Update dependency msal to v1.28.0 [SECURITY] - autoclosed #562
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==1.16.0->==1.28.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2024-35255
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
Release Notes
AzureAD/microsoft-authentication-library-for-python (msal)
v1.28.0: MSAL Python 1.28.0Compare Source
PublicClientApplicationandConfidentialClientApplicationhave a newoidc_authorityparameter that can be used to specify authority of any generic OpenID Connect authority, typically the customized domain for CIAM. (#676, #678)v1.27.0: MSAL Python 1.27.0Compare Source
What's Changed
Release Notes:
remove_tokens_for_client()will remove tokens acquired byacquire_token_for_client()(#640, #650, #666)exceptclause (#667)Note:
1.27.0b2requires more beta testing, so they did NOT make it to1.27.0. If you want to beta test1.27.0b2, follow its own instruction.New Contributors
Full Changelog: AzureAD/microsoft-authentication-library-for-python@1.26.0...1.27.0
v1.26.0: MSAL Python 1.26.0Compare Source
v1.25.0: MSAL Python 1.25.0Compare Source
allow_brokerwill be replaced byenable_broker_on_windows(#613)acquire_token_interactive()supports running inside Dockertoken_sourcefield to indicate where the token was obtained from:identity_provider,cacheorbroker. (#610)v1.24.1: MSAL Python 1.24.1Compare Source
Includes minor adjustments on handling acquire_token_interactive(). The scope of the issue being addressed was limited to a short-lived sign-in attempt. The potential misuse vector complexity was high, therefore it is unlikely to be reproduced in standard usage scenarios; however, out of abundance of caution, this fix is shipped to align ourselves with Microsoft's policy of secure-by-default.
v1.24.0: MSAL Python 1.24.0Compare Source
msal_telemetrykey available in MSAL's acquire token response, currently observed when broker is enabled. Its content and format are opaque to caller. This telemetry blob allows participating apps to collect them via telemetry, and it may help future troubleshooting. (#575)enable_pii_logparameter is added intoClientApplicationconstructor. When enabled, the broker component may include PII (Personal Identifiable Information) in logs. This may help troubleshooting. (#568, #590)v1.23.0: MSAL Python 1.23.0Compare Source
Improvements:
acquire_token_for_client()will automatically look up tokens from cache (#577). (But all otheracquire_token_...()methods still require an explicitacquire_token_silent()in order to utilize token cache.)v1.22.0: MSAL Python 1.22.0Compare Source
New feature:
Known issue:
The following issues were discovered after this version's release: #563
v1.21.0: MSAL Python 1.21.0Compare Source
The API in this new version remains the same as the previous version.
Enhancements:
Known issue:
The following issues were discovered after this version's release: #563
v1.20.0: MSAL Python 1.20.0Compare Source
New feature:
If your app uses MSAL's
acquire_token_interactive(), you can now opt in to use broker on Windows platform to achieve Single-Sign-On (SSO) and also obtain more secure tokens, all without switching the log-in experience to a browser. See details in this online doc, and try it out from this sample. (#451, #415)For example, after utilizing this new feature, a command-line (CLI) app's login experience would look like this:
Known issue:
The following issues were discovered after this version's release: #563
v1.19.0: MSAL Python 1.19.0Compare Source
ClientApplication(..., instance_discovery=False)parameter to turn off MSAL's Instance Discovery behavior. See more details in its full documentation. Also, ADFS authority will no longer trigger Instance Discovery. (#496)v1.18.0: MSAL Python 1.18.0Compare Source
(The MSAL Python 1.18.0b1 has been stable in last 2 weeks, and we are now shipping it as 1.18.0)
initiate_auth_code_flow(..., response_mode="form_post")to allow the auth code being delivered to your app by form post, which is considered even more secure. (#396, #469)acquire_token_interactive(..., prompt="none")can obtain some tokens from within Cloud Shell, without any prompt. (#420)v1.17.0: MSAL Python 1.17.0Compare Source
http_cacheusage pattern (#439)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.