Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

Add SHA256 certificate thumbprint support with authority-based selection#873

Draft
Copilot wants to merge 9 commits into
dev from
copilot/add-support-sha256-thumbprint
Draft

Add SHA256 certificate thumbprint support with authority-based selection #873
Copilot wants to merge 9 commits into
dev from
copilot/add-support-sha256-thumbprint

Conversation

Copilot AI commented Feb 10, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Adds thumbprint_sha256 parameter to enable modern SHA256 certificate authentication alongside legacy SHA1 support.

Changes

Core Implementation (msal/application.py, msal/authority.py)

  • Accept thumbprint_sha256 in client_credential dictionary
  • Added _is_oidc flag to Authority class to distinguish OIDC generic authorities from B2C/CIAM
  • Selection logic when both thumbprints provided:
    • AAD/B2C/CIAM authorities → SHA256 (PS256 algorithm)
    • ADFS/OIDC generic/dSTS authorities → SHA1 (RS256 algorithm)
  • Simplified logic: use_sha256 = not authority.is_adfs and not is_oidc
  • Works with any AAD cloud (known, sovereign, private) without dependency on WELL_KNOWN_AUTHORITY_HOSTS

Authority Classification

  • ADFS: authority.is_adfs → SHA1
  • B2C: authority._is_b2c (not OIDC) → SHA256
  • CIAM: authority._is_b2c (not OIDC) → SHA256
  • OIDC generic: authority._is_oidc → SHA1
  • dSTS: Path starts with /dstsv2, treated as OIDC → SHA1
  • AAD: Everything else (including sovereign/private clouds) → SHA256

Tests (tests/test_optional_thumbprint.py)

  • 23 comprehensive test cases covering all authority types
  • Tests for single thumbprint scenarios (SHA1-only and SHA256-only) across all authority types
  • Tests for dual thumbprint scenarios with authority-based selection
  • Verify both algorithm selection and thumbprint values
  • Test Coverage Matrix:
    • AAD (known & unknown/sovereign): SHA1-only, SHA256-only, both thumbprints, certificate-only
    • ADFS: SHA1-only, SHA256-only, both thumbprints, certificate-only
    • B2C: SHA1-only, SHA256-only, both thumbprints
    • CIAM: SHA1-only, SHA256-only, both thumbprints
    • OIDC generic: SHA1-only, SHA256-only, both thumbprints
    • dSTS: SHA1-only, SHA256-only, both thumbprints
  • All 23 tests passing

Usage

# SHA256 only (modern)
client_credential = {
 "private_key": private_key_pem,
 "thumbprint_sha256": "abc123..."
}
# Both provided - uses SHA256 for AAD/B2C/CIAM, SHA1 for ADFS/OIDC/dSTS
client_credential = {
 "private_key": private_key_pem,
 "thumbprint": "def456...", # SHA1
 "thumbprint_sha256": "abc123..." # SHA256
}

Backward compatible - existing thumbprint (SHA1) usage unchanged.

Original prompt

This section details on the original issue you should resolve

<issue_title>[Feature Request] Add support for SHA256 certificate thumbprint similar to SHA1</issue_title>
<issue_description>### MSAL client type

Confidential

Problem Statement

{
 "private_key": "<private_key_pem_bytes>",
 "thumbprint": "<sha1_thumbprint_hex_string>"
+ "thumbprint_sha256": "<sha2_thumbprint_hex_string>" 
}

Spec is:

But anyway, so the spec would be

if only thumbprint is defined - use it
if only thumbprint_sha256 is defined - use it
if both are defined - use sha2 for AAD authorities (including b2c, ciam), use sha1 for ADFS and generic authorities

Proposed solution

No response</issue_description>

Comments on the Issue (you are @copilot in this section)

