Update dependency msal to v1.28.0 [SECURITY] - autoclosed #562
This PR contains the following updates:
msal: ==1.16.0 -> ==1.28.0
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2024-35255
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
Release Notes
AzureAD/microsoft-authentication-library-for-python (msal)
v1.28.0: MSAL Python 1.28.0
PublicClientApplication and ConfidentialClientApplication have a new oidc_authority parameter that can be used to specify authority of any generic OpenID Connect authority, typically the customized domain for CIAM. (#676, #678)
v1.27.0: MSAL Python 1.27.0
What's Changed
Release Notes:
remove_tokens_for_client() will remove tokens acquired by acquire_token_for_client() (#640, #650, #666)
except clause (#667)
Note: 1.27.0b2 requires more beta testing, so they did NOT make it to 1.27.0. If you want to beta test 1.27.0b2, follow its own instruction.
New Contributors
Full Changelog: AzureAD/microsoft-authentication-library-for-python@1.26.0...1.27.0
v1.26.0: MSAL Python 1.26.0
v1.25.0: MSAL Python 1.25.0
allow_broker will be replaced by enable_broker_on_windows (#613)
acquire_token_interactive() supports running inside Docker
token_source field to indicate where the token was obtained from: identity_provider, cache or broker. (#610)
v1.24.1: MSAL Python 1.24.1
Includes minor adjustments on handling acquire_token_interactive(). The scope of the issue being addressed was limited to a short-lived sign-in attempt. The potential misuse vector complexity was high, therefore it is unlikely to be reproduced in standard usage scenarios; however, out of abundance of caution, this fix is shipped to align ourselves with Microsoft's policy of secure-by-default.
v1.24.0: MSAL Python 1.24.0
msal_telemetry key available in MSAL's acquire token response, currently observed when broker is enabled. Its content and format are opaque to caller. This telemetry blob allows participating apps to collect them via telemetry, and it may help future troubleshooting. (#575)
enable_pii_log parameter is added into ClientApplication constructor. When enabled, the broker component may include PII (Personal Identifiable Information) in logs. This may help troubleshooting. (#568, #590)
v1.23.0: MSAL Python 1.23.0
Improvements:
acquire_token_for_client() will automatically look up tokens from cache (#577). (But all other acquire_token_...() methods still require an explicit acquire_token_silent() in order to utilize token cache.)
v1.22.0: MSAL Python 1.22.0
New feature:
Known issue:
The following issues were discovered after this version's release: #563
v1.21.0: MSAL Python 1.21.0
The API in this new version remains the same as the previous version.
Enhancements:
Known issue:
The following issues were discovered after this version's release: #563
v1.20.0: MSAL Python 1.20.0
New feature:
If your app uses MSAL's acquire_token_interactive(), you can now opt in to use broker on Windows platform to achieve Single-Sign-On (SSO) and also obtain more secure tokens, all without switching the log-in experience to a browser. See details in this online doc, and try it out from this sample. (#451, #415)
For example, after utilizing this new feature, a command-line (CLI) app's login experience would look like this:
Known issue:
The following issues were discovered after this version's release: #563
v1.19.0: MSAL Python 1.19.0
ClientApplication(..., instance_discovery=False) parameter to turn off MSAL's Instance Discovery behavior. See more details in its full documentation. Also, ADFS authority will no longer trigger Instance Discovery. (#496)
v1.18.0: MSAL Python 1.18.0
(The MSAL Python 1.18.0b1 has been stable in last 2 weeks, and we are now shipping it as 1.18.0)
initiate_auth_code_flow(..., response_mode="form_post") to allow the auth code being delivered to your app by form post, which is considered even more secure. (#396, #469)
acquire_token_interactive(..., prompt="none") can obtain some tokens from within Cloud Shell, without any prompt. (#420)
v1.17.0: MSAL Python 1.17.0
http_cache usage pattern (#439)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.