Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available at https://learn.microsoft.com/entra/msal/python/. Stable APIs are documented at https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with tag "msal" + "python".
PublicClientApplication and ConfidentialClientApplication have a new oidc_authority parameter that can be used to specify authority of any generic OpenID Connect authority, typically the customized domain for CIAM. (#676, #678)

Release Notes:

remove_tokens_for_client() will remove tokens acquired by acquire_token_for_client() (#640, #650, #666)

except clause (#667)

Note: 1.27.0b2 requires more beta testing, so they did NOT make it to 1.27.0. If you want to beta test 1.27.0b2, follow its own instruction.

Full Changelog: https://github.com/AzureAD/microsoft-authentication-library-for-python/compare/1.26.0...1.27.0

This beta release is a preview for the broker-on-Mac support. You can install it by pip install msal==1.27.0b2. Please refer to this staged API Reference Doc for how to opt into this new feature.

allow_broker will be replaced by enable_broker_on_windows (#613)

acquire_token_interactive() supports running inside Docker

token_source field to indicate where the token was obtained from: identity_provider, cache or broker. (#610)

Includes minor adjustments on handling acquire_token_interactive(). The scope of the issue being addressed was limited to a short-lived sign-in attempt. The potential misuse vector complexity was high, therefore it is unlikely to be reproduced in standard usage scenarios; however, out of an abundance of caution, this fix is shipped to align ourselves with Microsoft's policy of secure-by-default.

Experimental: Builds on top of 1.24.0b1 and includes some adjustments on handling acquire_token_interactive().

msal_telemetry key available in MSAL's acquire token response, currently observed when broker is enabled. Its content and format are opaque to the caller. This telemetry blob allows participating apps to collect it via telemetry, and it may help future troubleshooting. (#575)

enable_pii_log parameter is added into ClientApplication constructor. When enabled, the broker component may include PII (Personally Identifiable Information) in logs. This may help troubleshooting. (#568, #590)

Experimental: Surface msal telemetry as a long opaque string (#575). This behavior is useful if your app has your own telemetry mechanism and wants to also collect MSAL's telemetry.
Improvements:
acquire_token_for_client() will automatically look up tokens from cache (#577). (But all other acquire_token_...() methods still require an explicit acquire_token_silent() in order to utilize token cache.)
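
The cache behaviour noted above, as an added example (not code from the MSAL project): a cache-first helper for a public client that calls acquire_token_silent() explicitly before falling back to acquire_token_interactive(), and logs only token_source and expires_in. The helper name acquire_token, the logger name, and the StubApp class with its sample values are constructed for illustration so the block runs offline; in real use, pass an msal.PublicClientApplication.

```python
import logging

log = logging.getLogger("msal_audit")  # logger name is an assumption


def acquire_token(app, scopes):
    """Cache-first token acquisition for a PublicClientApplication-like `app`."""
    result = None
    accounts = app.get_accounts()
    if accounts:
        # Explicit cache lookup; None means a cache miss or a failed refresh.
        result = app.acquire_token_silent(scopes, account=accounts[0])
    if not result:
        result = app.acquire_token_interactive(scopes)
    if "access_token" not in result:
        # Error responses carry "error" / "error_description" instead of a token.
        raise RuntimeError(result.get("error_description") or result.get("error"))
    # Allowlist what is logged: never the token or the opaque msal_telemetry blob.
    log.info("token_source=%s expires_in=%s",
             result.get("token_source"), result.get("expires_in"))
    return result


class StubApp:
    """Constructed stand-in for PublicClientApplication so the example runs offline."""

    def __init__(self):
        self.cached = None
        self.calls = []

    def get_accounts(self):
        return [{"username": "user@example.com"}] if self.cached else []

    def acquire_token_silent(self, scopes, account):
        self.calls.append("silent")
        return dict(self.cached, token_source="cache") if self.cached else None

    def acquire_token_interactive(self, scopes):
        self.calls.append("interactive")
        self.cached = {"access_token": "constructed-token", "expires_in": 3600}
        return dict(self.cached, token_source="identity_provider")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    app = StubApp()
    for _ in range(2):
        print(acquire_token(app, ["User.Read"])["token_source"])
```

Alerting on an unexpected share of identity_provider values in these log lines is a cheap way to notice that a deployment has lost its token cache and is prompting users more often than intended.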