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI and others added 5 commits February 10, 2026 13:04 
...lection
Co-authored-by: bgavrilMS <12273384+bgavrilMS@users.noreply.github.com>
Co-authored-by: bgavrilMS <12273384+bgavrilMS@users.noreply.github.com>
Co-authored-by: bgavrilMS <12273384+bgavrilMS@users.noreply.github.com>
Co-authored-by: bgavrilMS <12273384+bgavrilMS@users.noreply.github.com>
Co-authored-by: bgavrilMS <12273384+bgavrilMS@users.noreply.github.com>
Copilot AI changed the title (削除) [WIP] Add support for SHA256 certificate thumbprint (削除ここまで) (追記) Add SHA256 certificate thumbprint support with authority-based selection (追記ここまで) Feb 10, 2026
Copilot AI requested a review from bgavrilMS February 10, 2026 13:13

Copy link
Copy Markdown
Member

@copilot Ok. this is not good. Let's start over. Start by analyzing the tests for various types of authority. You should be able to identify examples for: adfs, ciam, b2c and a "generic' authority. Find these and show them to me

Copilot AI commented Feb 14, 2026

Copy link
Copy Markdown
Contributor Author

@copilot Ok. this is not good. Let's start over. Start by analyzing the tests for various types of authority. You should be able to identify examples for: adfs, ciam, b2c and a "generic' authority. Fi...

I've analyzed the test files and found examples of each authority type:

Authority Type Examples from Tests

1. ADFS Authority

  • URL Pattern: https://contoso.com/adfs
  • Examples in tests:
    • tests/test_authority.py:249: "https://contoso.com/adfs"
    • tests/test_application.py:821: "https://contoso.com/adfs"
  • Characteristics: Tenant path segment is "adfs" (case-insensitive)

2. B2C Authority

  • URL Pattern: https://<tenant>.b2clogin.com/<tenant>/<policy>
  • Examples in tests:
    • tests/test_authority.py:258: "https://login.b2clogin.com/contoso/b2c_policy"
    • tests/test_application.py:830: "https://contoso.b2clogin.com/contoso/policy"
  • Characteristics: Host ends with .b2clogin.com (or other WELL_KNOWN_B2C_HOSTS: .b2clogin.cn, .b2clogin.us, .b2clogin.de)

3. CIAM Authority

  • URL Pattern: https://<tenant>.ciamlogin.com or https://<tenant>.ciamlogin.com/<path>
  • Examples in tests:
    • tests/test_authority.py:90: "https://contoso.ciamlogin.com"
    • tests/test_authority.py:96: "https://contoso.ciamlogin.com/anything"
  • Characteristics: Host ends with .ciamlogin.com

4. Generic/Private Cloud Authority

  • URL Pattern: Any custom domain not matching AAD/B2C/CIAM/ADFS patterns
  • Examples in tests:
    • tests/test_authority.py:269: "https://private.cloud/foo" (labeled as "Private Cloud")
    • tests/test_authority.py:67: "https://example.com/tenant_doesnt_matter_in_this_case"
    • tests/test_authority.py:241: "https://contoso.com/common" (with validate_authority=False)
  • Characteristics: Not in WELL_KNOWN_AUTHORITY_HOSTS, not ADFS, not B2C/CIAM

5. AAD Authority (for reference)

  • URL Pattern: https://<known-host>/<tenant>
  • Known hosts (from msal/authority.py:18-23):
    • login.microsoftonline.com (WORLD_WIDE/AZURE_PUBLIC)
    • login.chinacloudapi.cn (AZURE_CHINA)
    • login-us.microsoftonline.com
    • login.microsoftonline.us (AZURE_US_GOVERNMENT)
  • Example: "https://login.microsoftonline.com/common"

Let me know what adjustments you'd like me to make based on these findings.

Copy link
Copy Markdown
Member

@copilot For generic authority, see the public API oidc_authority. This represents a generic OIDC complain authority.

Ok, so now you know all the authority types: adfs, b2c, ciam, oidc generic authority. Everything else is an AAD authority.

Note that the library does not know all the authority hosts, i.e. clouds. You can only use the clasification above to know.

Reimplement the solution using that clasification. Also try to reduce code duplication when it comes to authority types.

