Add support for SHA256 certificate thumbprint with authority-based selection

Co-authored-by: bgavrilMS <12273384+bgavrilMS@users.noreply.github.com>

Author: Copilot

msal/application.py

@@ -300,6 +300,10 @@ def __init__(
                             "Changed in version 1.35.0, if thumbprint is absent"
                             "and a public_certificate is present, MSAL will"
                             "automatically calculate an SHA-256 thumbprint instead.",
+                        "thumbprint_sha256": "An SHA-256 thumbprint (Added in version 1.35.0). "
+                            "If both thumbprint and thumbprint_sha256 are provided, "
+                            "SHA-256 is used for AAD authorities (including B2C, CIAM), "
+                            "and SHA-1 is used for ADFS and generic authorities.",
                         "passphrase": "Needed if the private_key is encrypted (Added in version 1.6.0)",
                         "public_certificate": "...-----BEGIN CERTIFICATE-----...",  # Needed if you use Subject Name/Issuer auth. Added in version 0.5.0.
                     }
@@ -823,10 +827,10 @@ def _build_client(self, client_credential, authority, skip_regional_client=False
                     )
 
                     # Determine thumbprints based on what's provided
-                    if client_credential.get("thumbprint"):
-                        # User provided a thumbprint - use it as SHA-1 (legacy/manual approach)
-                        sha1_thumbprint = client_credential["thumbprint"]
-                        sha256_thumbprint = None
+                    if client_credential.get("thumbprint") or client_credential.get("thumbprint_sha256"):
+                        # User provided one or both thumbprints - use them as-is
+                        sha1_thumbprint = client_credential.get("thumbprint")
+                        sha256_thumbprint = client_credential.get("thumbprint_sha256")
                     elif isinstance(client_credential.get('public_certificate'), str):
                         # No thumbprint provided, but we have a certificate to calculate thumbprints
                         from cryptography import x509
@@ -836,7 +840,7 @@ def _build_client(self, client_credential, authority, skip_regional_client=False
                             _extract_cert_and_thumbprints(cert))
                     else:
                         raise ValueError(
-                            "You must provide either 'thumbprint' or 'public_certificate' "
+                            "You must provide either 'thumbprint', 'thumbprint_sha256', or 'public_certificate' "
                             "from which the thumbprint can be calculated.")
                 else:
                     raise ValueError(
@@ -846,13 +850,36 @@ def _build_client(self, client_credential, authority, skip_regional_client=False
                     and isinstance(client_credential.get('public_certificate'), str)
                 ):  # Then we treat the public_certificate value as PEM content
                     headers["x5c"] = extract_certs(client_credential['public_certificate'])
-                if sha256_thumbprint and not authority.is_adfs:
+                # Determine which thumbprint to use based on what's available and authority type
+                # Spec: If both thumbprints are provided:
+                #   - Use SHA256 for AAD authorities (including B2C, CIAM)
+                #   - Use SHA1 for ADFS and generic authorities
+                use_sha256 = False
+                if sha256_thumbprint and sha1_thumbprint:
+                    # Both thumbprints provided - choose based on authority type
+                    # Use SHA256 for AAD (including B2C, CIAM), SHA1 for ADFS and generic
+                    from .authority import WELL_KNOWN_AUTHORITY_HOSTS, WELL_KNOWN_B2C_HOSTS, _CIAM_DOMAIN_SUFFIX
+                    is_known_aad = authority.instance in WELL_KNOWN_AUTHORITY_HOSTS
+                    is_b2c_or_ciam = (
+                        authority.instance.endswith(_CIAM_DOMAIN_SUFFIX) or
+                        any(authority.instance.endswith("." + d) for d in WELL_KNOWN_B2C_HOSTS)
+                    )
+                    # Use SHA256 for known AAD, B2C, or CIAM; SHA1 for ADFS and generic
+                    use_sha256 = (is_known_aad or is_b2c_or_ciam) and not authority.is_adfs
+                elif sha256_thumbprint:
+                    # Only SHA256 provided
+                    use_sha256 = True
+                elif sha1_thumbprint:
+                    # Only SHA1 provided
+                    use_sha256 = False
+                else:
+                    raise ValueError("You must provide either 'thumbprint' (SHA-1) or 'thumbprint_sha256' (SHA-256).")
+                
+                if use_sha256:
                     assertion_params = {
                         "algorithm": "PS256", "sha256_thumbprint": sha256_thumbprint,
                     }
-                else:  # Fall back
-                    if not sha1_thumbprint:
-                        raise ValueError("You shall provide a thumbprint in SHA1.")
+                else:
                     assertion_params = {
                         "algorithm": "RS256", "sha1_thumbprint": sha1_thumbprint,
                     }

tests/test_optional_thumbprint.py

@@ -210,6 +210,169 @@ def test_pem_with_neither_raises_error(self, mock_jwt_creator_class, mock_author
         self.assertIn("thumbprint", str(context.exception).lower())
         self.assertIn("public_certificate", str(context.exception).lower())
 
