MSAL Python 1.20.0b1

New feature:

If your app uses MSAL's acquire_token_interactive(), you can now opt in to use broker on Windows platform to achieve Single-Sign-On (SSO) and also obtain more secure tokens, all without switching the log-in experience to a browser. See details in this online doc, and try it out from this sample. (#451, #415)

For example, after utilizing this new feature, a command-line (CLI) app's login experience would look like this:

MSAL Python 1.18.0

(The MSAL Python 1.18.0b1 has been stable in last 2 weeks, and we are now shipping it as 1.18.0)

• New feature: Optional initiate_auth_code_flow(..., response_mode="form_post") to allow the auth code being delivered to your app by form post, which is considered even more secure. (#396, #469)
• New feature: acquire_token_interactive(..., prompt="none") can obtain some tokens from within Cloud Shell, without any prompt. (#420)

MSAL Python 1.18.0b1

• New feature: Optional initiate_auth_code_flow(..., response_mode="form_post") to allow the auth code being delivered to your app by form post, which is considered even more secure. (#396, #469)
• New feature: acquire_token_interactive(..., prompt="none") can obtain some tokens from within Cloud Shell, without any prompt. (#420)

MSAL Python 1.17.0

• New: Define some Cloud Instance constants and the usage pattern of using them (#221, #433)
• Enhancement: Lazy-load dependencies so that the start-up and run time will usually be faster. (#423, #454)
• Enhancement: Bubble up token refresh exceptions (#431, #434)
• Enhancement: Documents a simpler http_cache usage pattern (#439)
• Enhancement: Expose authority discovery error for troubleshooting (#443)
• Enhancement: Actionable exception message when local machine time error is detected (#446, #449, #453)
• Enhancement: Actionable exception message when username password flow encounters errors with ADFS (#456, #458)

MSAL Python 1.16.0

• New feature: Introducing a new http_cache parameter, whose documentation is available by searching http_cache (dict) from our API Reference Doc (Implementation #407). If an app utilizes this feature, it will also address #80 & #334.
• Improvement: Prevent concurrent interactive flows listening on same port when running on Windows (#427)
• Improvement: Detecting Region/Regional Endpoint from env var. Also ensure the entire regional endpoint behavior needs to opt in. (#425)

MSAL Python 1.15.0

• New feature: Now both initiate_auth_code_flow() and acquire_token_interactive() accept a new optional parameter max_age which is the allowable elapsed time in seconds since the last time the End-User was actively authenticated. If the elapsed time is greater than this value, Microsoft identity platform will actively re-authenticate the End-User. (#381, #389)
• Improvement: MSAL will now automatically utilize a backup authentication system, to provide better resiliency. (#376, #395, #409)
• Improvement: Previously, acquire_token_interactive() was not able to be aborted by CTRL+C when running on Windows. It is now fixed. (#393, #404)
• Bugfix: The http cache feature shipped in #379 came with an unexpected side effect to slow down the Device Code Flow. Now fixed. (#408, #410)
• Change: Adopting cryptography 35.0.0 (#414)

MSAL Python 1.14.0

UPDATE: There was a bug in this version, being fixed in subsequent 1.15.0. We recommend everyone to upgrade to msal>=1.15.0,<2.

There is no API-level change in this MSAL release. So, all existing apps do not need any code changes. Just upgrade, and your app will gain the following behaviors.

• Behavior Change: By default, MSAL Python will launch Edge browser when running on Linux, when Edge is installed on current desktop. (#388)
• Behavior Change: MSAL Python will use an in-memory http-level cache. This would improve the latency in normal cases, and improve responsiveness for invalid requests and outage. (#159, #379)
• Behavior Change: MSAL Python will no longer use env var REGION_NAME as the Azure region name. (#394, #382)
• Bugfix: MSAL Python will no longer throw exception when your app excludes the profile scope. (#387, #390)

MSAL Python 1.13.0

• New feature: MSAL supports a confidential client being authenticated by a pre-signed assertion. Usage:

  cca = ConfidentialClientApplication(
      ...,
      client_credential={"client_assertion": "...a JWT with claims aud, exp, iss, jti, nbf, and sub..."},
      ...)

  This can be useful for where the signing takes place externally for example using Azure Key Vault (AKV).
  AKV sample included (#161, #271).

• Improvement: Skip unnecessary and repetitive region detection. (#372, #373)

MSAL Python 1.12.0

• New feature: MSAL Python supports ConfidentialClientApplication(..., azure_region=...). If your app is deployed in Azure, you can use this new feature to pin a region. (#295, #358)
• New feature: Historically MSAL Python attempts to acquire a Refresh Token (RT) by default. Since this version, MSAL Python supports ConfidentialClientApplication(..., excluse_scopes=["offline_access"]) to opt out of RT (#207, #361)
  UPDATE: There was a minor bug in this feature, which has been fixed now. We recommended all customers upgrading to msal>=1.14.0,<2.
• Improvement: acquire_token_interactive(...) can also trigger browser when running inside WSL (8d86917)
• Adjustment: get_accounts(...) would automatically combine equivalent accounts, so that your account selector widget could be easier to use (#349)
• Document: MSAL Python has long been accepting acquire_token_interactive(..., prompt="create"), now we officially documented it. (#356, #360)

MSAL 1.11.0

• Enhancement: ConfidentialClientApplication also supports acquire_token_by_username_password() now. (#294, #344)
• Enhancement: PublicClientApplication's acquire_token_interactive() also supports WSL Ubuntu 18.04 (#332, #333)
• Enhancement: Enable a retry once behavior on connection error. (But this is only available from the default http client. If your app supplies your customized http_client via MSAL constructors, it is your http_client's job to decide whether retry.) (#326)
• Enhancement: MSAL improves the internal telemetry mechanism. (#137, #175, #329, #345)
• Bugfix: Better compatibility on handling SAML token when using acquire_token_by_username_password() with ADFS. (#336)