Azure / azure-sdk-for-python

This repository is for active development of the Azure SDK for Python. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/python/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-python.
MIT License

[azure-identity] `CertificateCredential` passes `private_key` to MSAL with incorrect type #36578

Open jiasli opened 1 month ago

jiasli commented 1 month ago

Describe the bug

When CertificateCredential builds the client_credential dict and passes it to MSAL, it sets private_key as bytes:

https://github.com/Azure/azure-sdk-for-python/blob/07d10639d7e47f4852eaeb74aef5d569db499d6e/sdk/identity/azure-identity/azure/identity/_credentials/certificate.py#L169

But in MSAL's document, private_key should be a str:

https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/3279f045dc573d8408ddcdf3565e8b16247627be/msal/application.py#L257

                        "private_key": "...-----BEGIN PRIVATE KEY-----... in PEM format",

Its underlying jwt.encode also requires key as str:

[screenshot of the jwt.encode signature; image not included]

It is fortunate that jwt.encode is smart enough to support key as bytes: https://github.com/jpadilla/pyjwt/blob/527fec277e8215a197f8facd3778b359043704ef/jwt/algorithms.py#L336, but this is undocumented behavior and may break unexpectedly.

Expected behavior

azure-identity should strictly follow MSAL's documentation to invoke MSAL.
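The type fix the report asks for, as an added example (not code from azure-identity or MSAL): normalise the PEM key to str before placing it in the client_credential dict, and fail fast on anything that is not ASCII PEM rather than relying on pyjwt's undocumented bytes handling. The function names and the constructed placeholder key are assumptions made for this example.

```python
"""Normalise a PEM private key to the ``str`` type MSAL documents for
``client_credential["private_key"]``.

Added example, not azure-identity or MSAL code. ``CONSTRUCTED_PEM`` is a
constructed placeholder, not a real key.
"""
from typing import Union

PEM_MARKERS = (
    "-----BEGIN PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN ENCRYPTED PRIVATE KEY-----",
)


def pem_key_to_str(private_key: Union[str, bytes, bytearray]) -> str:
    """Return the key as ``str`` in PEM format.

    Accepts the ``bytes`` that a file read or a ``private_bytes()`` call
    produces, or an already-decoded ``str``. Anything that is not ASCII
    PEM (for example a DER blob, or a wrong type) is rejected here with a
    clear error instead of deep inside ``jwt.encode``.
    """
    if isinstance(private_key, (bytes, bytearray)):
        try:
            text = bytes(private_key).decode("ascii")
        except UnicodeDecodeError as exc:
            raise TypeError("private_key must be PEM text; got binary data (DER?)") from exc
    elif isinstance(private_key, str):
        text = private_key
    else:
        raise TypeError(f"private_key must be str or bytes, not {type(private_key).__name__}")
    # Normalise CRLF line endings so the value does not depend on how the file was saved.
    text = text.replace("\r\n", "\n").strip() + "\n"
    if not text.startswith(PEM_MARKERS):
        raise ValueError("private_key does not start with a PEM private key header")
    return text


def build_client_credential(private_key: Union[str, bytes, bytearray]) -> dict:
    """Build the dict handed to MSAL as ``client_credential``, with
    ``private_key`` as ``str`` exactly as MSAL's docstring specifies."""
    return {"private_key": pem_key_to_str(private_key)}


# Constructed placeholder for demonstration only; the base64 body is filler.
CONSTRUCTED_PEM = (
    b"-----BEGIN PRIVATE KEY-----\r\n"
    b"MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAplaceholder\r\n"
    b"-----END PRIVATE KEY-----\r\n"
)
```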

github-actions[bot] commented 1 month ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.