MSAL Python 1.18.0

(The MSAL Python 1.18.0b1 has been stable in last 2 weeks, and we are now shipping it as 1.18.0)

• New feature: Optional initiate_auth_code_flow(..., response_mode="form_post") to allow the auth code being delivered to your app by form post, which is considered even more secure. (#396, #469)
• New feature: acquire_token_interactive(..., prompt="none") can obtain some tokens from within Cloud Shell, without any prompt. (#420)

MSAL Python 1.18.0b1

• New feature: Optional initiate_auth_code_flow(..., response_mode="form_post") to allow the auth code being delivered to your app by form post, which is considered even more secure. (#396, #469)
• New feature: acquire_token_interactive(..., prompt="none") can obtain some tokens from within Cloud Shell, without any prompt. (#420)

MSAL Python 1.17.0

• New: Define some Cloud Instance constants and the usage pattern of using them (#221, #433)
• Enhancement: Lazy-load dependencies so that the start-up and run time will usually be faster. (#423, #454)
• Enhancement: Bubble up token refresh exceptions (#431, #434)
• Enhancement: Documents a simpler http_cache usage pattern (#439)
• Enhancement: Expose authority discovery error for troubleshooting (#443)
• Enhancement: Actionable exception message when local machine time error is detected (#446, #449, #453)
• Enhancement: Actionable exception message when username password flow encounters errors with ADFS (#456, #458)

MSAL Python 1.16.0

• New feature: Introducing a new http_cache parameter, whose documentation is available by searching http_cache (dict) from our API Reference Doc (Implementation #407). If an app utilizes this feature, it will also address #80 & #334.
• Improvement: Prevent concurrent interactive flows listening on same port when running on Windows (#427)
• Improvement: Detecting Region/Regional Endpoint from env var. Also ensure the entire regional endpoint behavior needs to opt in. (#425)

MSAL Python 1.15.0

• New feature: Now both initiate_auth_code_flow() and acquire_token_interactive() accept a new optional parameter max_age which is the allowable elapsed time in seconds since the last time the End-User was actively authenticated. If the elapsed time is greater than this value, Microsoft identity platform will actively re-authenticate the End-User. (#381, #389)
• Improvement: MSAL will now automatically utilize a backup authentication system, to provide better resiliency. (#376, #395, #409)
• Improvement: Previously, acquire_token_interactive() was not able to be aborted by CTRL+C when running on Windows. It is now fixed. (#393, #404)
• Bugfix: The http cache feature shipped in #379 came with an unexpected side effect to slow down the Device Code Flow. Now fixed. (#408, #410)
• Change: Adopting cryptography 35.0.0 (#414)

MSAL Python 1.14.0

UPDATE: There was a bug in this version, being fixed in subsequent 1.15.0. We recommend everyone to upgrade to msal>=1.15.0,<2.

There is no API-level change in this MSAL release. So, all existing apps do not need any code changes. Just upgrade, and your app will gain the following behaviors.

• Behavior Change: By default, MSAL Python will launch Edge browser when running on Linux, when Edge is installed on current desktop. (#388)
• Behavior Change: MSAL Python will use an in-memory http-level cache. This would improve the latency in normal cases, and improve responsiveness for invalid requests and outage. (#159, #379)
• Behavior Change: MSAL Python will no longer use env var REGION_NAME as the Azure region name. (#394, #382)
• Bugfix: MSAL Python will no longer throw exception when your app excludes the profile scope. (#387, #390)

MSAL Python 1.13.0

• New feature: MSAL supports a confidential client being authenticated by a pre-signed assertion. Usage:

  cca = ConfidentialClientApplication(
      ...,
      client_credential={"client_assertion": "...a JWT with claims aud, exp, iss, jti, nbf, and sub..."},
      ...)

  This can be useful for where the signing takes place externally for example using Azure Key Vault (AKV).
  AKV sample included (#161, #271).

• Improvement: Skip unnecessary and repetitive region detection. (#372, #373)

MSAL Python 1.12.0

• New feature: MSAL Python supports ConfidentialClientApplication(..., azure_region=...). If your app is deployed in Azure, you can use this new feature to pin a region. (#295, #358)
• New feature: Historically MSAL Python attempts to acquire a Refresh Token (RT) by default. Since this version, MSAL Python supports ConfidentialClientApplication(..., excluse_scopes=["offline_access"]) to opt out of RT (#207, #361)
  UPDATE: There was a minor bug in this feature, which has been fixed now. We recommended all customers upgrading to msal>=1.14.0,<2.
• Improvement: acquire_token_interactive(...) can also trigger browser when running inside WSL (8d86917)
• Adjustment: get_accounts(...) would automatically combine equivalent accounts, so that your account selector widget could be easier to use (#349)
• Document: MSAL Python has long been accepting acquire_token_interactive(..., prompt="create"), now we officially documented it. (#356, #360)

MSAL 1.11.0

• Enhancement: ConfidentialClientApplication also supports acquire_token_by_username_password() now. (#294, #344)
• Enhancement: PublicClientApplication's acquire_token_interactive() also supports WSL Ubuntu 18.04 (#332, #333)
• Enhancement: Enable a retry once behavior on connection error. (But this is only available from the default http client. If your app supplies your customized http_client via MSAL constructors, it is your http_client's job to decide whether retry.) (#326)
• Enhancement: MSAL improves the internal telemetry mechanism. (#137, #175, #329, #345)
• Bugfix: Better compatibility on handling SAML token when using acquire_token_by_username_password() with ADFS. (#336)

MSAL Python 1.10.0

• Enhancement: Proactive access token (AT) refreshing. Previously, an AT is either valid or expired. If an AT expires and your network happens to have a glitch, your app wouldn't be able to auth. Now, MSAL Python attempts to refresh some AT (typically long-lived AT) half way towards their expiration, and silently ignores the error and retries next time, so that your app would be more resilient. All these happen automatically, without any code change to your app. (#176, #312, #320)
• Adjustment: MSAL Python will keep RT in token cache even when its usage encounters an "invalid_grant" error, so that the RT would likely still be used by other requests. (#314, #315)