
Document how to enable sha256 for client credential #833


Open: wants to merge 2 commits into base: dev
14 changes: 14 additions & 0 deletions msal/application.py
Expand Up @@ -280,6 +280,9 @@ def __init__(

.. admonition:: Support using a certificate in X.509 (.pem) format

Deprecated because it uses SHA-1 thumbprint.


It's deprecated, but does it still work for backwards compatibility? Should you note that?

Collaborator Author


My understanding of the term Deprecation is aligned with this answer:

Deprecated means that it is still in use, but only for historical purposes and it will be removed probably in the next big release. It is recommended that you do not use deprecated functions or features - even if they are present in the current library for example.

So, yes, it still works for backwards compatibility. If that is OK with you, I intend to not add a "it still works for backwards compatibility" statement to the docs here, otherwise we might need to retrofit the same sentence into maybe a dozen deprecated parameters here and there in our docs.

Member


Robbie is right though. ADFS still uses this. So it's not fully deprecated.

The pfx solution is not yet fit for purpose, since it requires the cert to be on disk.

How about adding a thumbprintSha256 to the dictionary and adding a note that thumbprint is deprecated except for ADFS instead?

Internally, MSAL will choose thumbprintSha256 if it is set, or fallback to thumbprint if it is not set.

Please use the .pfx option documented later in this page.

Feed in a dict in this form::

{
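Review bot: The new "Deprecated because it uses SHA-1 thumbprint." line in the X.509 (.pem) admonition conflicts with the review thread above, where ADFS is said to still require the SHA-1 thumbprint path, so a flat "deprecated" will send ADFS users to an option that does not work for them; suggest wording it as "still supported, but uses a SHA-1 thumbprint; prefer the .pfx option (added in 1.29.0) where the identity provider accepts SHA-256". Also replace "documented later in this page" with an explicit reference to the .pfx admonition by name, so the sentence stays correct if the admonitions are reordered.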
Expand All @@ -302,6 +305,9 @@ def __init__(
<https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/60>`_
is an approach to allow easier certificate rotation.

Deprecated because it uses SHA-1 thumbprint.
Please use the .pfx option documented later in this page.

*Added in version 0.5.0*::

{
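Review bot: The two deprecation sentences are duplicated here verbatim for the Subject Name/Issuer (.pem) variant, but "the .pfx option" is ambiguous in this context: a reader who needs Subject Name/Issuer Auth must use the .pfx Subject Name/Issuer form (the "*Added in version 1.30.0*" admonition further down in this file), not the plain PFX form from 1.29.0. Point this note at that specific admonition, and carry the same ADFS caveat as the plain .pem admonition, since the SHA-1 thumbprint is still the only form ADFS accepts according to the thread.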
Expand Down Expand Up @@ -338,6 +344,8 @@ def __init__(

.. admonition:: Supporting reading client certificates from PFX files

This usage will automatically use SHA-256 thumbprint of the certificate.

*Added in version 1.29.0*:
Feed in a dictionary containing the path to a PFX file::

Expand All @@ -352,6 +360,12 @@ def __init__(

.. admonition:: Support Subject Name/Issuer Auth with a cert in .pfx

`Subject Name/Issuer Auth
<https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/60>`_
is an approach to allow easier certificate rotation.

This usage will automatically use SHA-256 thumbprint of the certificate.

*Added in version 1.30.0*:
If your .pfx file contains both the private key and public cert,
you can opt in for Subject Name/Issuer Auth like this::
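Review bot: Same article fix here ("the SHA-256 thumbprint of the certificate"). This admonition and the .pem Subject Name/Issuer admonition now open with the identical issue-60 sentence; keep the explanation in one place and have the other refer to it, so the two notes read as a single recommendation: .pem Subject Name/Issuer uses a SHA-1 thumbprint and is deprecated (except where ADFS requires it), .pfx Subject Name/Issuer (1.30.0) uses SHA-256 and is preferred.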