+    def test_pem_with_thumbprint_sha256_only_uses_sha256(
+            self, mock_jwt_creator_class, mock_authority_class):
+        """Test that providing only thumbprint_sha256 uses SHA-256"""
+        authority = "https://login.microsoftonline.com/common"
+        self._setup_mocks(mock_authority_class, authority)
+
+        # Create app with only SHA256 thumbprint
+        sha256_thumbprint = "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"
+        app = ConfidentialClientApplication(
+            client_id="my_client_id",
+            client_credential={
+                "private_key": self.test_private_key,
+                "thumbprint_sha256": sha256_thumbprint,
+            },
+            authority=authority
+        )
+
+        # Verify SHA-256 with PS256 algorithm is used
+        self._verify_assertion_params(
+            mock_jwt_creator_class,
+            expected_algorithm='PS256',
+            expected_thumbprint_type='sha256'
+        )
+
+    def test_pem_with_both_thumbprints_aad_uses_sha256(
+            self, mock_jwt_creator_class, mock_authority_class):
+        """Test that with both thumbprints, AAD authority uses SHA-256"""
+        authority = "https://login.microsoftonline.com/common"
+        self._setup_mocks(mock_authority_class, authority)
+
+        # Create app with BOTH thumbprints for AAD
+        sha1_thumbprint = "A1B2C3D4E5F6"
+        sha256_thumbprint = "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"
+        app = ConfidentialClientApplication(
+            client_id="my_client_id",
+            client_credential={
+                "private_key": self.test_private_key,
+                "thumbprint": sha1_thumbprint,
+                "thumbprint_sha256": sha256_thumbprint,
+            },
+            authority=authority
+        )
+
+        # For AAD, should use SHA-256 when both are provided
+        self._verify_assertion_params(
+            mock_jwt_creator_class,
+            expected_algorithm='PS256',
+            expected_thumbprint_type='sha256'
+        )
+
+    def test_pem_with_both_thumbprints_adfs_uses_sha1(
+            self, mock_jwt_creator_class, mock_authority_class):
+        """Test that with both thumbprints, ADFS authority uses SHA-1"""
+        authority = "https://adfs.contoso.com/adfs"
+        self._setup_mocks(mock_authority_class, authority)
+
+        # Create app with BOTH thumbprints for ADFS
+        sha1_thumbprint = "A1B2C3D4E5F6"
+        sha256_thumbprint = "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"
+        app = ConfidentialClientApplication(
+            client_id="my_client_id",
+            client_credential={
+                "private_key": self.test_private_key,
+                "thumbprint": sha1_thumbprint,
+                "thumbprint_sha256": sha256_thumbprint,
+            },
+            authority=authority
+        )
+
+        # For ADFS, should use SHA-1 when both are provided
+        self._verify_assertion_params(
+            mock_jwt_creator_class,
+            expected_algorithm='RS256',
+            expected_thumbprint_type='sha1',
+            expected_thumbprint_value=sha1_thumbprint
+        )
+
+    def test_pem_with_both_thumbprints_b2c_uses_sha256(
+            self, mock_jwt_creator_class, mock_authority_class):
+        """Test that with both thumbprints, B2C authority uses SHA-256"""
+        authority = "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_susi"
+        mock_authority = self._setup_mocks(mock_authority_class, authority)
+        
+        # Manually set _is_b2c to True for this B2C authority
+        mock_authority._is_b2c = True
+
+        # Create app with BOTH thumbprints for B2C
+        sha1_thumbprint = "A1B2C3D4E5F6"
+        sha256_thumbprint = "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"
+        app = ConfidentialClientApplication(
+            client_id="my_client_id",
+            client_credential={
+                "private_key": self.test_private_key,
+                "thumbprint": sha1_thumbprint,
+                "thumbprint_sha256": sha256_thumbprint,
+            },
+            authority=authority
+        )
+
+        # For B2C, should use SHA-256 when both are provided
+        self._verify_assertion_params(
+            mock_jwt_creator_class,
+            expected_algorithm='PS256',
+            expected_thumbprint_type='sha256'
+        )
+
+    def test_pem_with_both_thumbprints_ciam_uses_sha256(
+            self, mock_jwt_creator_class, mock_authority_class):
+        """Test that with both thumbprints, CIAM authority uses SHA-256"""
+        authority = "https://contoso.ciamlogin.com/contoso.onmicrosoft.com"
+        mock_authority = self._setup_mocks(mock_authority_class, authority)
+
+        # Create app with BOTH thumbprints for CIAM
+        sha1_thumbprint = "A1B2C3D4E5F6"
+        sha256_thumbprint = "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"
+        app = ConfidentialClientApplication(
+            client_id="my_client_id",
+            client_credential={
+                "private_key": self.test_private_key,
+                "thumbprint": sha1_thumbprint,
+                "thumbprint_sha256": sha256_thumbprint,
+            },
+            authority=authority
+        )
+
+        # For CIAM, should use SHA-256 when both are provided
+        self._verify_assertion_params(
+            mock_jwt_creator_class,
+            expected_algorithm='PS256',
+            expected_thumbprint_type='sha256'
+        )
+
+    def test_pem_with_both_thumbprints_generic_uses_sha1(
+            self, mock_jwt_creator_class, mock_authority_class):
+        """Test that with both thumbprints, generic authority uses SHA-1"""
+        authority = "https://custom.authority.com/tenant"
+        mock_authority = self._setup_mocks(mock_authority_class, authority)
+        
+        # Set up as a generic authority (not ADFS, not B2C, not in known hosts)
+        mock_authority.is_adfs = False
+        mock_authority._is_b2c = False
+
+        # Create app with BOTH thumbprints for generic authority
+        sha1_thumbprint = "A1B2C3D4E5F6"
+        sha256_thumbprint = "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"
+        app = ConfidentialClientApplication(
+            client_id="my_client_id",
+            client_credential={
+                "private_key": self.test_private_key,
+                "thumbprint": sha1_thumbprint,
+                "thumbprint_sha256": sha256_thumbprint,
+            },
+            authority=authority
+        )
+
+        # For generic authorities, should use SHA-1 when both are provided
+        self._verify_assertion_params(
+            mock_jwt_creator_class,
+            expected_algorithm='RS256',
+            expected_thumbprint_type='sha1',
+            expected_thumbprint_value=sha1_thumbprint
+        )
+
 
 if __name__ == "__main__":
     unittest.main()