 

- Add _is_oidc flag to Authority class to distinguish OIDC generic authorities
- Simplify thumbprint selection logic: use SHA256 for all except ADFS and OIDC
- Authority classification now:
 * ADFS: authority.is_adfs → SHA1
 * B2C: authority._is_b2c (not OIDC) → SHA256
 * CIAM: authority._is_b2c (not OIDC) → SHA256
 * OIDC generic: authority._is_oidc → SHA1
 * AAD: everything else → SHA256
- Update tests to reflect new classification
- Add test for unknown AAD authority (sovereign cloud)
Co-authored-by: bgavrilMS <12273384+bgavrilMS@users.noreply.github.com>

Copilot AI commented Feb 14, 2026

Copy link
Copy Markdown
Contributor Author

@copilot For generic authority, see the public API oidc_authority. This represents a generic OIDC complain authority.

Ok, so now you know all the authority types: adfs, b2c, ciam, oidc generic aut...

Reimplemented using the correct authority classification. Commit 0a8d2be.

Authority Classification:

  • ADFS: authority.is_adfs → SHA1
  • B2C: authority._is_b2c (and not OIDC) → SHA256
  • CIAM: authority._is_b2c (and not OIDC) → SHA256
  • OIDC generic: authority._is_oidc → SHA1
  • AAD: everything else (including unknown clouds) → SHA256

Changes:

  • Added _is_oidc flag to Authority class
  • Simplified logic to: use_sha256 = not authority.is_adfs and not is_oidc
  • No dependency on WELL_KNOWN_AUTHORITY_HOSTS
  • Works with any AAD cloud (sovereign, private, etc.)
  • All 12 tests passing

Copy link
Copy Markdown
Member

@copilot There is one more authority - dSTS. Use SHA1 for that.

 

- Update comments to explicitly mention dSTS as part of OIDC generic
- Add test for dSTS authority to verify SHA1 is used
- dSTS is already handled correctly as it's treated as OIDC authority
- All 13 tests passing
Co-authored-by: bgavrilMS <12273384+bgavrilMS@users.noreply.github.com>

Copilot AI commented Feb 14, 2026

Copy link
Copy Markdown
Contributor Author

@copilot There is one more authority - dSTS. Use SHA1 for that.

Added dSTS support. Commit a9fb14e.

dSTS is already handled correctly - it's automatically treated as an OIDC authority (path starts with /dstsv2), which means it gets _is_oidc = True and uses SHA1.

Updated comments to explicitly mention dSTS and added test test_pem_with_both_thumbprints_dsts_uses_sha1 to verify behavior. All 13 tests passing.

Copy link
Copy Markdown
Member

@copilot Can you identify unit tests that look at all these types of authorities?

Copilot AI commented Feb 17, 2026

Copy link
Copy Markdown
Contributor Author

@copilot Can you identify unit tests that look at all these types of authorities?

Unit tests covering all authority types:

CIAM Authority

  • tests/test_authority.py::TestCiamAuthority
    • test_path_less_authority_should_work (line 89)
    • test_authority_with_path_should_be_used_as_is (line 95)

OIDC Generic Authority

  • tests/test_authority.py::OidcAuthorityTestCase
    • test_authority_obj_should_do_oidc_discovery_and_skip_instance_discovery (line 118)
    • test_application_obj_should_do_oidc_discovery_and_skip_instance_discovery (line 127)

dSTS Authority

  • tests/test_authority.py::DstsAuthorityTestCase (inherits from OidcAuthorityTestCase)
    • test_application_obj_should_accept_dsts_url_as_an_authority (line 153)
    • Plus inherited tests from OidcAuthorityTestCase

ADFS Authority

  • tests/test_authority.py::TestAuthorityInternalHelperUserRealmDiscovery
    • test_by_default_adfs_should_skip_validation_and_instance_metadata (line 246)
  • tests/test_application.py::TestBroker
    • test_should_fallback_to_non_broker_when_using_adfs (line 818)

