Merge pull request #229 from AzureAD/release-1.2.3

Release 1.2.3

README.md

@@ -1,3 +1,19 @@
+---
+
+This library, ADAL for Python, will no longer receive new feature improvements. Instead, use the new library
+[MSAL for Python](https://github.com/AzureAD/microsoft-authentication-library-for-python).
+
+* If you are starting a new project, you can get started with the
+  [MSAL Python docs](https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki)
+  for details about the scenarios, usage, and relevant concepts.
+* If your application is using the previous ADAL Python library, you can follow this
+  [migration guide](https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-python-adal-msal)
+  to update to MSAL Python.
+* Existing applications relying on ADAL Python will continue to work.
+
+---
+
+
 # Microsoft Azure Active Directory Authentication Library (ADAL) for Python
 
  `master` branch    | `dev` branch    | Reference Docs

adal/__init__.py

@@ -27,7 +27,7 @@
 
 # pylint: disable=wrong-import-position
 
-__version__ = '1.2.2'
+__version__ = '1.2.3'
 
 import logging
 

adal/authentication_context.py

@@ -243,9 +243,21 @@ def acquire_token_with_client_certificate(self, resource, client_id,
         :param str client_id: The OAuth client id of the calling application.
         :param str certificate: A PEM encoded certificate private key.
         :param str thumbprint: hex encoded thumbprint of the certificate.
-        :param public_certificate(optional): if not None, it will be sent to the service for subject name
+        :param str public_certificate(optional): if not None, it will be sent to the service for subject name
             and issuer based authentication, which is to support cert auto rolls. The value must match the
             certificate private key parameter.
+
+            Per `specs <https://tools.ietf.org/html/rfc7515#section-4.1.6>`_,
+            "the certificate containing
+            the public key corresponding to the key used to digitally sign the
+            JWS MUST be the first certificate.  This MAY be followed by
+            additional certificates, with each subsequent certificate being the
+            one used to certify the previous one."
+            However, your certificate's issuer may use a different order.
+            So, if your attempt ends up with an error AADSTS700027 -
+            "The provided signature value did not match the expected signature value",
+            you may try use only the leaf cert (in PEM/str format) instead.
+
         :returns: dict with several keys, include "accessToken".
         '''
         def token_func(self):

adal/authentication_parameters.py

@@ -53,7 +53,7 @@ def __init__(self, authorization_uri, resource):
 # The 401 challenge is a standard defined in RFC6750, which is based in part on RFC2617.
 # The challenge has the following form.
 # WWW-Authenticate : Bearer
-#     authorization_uri="https://login.windows.net/mytenant.com/oauth2/authorize",
+#     authorization_uri="https://login.microsoftonline.com/mytenant.com/oauth2/authorize",
 #     Resource_id="00000002-0000-0000-c000-000000000000"
 
 # This regex is used to validate the structure of the challenge header.

adal/authority.py

@@ -63,10 +63,9 @@ def url(self):
         return self._url.geturl()
 
     def _whitelisted(self): # testing if self._url.hostname is a dsts whitelisted domain
-        for domain in AADConstants.WHITELISTED_DOMAINS:
-            if self._url.hostname.endswith(domain):
-                return True
-        return False
+        # Add dSTS domains to whitelist based on based on domain
+        # https://microsoft.sharepoint.com/teams/AzureSecurityCompliance/Security/SitePages/dSTS%20Fundamentals.aspx
+        return ".dsts." in self._url.hostname
 
     def _validate_authority_url(self):
 

adal/constants.py

@@ -208,24 +208,14 @@ class HttpError(object):
 
 class AADConstants(object):
 
