previous version 1.7.0: Lazy import webbrowser module
only when necessary (#287, #288)
- from version 1.7.0
+ New feature: A new initiate_auth_code_flow() & acquire_token_by_auth_code_flow()
API, which automatically provides PKCE protection for you (#276, #255).
(You are recommended to use these 2 new APIs to replace the previous
get_authorization_request_url() and acquire_token_by_authorization_code().)
+ New feature: A new acquire_token_interactive() (#138, #260, #282), comes with
a sample (#283)
+ Bugfix: Now MSAL Python can properly access those Refresh Tokens which were
keyed slightly differently by different apps. (#279, #280)
OBS-URL: https://build.opensuse.org/request/show/862389
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=12
- Update to version 1.6.0
+ New Feature: ```ConfidentialClientApplication``` accepts private
key encrypted by a passphrase. (#232, #270)
+ Enhancement: Provides different exception and messages while
encountering transient error during tenant discovery (#263, #269)
- from version 1.5.1
+ Bugfix: We now cache tokens by specified environment, not by OIDC Discovery.
This won't matter most of the time, but it can be needed when your tenant is
in transitional state while migrating to a different cloud. (#247)
+ Bugfix: We now make sure one app's sign-out operation would be successful even
when another app is acquiring token from cache at the same time. (#258, #262)
- Update Requires from setup.py
OBS-URL: https://build.opensuse.org/request/show/848335
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=8
- Update to version 1.4.3
+ Bugfix: A side effect in previous release prevented reading some
tokens from a different authority alias (#235, #236)
- from version 1.4.2
+ Bugfix: Changed case of messageID in WS-Trust Requests (#228 , #230 )
+ Bugfix: Removed content-type header sent in request to Mex endpoint (#226 , #227 )
+ Bugfix: Bypasses cache lookup for authority alias if no refresh token found (#223, #225 )
- from version 1.4.1
+ Reverts Application Initializer will not send network requests
introduced in MSAL Python 1.4.0 (#205, #216, #187)
- from version 1.4.0
+ Enhancement: Application initializer will not send network requests. (#205, #187)
+ Enhancement: Improved handling of errors in ADAL to MSAL token migration scenario. (#209, #208)
+ Added changelog in PYPI (#203, #202)
+ Other readme and reference docs adjustments (#200, #197)
OBS-URL: https://build.opensuse.org/request/show/830775
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=5
- Update to version 1.3.0
+ New feature: class ```ClientApplication``` accepts a new optional parameter
```http_client```. You can provide your own HTTP client to have different
behavior. (#169) Please refer to API Reference doc.
+ New feature: method ```get_authorization_request_url()``` accepts a new optional
parameter ```domain_hint```. (#158, #181)
Please refer to API Reference doc.
+ New feature: A new method ```acquire_token_by_refresh_token()``` to help migrating
refresh tokens from elsewhere to MSAL Python. (#193)
Its usage is demonstrated in this sample.
- from version 1.2.0
+ New ```nonce``` parameter is provided in ```both get_authorization_request_url(..., nonce=...)```
and ```acquire_token_by_authorization_code(..., nonce=...)``` method, so
that you can use them to mitigate replay attacks, per OIDC specs. (#128, #173).
- from version 1.1.0
+ New ```acquire_token_silent_with_error(...)``` method to expose conditional
access error classifications (#143, closes#57).
+ App developers can opt in to provide their app's name and version for Microsoft
Telemetry, so that we can understand your usage pattern and serve you better.
(#136closes#130)
+ Internally,
* Collect anonymous telemetry data to help us improve MSAL Python (#103)
* Test cases cover ADFS 2019 on-premise scenarios (#142, closes#132)
* Switched to our latest lab apis for better test infrastructure (#108, #133, #134, #135)
OBS-URL: https://build.opensuse.org/request/show/815251
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:azure/python-msal?expand=0&rev=3
