Refactor: Use _is_oidc flag for proper authority classification

- Add _is_oidc flag to Authority class to distinguish OIDC generic authorities
- Simplify thumbprint selection logic: use SHA256 for all except ADFS and OIDC
- Authority classification now:
  * ADFS: authority.is_adfs → SHA1
  * B2C: authority._is_b2c (not OIDC) → SHA256
  * CIAM: authority._is_b2c (not OIDC) → SHA256
  * OIDC generic: authority._is_oidc → SHA1
  * AAD: everything else → SHA256
- Update tests to reflect new classification
- Add test for unknown AAD authority (sovereign cloud)

Co-authored-by: bgavrilMS <12273384+bgavrilMS@users.noreply.github.com>

Author: Copilot

msal/application.py

@@ -851,18 +851,19 @@ def _build_client(self, client_credential, authority, skip_regional_client=False
                 ):  # Then we treat the public_certificate value as PEM content
                     headers["x5c"] = extract_certs(client_credential['public_certificate'])
                 # Determine which thumbprint to use based on what's available and authority type
-                # Based on the feature requirement:
-                #   - If both thumbprints are provided, use SHA256 for AAD authorities
-                #     (including B2C, CIAM), and SHA1 for ADFS and generic authorities
+                # Authority classification:
+                #   - ADFS: authority.is_adfs
+                #   - B2C: authority._is_b2c (and not OIDC)
+                #   - CIAM: authority._is_b2c (and not OIDC)
+                #   - OIDC generic: authority._is_oidc
+                #   - AAD: everything else
+                # Use SHA256 for AAD, B2C, CIAM; use SHA1 for ADFS and OIDC generic
                 use_sha256 = False
                 if sha256_thumbprint and sha1_thumbprint:
                     # Both thumbprints provided - choose based on authority type
-                    # Use SHA256 for AAD (including B2C, CIAM), SHA1 for ADFS and generic
-                    from .authority import WELL_KNOWN_AUTHORITY_HOSTS
-                    is_known_aad = authority.instance in WELL_KNOWN_AUTHORITY_HOSTS
-                    is_b2c_or_ciam = getattr(authority, '_is_b2c', False)
-                    # Use SHA256 for known AAD, B2C, or CIAM; SHA1 for ADFS and generic
-                    use_sha256 = (is_known_aad or is_b2c_or_ciam) and not authority.is_adfs
+                    is_oidc = getattr(authority, '_is_oidc', False)
+                    # Use SHA1 for ADFS and OIDC generic; SHA256 for everything else (AAD, B2C, CIAM)
+                    use_sha256 = not authority.is_adfs and not is_oidc
                 elif sha256_thumbprint:
                     # Only SHA256 provided
                     use_sha256 = True

msal/authority.py

@@ -107,6 +107,7 @@ def _initialize_oidc_authority(self, oidc_authority_url):
         self._is_b2c = True  # Not exactly true, but
             # OIDC Authority was designed for CIAM which is the next gen of B2C.
             # Besides, application.py uses this to bypass broker.
+        self._is_oidc = True  # Track that this is a generic OIDC authority
         self._is_known_to_developer = True  # Not really relevant, but application.py uses this to bypass authority validation
         return oidc_authority_url + "/.well-known/openid-configuration"
 
@@ -126,6 +127,7 @@ def _initialize_entra_authority(
         self._is_b2c = any(
             self.instance.endswith("." + d) for d in WELL_KNOWN_B2C_HOSTS
             ) or (len(parts) == 3 and parts[2].lower().startswith("b2c_"))
+        self._is_oidc = False  # This is not a generic OIDC authority
         self._is_known_to_developer = self.is_adfs or self._is_b2c or not validate_authority
         is_known_to_microsoft = self.instance in WELL_KNOWN_AUTHORITY_HOSTS
         instance_discovery_endpoint = 'https://{}/common/discovery/instance'.format(  # Note: This URL seemingly returns V1 endpoint only

tests/test_optional_thumbprint.py

@@ -97,7 +97,8 @@ def test_pem_with_certificate_only_uses_sha256(
             self, mock_extract, mock_load_cert, mock_jwt_creator_class, mock_authority_class):
         """Test that providing only public_certificate (no thumbprint) uses SHA-256"""
         authority = "https://login.microsoftonline.com/common"
-        self._setup_mocks(mock_authority_class, authority)
+        mock_authority = self._setup_mocks(mock_authority_class, authority)
+        mock_authority._is_oidc = False  # AAD is not OIDC generic
         self._setup_certificate_mocks(mock_extract, mock_load_cert)
 