-    WORLD_WIDE_AUTHORITY = 'login.windows.net'
+    WORLD_WIDE_AUTHORITY = 'login.microsoftonline.com'
     WELL_KNOWN_AUTHORITY_HOSTS = [
         'login.windows.net',
         'login.microsoftonline.com',
         'login.chinacloudapi.cn',
-        'login-us.microsoftonline.com',
         'login.microsoftonline.us',
         'login.microsoftonline.de',
         ]
-    WHITELISTED_DOMAINS = [
-        # Define dSTS domains whitelist based on its Supported Environments & National Clouds list here
-        # https://microsoft.sharepoint.com/teams/AzureSecurityCompliance/Security/SitePages/dSTS%20Fundamentals.aspx
-        'dsts.core.windows.net',
-        'dsts.core.chinacloudapi.cn',  
-        'dsts.core.cloudapi.de', 
-        'dsts.core.usgovcloudapi.net',  
-        'dsts.core.azure-test.net',
-        ]
     INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE = 'https://{authorize_host}/common/discovery/instance?authorization_endpoint={authorize_endpoint}&api-version=1.0' # pylint: disable=invalid-name
     AUTHORIZE_ENDPOINT_PATH = '/oauth2/authorize'
     TOKEN_ENDPOINT_PATH = '/oauth2/token'

adal/log.py

@@ -151,7 +151,7 @@ def scrub_pii(arg_dict, padding="..."):
         "redirect_uri",
 
         # Unintuitively, the following can contain PII
-        "user_realm_url",  # e.g. https://login.windows.net/common/UserRealm/{username}
+        "user_realm_url",  # e.g. https://login.microsoftonline.com/common/UserRealm/{username}
         ])
     return {k: padding if k.lower() in pii else arg_dict[k] for k in arg_dict}
 

docs/source/index.rst

@@ -6,6 +6,20 @@
 .. This file is also inspired by
    https://pythonhosted.org/an_example_pypi_project/sphinx.html#full-code-example
 
+.. note::
+   This library, ADAL for Python, will no longer receive new feature improvement. Its successor,
+   `MSAL for Python <https://github.com/AzureAD/microsoft-authentication-library-for-python>`_,
+   are now generally available.
+
+   * If you are starting a new project, you can get started with the
+     `MSAL Python docs <https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki>`_
+     for details about the scenarios, usage, and relevant concepts.
+   * If your application is using the previous ADAL Python library, you can follow this
+     `migration guide <https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-python-adal-msal>`_
+     to update to MSAL Python.
+   * Existing applications relying on ADAL Python will continue to work.
+
+
 Welcome to ADAL Python's documentation!
 =======================================
 

sample/website_sample.py

@@ -49,7 +49,7 @@
     raise ValueError('Please provide parameter file with account information.')
 
 PORT = 8088
-TEMPLATE_AUTHZ_URL = ('https://login.windows.net/{}/oauth2/authorize?'+
+TEMPLATE_AUTHZ_URL = ('https://login.microsoftonline.com/{}/oauth2/authorize?'+
                       'response_type=code&client_id={}&redirect_uri={}&'+
                       'state={}&resource={}')
 GRAPH_RESOURCE = '00000002-0000-0000-c000-000000000000'

tests/config_sample.py

@@ -42,7 +42,7 @@
     "password" : "None",
     "tenant" : "XXXXXXXX.onmicrosoft.com",
 
-    "authorityHostUrl" : "https://login.windows.net",
+    "authorityHostUrl" : "https://login.microsoftonline.com",
 }
 
 ACQUIRE_TOKEN_WITH_CLIENT_CREDENTIALS = {

tests/test_api_version.py

@@ -44,7 +44,7 @@ def test_api_version_default_value(self):
         with warnings.catch_warnings(record=True) as caught_warnings:
             warnings.simplefilter("always")
             context = adal.AuthenticationContext(
-                "https://login.windows.net/tenant")
+                "https://login.microsoftonline.com/tenant")
             self.assertEqual(context._call_context['api_version'], None)
             self.assertEqual(len(caught_warnings), 0)
             if len(caught_warnings) == 1:
@@ -57,7 +57,7 @@ def test_explicitly_turn_off_api_version(self):
         with warnings.catch_warnings(record=True) as caught_warnings:
             warnings.simplefilter("always")
             context = adal.AuthenticationContext(
-                "https://login.windows.net/tenant", api_version=None)
+                "https://login.microsoftonline.com/tenant", api_version=None)
             self.assertEqual(context._call_context['api_version'], None)
             self.assertEqual(len(caught_warnings), 0)
 