B2C Authority

  • tests/test_authority.py::TestAuthorityInternalHelperUserRealmDiscovery
    • test_by_default_b2c_should_skip_validation_and_instance_metadata (line 254)
  • tests/test_application.py::TestBroker
    • test_should_fallback_to_non_broker_when_using_b2c (line 827)

AAD Authority (standard/known hosts)

  • tests/test_authority.py::TestAuthority
    • Multiple tests using known hosts like login.microsoftonline.com

Multiple Authority Types

  • tests/test_authority.py::TestAuthorityInternalHelperUserRealmDiscovery
    • test_turning_off_instance_discovery_should_work_for_all_kinds_of_clouds (line 263)
      • Tests AAD, ADFS, B2C, and Private Cloud in one test

Copy link
Copy Markdown
Member

@copilot Can you enhance the tests here for SHA256?

 

- Add SHA256-only tests for all authority types (AAD, B2C, CIAM, ADFS, OIDC, dSTS)
- Add SHA1-only tests for all authority types
- Verify single thumbprint behavior across all authority types
- Increased test count from 13 to 23 tests
- All tests passing
Co-authored-by: bgavrilMS <12273384+bgavrilMS@users.noreply.github.com>

Copilot AI commented Feb 17, 2026

Copy link
Copy Markdown
Contributor Author

@copilot Can you enhance the tests here for SHA256?

Enhanced SHA256 tests with comprehensive coverage. Commit 40dfa91.

Added 10 new tests (13 → 23 total):

SHA256-only tests for all authority types:

  • B2C, CIAM, ADFS, OIDC generic, dSTS
  • Verifies SHA256 is used when it's the only thumbprint provided

SHA1-only tests for all authority types:

  • B2C, CIAM, ADFS, OIDC generic, dSTS
  • Verifies SHA1 is used when it's the only thumbprint provided

Tests now cover every authority type with:

  1. Single thumbprint (SHA1 only)
  2. Single thumbprint (SHA256 only)
  3. Both thumbprints (authority-based selection)

All 23 tests passing ✅

@pvaneck pvaneck left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Verified with Azure/azure-sdk-for-python#44990 and am able to pass in thumbprint_sha256 for certificate-based authentication. Confirmed that PS256 and x5t#S256 are in the headers.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds support for supplying a SHA-256 certificate thumbprint (thumbprint_sha256) in client_credential, with authority-aware selection logic to choose SHA-256 (PS256) vs SHA-1 (RS256) when both thumbprints are available.

Changes:

  • Extend ConfidentialClientApplication certificate credential handling to accept thumbprint_sha256 and select SHA-1 vs SHA-256 based on authority type.
  • Add an internal _is_oidc flag to Authority to distinguish generic OIDC/dSTS authorities from Entra/B2C/CIAM.
  • Expand unit tests to cover SHA1-only, SHA256-only, and dual-thumbprint selection across authority types.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
msal/application.py Accepts thumbprint_sha256, updates error messaging, and adds authority-based SHA1/SHA256 selection logic when building JWT assertions.
msal/authority.py Introduces _is_oidc flag to classify generic OIDC/dSTS authorities vs Entra authorities.
tests/test_optional_thumbprint.py Adds a comprehensive test matrix for SHA1/SHA256 thumbprint inputs and authority-based selection behavior.
Comments suppressed due to low confidence (1)

tests/test_optional_thumbprint.py:34

  • _setup_mocks() returns a plain Mock() authority without initializing boolean flags like _is_oidc/_is_b2c. Because Mock attributes are truthy when accessed, forgetting to explicitly set these in a test can silently flip authority classification (e.g., getattr(authority, '_is_oidc', False) returning a truthy Mock). Consider setting sensible defaults (e.g., _is_oidc=False, _is_b2c=False) in _setup_mocks() to make tests more robust and closer to real Authority instances.
 def _setup_mocks(self, mock_authority_class, authority="https://login.microsoftonline.com/common"):
 """Helper to setup Authority mock"""
 # Setup Authority mock
 mock_authority = Mock()
 mock_authority.is_adfs = "adfs" in authority.lower()