         # Create app with certificate credential WITHOUT thumbprint
@@ -243,7 +244,8 @@ def test_pem_with_both_thumbprints_aad_uses_sha256(
             self, mock_jwt_creator_class, mock_authority_class):
         """Test that with both thumbprints, AAD authority uses SHA-256"""
         authority = "https://login.microsoftonline.com/common"
-        self._setup_mocks(mock_authority_class, authority)
+        mock_authority = self._setup_mocks(mock_authority_class, authority)
+        mock_authority._is_oidc = False  # AAD is not OIDC generic
 
         # Create app with BOTH thumbprints for AAD
         app = ConfidentialClientApplication(
@@ -295,6 +297,7 @@ def test_pem_with_both_thumbprints_b2c_uses_sha256(
         authority = "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_susi"
         mock_authority = self._setup_mocks(mock_authority_class, authority)
         mock_authority._is_b2c = True  # Manually set _is_b2c to True for this B2C authority
+        mock_authority._is_oidc = False  # B2C is not OIDC generic
 
         # Create app with BOTH thumbprints for B2C
         app = ConfidentialClientApplication(
@@ -320,6 +323,8 @@ def test_pem_with_both_thumbprints_ciam_uses_sha256(
         """Test that with both thumbprints, CIAM authority uses SHA-256"""
         authority = "https://contoso.ciamlogin.com/contoso.onmicrosoft.com"
         mock_authority = self._setup_mocks(mock_authority_class, authority)
+        mock_authority._is_b2c = True  # CIAM sets _is_b2c to True
+        mock_authority._is_oidc = False  # CIAM is not OIDC generic
 
         # Create app with BOTH thumbprints for CIAM
         app = ConfidentialClientApplication(
@@ -342,15 +347,16 @@ def test_pem_with_both_thumbprints_ciam_uses_sha256(
 
     def test_pem_with_both_thumbprints_generic_uses_sha1(
             self, mock_jwt_creator_class, mock_authority_class):
-        """Test that with both thumbprints, generic authority uses SHA-1"""
-        authority = "https://custom.authority.com/tenant"
+        """Test that with both thumbprints, OIDC generic authority uses SHA-1"""
+        authority = "https://custom.oidc.authority.com/tenant"
         mock_authority = self._setup_mocks(mock_authority_class, authority)
 
-        # Set up as a generic authority (not ADFS, not B2C, not in known hosts)
+        # Set up as an OIDC generic authority
         mock_authority.is_adfs = False
-        mock_authority._is_b2c = False
+        mock_authority._is_b2c = True  # OIDC sets this but it's not truly B2C
+        mock_authority._is_oidc = True  # This distinguishes OIDC from B2C/CIAM
 
-        # Create app with BOTH thumbprints for generic authority
+        # Create app with BOTH thumbprints for OIDC generic authority
         app = ConfidentialClientApplication(
             client_id="my_client_id",
             client_credential={
@@ -361,14 +367,44 @@ def test_pem_with_both_thumbprints_generic_uses_sha1(
             authority=authority
         )
 
-        # For generic authorities, should use SHA-1 when both are provided
+        # For OIDC generic authorities, should use SHA-1 when both are provided
         self._verify_assertion_params(
             mock_jwt_creator_class,
             expected_algorithm='RS256',
             expected_thumbprint_type='sha1',
             expected_thumbprint_value=self.test_sha1_thumbprint
         )
 
+    def test_pem_with_both_thumbprints_unknown_aad_uses_sha256(
+            self, mock_jwt_creator_class, mock_authority_class):
+        """Test that with both thumbprints, unknown AAD authority (e.g., sovereign cloud) uses SHA-256"""
+        authority = "https://login.microsoftonline.de/tenant"  # Example of sovereign cloud not in known list
+        mock_authority = self._setup_mocks(mock_authority_class, authority)
+        
+        # Set up as an AAD authority (not ADFS, not B2C, not OIDC)
+        mock_authority.is_adfs = False
+        mock_authority._is_b2c = False
+        mock_authority._is_oidc = False
+
+        # Create app with BOTH thumbprints for unknown AAD authority
+        app = ConfidentialClientApplication(
+            client_id="my_client_id",
+            client_credential={
+                "private_key": self.test_private_key,
+                "thumbprint": self.test_sha1_thumbprint,
+                "thumbprint_sha256": self.test_sha256_thumbprint,
+            },
+            authority=authority
+        )
+
+        # For AAD authorities (even unknown ones), should use SHA-256 when both are provided
+        self._verify_assertion_params(
+            mock_jwt_creator_class,
+            expected_algorithm='PS256',
+            expected_thumbprint_type='sha256',
+            expected_thumbprint_value=self.test_sha256_thumbprint
+        )
+
 
 if __name__ == "__main__":
     unittest.main()