tests/test_authority.py

@@ -60,7 +60,7 @@ class TestAuthority(unittest.TestCase):
     # discovery.
     nonHardCodedAuthority = 'https://login.doesntexist.com/' + cp['tenant']
     nonHardCodedAuthorizeEndpoint = nonHardCodedAuthority + '/oauth2/authorize'
-    dstsTestEndpoint = 'https://test-dsts.core.azure-test.net/dstsv2/common'
+    dstsTestEndpoint = 'https://test-dsts.dsts.core.azure-test.net/dstsv2/common'
 
 
     def setUp(self):
@@ -123,14 +123,13 @@ def performStaticInstanceDiscovery(self, authorityHost):
     def test_success_static_instance_discovery(self):
 
         self.performStaticInstanceDiscovery('login.microsoftonline.com')
-        self.performStaticInstanceDiscovery('login.windows.net')
         self.performStaticInstanceDiscovery('login.chinacloudapi.cn')
-        self.performStaticInstanceDiscovery('login-us.microsoftonline.com')
+        self.performStaticInstanceDiscovery('login.microsoftonline.us')
         self.performStaticInstanceDiscovery('test-dsts.dsts.core.windows.net')
         self.performStaticInstanceDiscovery('test-dsts.dsts.core.chinacloudapi.cn')
         self.performStaticInstanceDiscovery('test-dsts.dsts.core.cloudapi.de')
         self.performStaticInstanceDiscovery('test-dsts.dsts.core.usgovcloudapi.net')
-        self.performStaticInstanceDiscovery('test-dsts.core.azure-test.net')
+        self.performStaticInstanceDiscovery('test-dsts.dsts.core.azure-test.net')
 
 
     @httpretty.activate

tests/test_self_signed_jwt.py

@@ -56,7 +56,7 @@ class TestSelfSignedJwt(unittest.TestCase):
     expectedJwtWithPublicCert = cp['expectedJwtWithPublicCert']
 
     unexpectedJwt = 'unexpectedJwt'
-    testAuthority = Authority('https://login.windows.net/naturalcauses.com', False)
+    testAuthority = Authority('https://login.microsoftonline.com/naturalcauses.com', False)
     testClientId = 'd6835713-b745-48d1-bb62-7a8248477d35'
     testCert = cp['cert']
     testPublicCert=cp['publicCert']

tests/test_user_realm.py

@@ -52,7 +52,7 @@
 class TestUserRealm(unittest.TestCase):
 
     def setUp(self):
-        self.authority = 'https://login.windows.net'
+        self.authority = 'https://login.microsoftonline.com'
         self.user = 'test@federatedtenant-com'
 
         user_realm_path = cp['userRealmPathTemplate'].replace('<user>', quote(self.user, safe='~()*!.\''))

tests/util.py

@@ -122,13 +122,13 @@
     'clientId': 'clien&&???tId',
     'clientSecret': 'clientSecret*&^(?&',
     'resource': '00000002-0000-0000-c000-000000000000',
-    'evoEndpoint': 'https://login.windows.net/',
+    'evoEndpoint': 'https://login.microsoftonline.com/',
     'username': '[email protected]',
     'password': '<password>',
     'authorityHosts': {
-        'global': 'login.windows.net',
+        'global': 'login.microsoftonline.com',
         'china': 'login.chinacloudapi.cn',
-        'gov': 'login-us.microsoftonline.com'
+        'gov': 'login.microsoftonline.us'
     }
 }