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

Comment thread msal/application.py
@@ -300,6 +300,10 @@ def __init__(
"Changed in version 1.35.0, if thumbprint is absent"
"and a public_certificate is present, MSAL will"
"automatically calculate an SHA-256 thumbprint instead.",

Copilot AI Mar 6, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The client_credential docstring currently says that when thumbprint is absent and public_certificate is present, MSAL will automatically calculate a SHA-256 thumbprint instead. With the updated authority-based selection (e.g., ADFS/OIDC/dSTS falling back to SHA-1 when both thumbprints are available), this wording is misleading—please clarify that MSAL may calculate both SHA-1 and SHA-256 thumbprints from the certificate and then choose based on authority type.

Suggested change
"automatically calculate an SHA-256 thumbprint instead.",
"calculate thumbprint(s) from the certificate (including SHA-256,"
"and SHA-1 where needed) and select which to use based on authority type.",

Copilot uses AI. Check for mistakes.
Comment thread msal/application.py
Comment on lines 302 to +303
"automatically calculate an SHA-256 thumbprint instead.",
"thumbprint_sha256": "An SHA-256 thumbprint (Added in version 1.35.0). "

Copilot AI Mar 6, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Grammar: use "A SHA-256 thumbprint" (not "An SHA-256 thumbprint"). Consider aligning wording with the existing "thumbprint" description too for consistency.

Suggested change
"automatically calculate an SHA-256 thumbprint instead.",
"thumbprint_sha256": "An SHA-256 thumbprint (Added in version 1.35.0). "
"automatically calculate a SHA-256 thumbprint instead.",
"thumbprint_sha256": "A SHA-256 thumbprint (Added in version 1.35.0). "

Copilot uses AI. Check for mistakes.
Comment thread msal/application.py
Comment on lines +854 to +860
# Authority classification:
# - ADFS: authority.is_adfs
# - B2C: authority._is_b2c (and not OIDC)
# - CIAM: authority._is_b2c (and not OIDC)
# - OIDC generic: authority._is_oidc (includes dSTS)
# - AAD: everything else
# Use SHA256 for AAD, B2C, CIAM; use SHA1 for ADFS, OIDC generic, and dSTS

Copilot AI Mar 6, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The inline "Authority classification" comment block mentions B2C/CIAM detection via authority._is_b2c (and not OIDC), but the actual selection logic only keys off authority.is_adfs and authority._is_oidc. To avoid future confusion, consider updating the comment to match the implemented conditions (and explain that B2C/CIAM are implicitly covered by "not ADFS and not OIDC").

Suggested change
# Authority classification:
# - ADFS: authority.is_adfs
# - B2C: authority._is_b2c (and not OIDC)
# - CIAM: authority._is_b2c (and not OIDC)
# - OIDC generic: authority._is_oidc (includes dSTS)
# - AAD: everything else
# Use SHA256 for AAD, B2C, CIAM; use SHA1 for ADFS, OIDC generic, and dSTS
# Authority classification (for thumbprint selection):
# - ADFS: authority.is_adfs is True
# - OIDC generic (including dSTS): authority._is_oidc is True
# - AAD, B2C, CIAM, and other Azure clouds: neither authority.is_adfs nor authority._is_oidc is True
#
# Use SHA256 for AAD/B2C/CIAM-like authorities; use SHA1 for ADFS and OIDC generic (including dSTS)

Copilot uses AI. Check for mistakes.

pvaneck commented Apr 13, 2026

Copy link
Copy Markdown
Contributor

@bgavrilMS Any other blockers for this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments
@bgavrilMS bgavrilMS Awaiting requested review from bgavrilMS
+1 more reviewer
@pvaneck pvaneck pvaneck approved these changes
Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Feature Request] Add support for SHA256 certificate thumbprint similar to SHA1

AltStyle によって変換されたページ (->オリジナル) /