AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available here https://learn.microsoft.com/entra/msal/python/ Stable APIs are documented here https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with tag "msal" + "python".
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

[Feature Request] AAD client assertions should be computed using SHA 256 and an approved padding scheme #639

Open bgavrilMS opened 6 months ago

bgavrilMS commented 6 months ago

MSAL client type

Confidential

Problem Statement

When MSAL creates the client assertion, it uses PKCS1 padding for digital signature and SHA1 as x5t claim. These are old crypto algorithms and we need to move to newer versions. The STS is building support.

See ESTS work items:

https://identitydivision.visualstudio.com/Engineering/_workitems/edit/2655345
https://identitydivision.visualstudio.com/Engineering/_workitems/edit/2704466

Proposed solution

Use x5t#s256 and PSS padding when talking to ESTS, CIAM, B2C(?) but not with ADFS.

Original issue

https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4428
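The two client assertion forms under discussion, as an added example that is not MSAL's own code: it builds a JWT client assertion either the legacy way (RS256, i.e. PKCS#1 v1.5 padding, with a SHA-1 `x5t` thumbprint) or the proposed way (PS256, i.e. PSS padding, with an `x5t#S256` thumbprint), and verifies it using the padding the header declares. It relies on the `cryptography` package; the certificate bytes, client id and token endpoint are constructed placeholders.

```python
import base64
import hashlib
import json
import time
import uuid
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Constructed stand-in for the DER-encoded client certificate; a real client
# loads its actual certificate, since the thumbprint must match the app registration.
CERT_DER = b"constructed-stand-in-for-DER-encoded-client-certificate"
# PS256 per RFC 7518: PSS with MGF1/SHA-256 and a salt as long as the digest.
PSS_SHA256 = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=32)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def cert_thumbprint(cert_der: bytes, sha256: bool) -> str:
    """x5t is base64url(SHA-1(DER)); x5t#S256 is the SHA-256 form."""
    digest = hashlib.sha256(cert_der) if sha256 else hashlib.sha1(cert_der)
    return b64url(digest.digest())

def build_client_assertion(private_key, client_id, token_endpoint, modern=True):
    """Legacy form: RS256 (PKCS#1 v1.5) + x5t. Modern form: PS256 (PSS) + x5t#S256."""
    header = {"alg": "PS256" if modern else "RS256", "typ": "JWT"}
    header["x5t#S256" if modern else "x5t"] = cert_thumbprint(CERT_DER, modern)
    now = int(time.time())
    payload = {"aud": token_endpoint, "iss": client_id, "sub": client_id,
               "jti": str(uuid.uuid4()), "nbf": now, "exp": now + 600}
    signing_input = "{}.{}".format(b64url(json.dumps(header).encode()),
                                   b64url(json.dumps(payload).encode()))
    pad = PSS_SHA256 if modern else padding.PKCS1v15()
    signature = private_key.sign(signing_input.encode(), pad, hashes.SHA256())
    return signing_input + "." + b64url(signature)

def verify_client_assertion(assertion: str, public_key):
    """Checks the signature with the padding the header names; raises on mismatch."""
    h, p, s = assertion.split(".")
    header = json.loads(b64url_decode(h))
    pad = PSS_SHA256 if header["alg"] == "PS256" else padding.PKCS1v15()
    public_key.verify(b64url_decode(s), f"{h}.{p}".encode(), pad, hashes.SHA256())
    return header, json.loads(b64url_decode(p))

def demo_key():
    """Fresh throwaway RSA key for the demonstration (never reuse for real clients)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)
```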

rayluo commented 6 months ago

When will MSALs need to support this? It seems the eSTS support is currently still in test slice?

Also, will this feature eventually be replaced by Managed Identity?

bgavrilMS commented 6 months ago

Should be in prod by end of Jan. I'm still following up with ADFS, B2C etc.

No, client credentials will not be replaced by Managed Identity. We do not force ppl to use Azure to benefit from Entra ID.