Add dSTS support - use SHA1 for dSTS authorities

Copilot · bgavrilMS · Copilot · commit a9fb14e91816 · 2026-02-14T16:16:36.000Z
- Update comments to explicitly mention dSTS as part of OIDC generic
- Add test for dSTS authority to verify SHA1 is used
- dSTS is already handled correctly as it's treated as OIDC authority
- All 13 tests passing

Co-authored-by: bgavrilMS &lt;12273384+bgavrilMS@users.noreply.github.com&gt;
diff --git a/msal/application.py b/msal/application.py
@@ -855,14 +855,14 @@ def _build_client(self, client_credential, authority, skip_regional_client=False
                 #   - ADFS: authority.is_adfs
                 #   - B2C: authority._is_b2c (and not OIDC)
                 #   - CIAM: authority._is_b2c (and not OIDC)
-                #   - OIDC generic: authority._is_oidc
+                #   - OIDC generic: authority._is_oidc (includes dSTS)
                 #   - AAD: everything else
-                # Use SHA256 for AAD, B2C, CIAM; use SHA1 for ADFS and OIDC generic
+                # Use SHA256 for AAD, B2C, CIAM; use SHA1 for ADFS, OIDC generic, and dSTS
                 use_sha256 = False
                 if sha256_thumbprint and sha1_thumbprint:
                     # Both thumbprints provided - choose based on authority type
                     is_oidc = getattr(authority, '_is_oidc', False)
-                    # Use SHA1 for ADFS and OIDC generic; SHA256 for everything else (AAD, B2C, CIAM)
+                    # Use SHA1 for ADFS, OIDC generic (including dSTS); SHA256 for everything else (AAD, B2C, CIAM)
                     use_sha256 = not authority.is_adfs and not is_oidc
                 elif sha256_thumbprint:
                     # Only SHA256 provided
diff --git a/tests/test_optional_thumbprint.py b/tests/test_optional_thumbprint.py
@@ -375,6 +375,36 @@ def test_pem_with_both_thumbprints_generic_uses_sha1(
             expected_thumbprint_value=self.test_sha1_thumbprint
         )
 
+    def test_pem_with_both_thumbprints_dsts_uses_sha1(
+            self, mock_jwt_creator_class, mock_authority_class):
+        """Test that with both thumbprints, dSTS authority uses SHA-1"""
+        authority = "https://test-instance1-dsts.dsts.core.azure-test.net/dstsv2/common"
+        mock_authority = self._setup_mocks(mock_authority_class, authority)
+        
+        # Set up as a dSTS authority (dSTS is treated as OIDC)
+        mock_authority.is_adfs = False
+        mock_authority._is_b2c = True  # OIDC sets this but it's not truly B2C
+        mock_authority._is_oidc = True  # dSTS is treated as OIDC generic
+
+        # Create app with BOTH thumbprints for dSTS authority
+        app = ConfidentialClientApplication(
+            client_id="my_client_id",
+            client_credential={
+                "private_key": self.test_private_key,
+                "thumbprint": self.test_sha1_thumbprint,
+                "thumbprint_sha256": self.test_sha256_thumbprint,
+            },
+            authority=authority
+        )
+
+        # For dSTS authorities, should use SHA-1 when both are provided
+        self._verify_assertion_params(
+            mock_jwt_creator_class,
+            expected_algorithm='RS256',
+            expected_thumbprint_type='sha1',
+            expected_thumbprint_value=self.test_sha1_thumbprint
+        )
+
     def test_pem_with_both_thumbprints_unknown_aad_uses_sha256(
             self, mock_jwt_creator_class, mock_authority_class):
         """Test that with both thumbprints, unknown AAD authority (e.g., sovereign cloud) uses SHA-256"""
