- Package Name:
azure-identity
- Package Version:
- Operating System:
- Python Version:
Describe the bug
When CertificateCredential builds the client_credential dict and passes it to MSAL, it sets private_key as bytes:
|
client_credential = {"private_key": cert.pem_bytes, "thumbprint": hexlify(cert.fingerprint).decode("utf-8")} |
But in MSAL's document, private_key should be a str:
https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/3279f045dc573d8408ddcdf3565e8b16247627be/msal/application.py#L257
"private_key": "...-----BEGIN PRIVATE KEY-----... in PEM format",
Its underlying jwt.encode also requires key as str:

It is fortunate that jwt.encode is smart enough to support key as bytes: https://github.com/jpadilla/pyjwt/blob/527fec277e8215a197f8facd3778b359043704ef/jwt/algorithms.py#L336, but this is undocumented behavior and may break unexpectedly.
Expected behavior
azure-identity should strictly follow MSAL's documentation to invoke MSAL.
azure-identityDescribe the bug
When
CertificateCredentialbuilds theclient_credentialdict and passes it to MSAL, it setsprivate_keyasbytes:azure-sdk-for-python/sdk/identity/azure-identity/azure/identity/_credentials/certificate.py
Line 169 in 07d1063
But in MSAL's document,
private_keyshould be astr:https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/3279f045dc573d8408ddcdf3565e8b16247627be/msal/application.py#L257
Its underlying
jwt.encodealso requireskeyasstr:It is fortunate that
jwt.encodeis smart enough to supportkeyasbytes: https://github.com/jpadilla/pyjwt/blob/527fec277e8215a197f8facd3778b359043704ef/jwt/algorithms.py#L336, but this is undocumented behavior and may break unexpectedly.Expected behavior
azure-identityshould strictly follow MSAL's documentation to invoke MSAL.