Read credential from pfx

Author: rayluo

msal/application.py

@@ -283,6 +283,10 @@ def __init__(
                         "passphrase": "Passphrase if the private_key is encrypted (Optional. Added in version 1.6.0)",
                     }
 
+                The following command will generate a .pfx file from your .key and .pem file::
+
+                    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.pem
+
         :type client_credential: Union[dict, str]
 
         :param dict client_claims:

sample/.env.sample.entra-id

@@ -8,11 +8,15 @@
 # Alternatively, use "https://login.microsoftonline.com/common" for multi-tenant app.
 AUTHORITY=<authority url>
 
-# The following variables are required for the app to run.
 CLIENT_ID=<client id>
 
-# Leave it empty if you are using a public client which has no client secret.
-CLIENT_SECRET=<client secret>
+# Uncomment the following setting if you are using a confidential client
+# which has a client secret. Example value: your password
+#CLIENT_SECRET=<client secret>
+
+# Configure this if you are using a confidential client which has a client credential.
+# Example value: {"private_key_pfx_path": "/path/to/your.pfx"}
+CLIENT_CREDENTIAL_JSON=<client credential json>
 
 # Multiple scopes can be added into the same line, separated by a space.
 # Here we use a Microsoft Graph API as an example

sample/.env.sample.external-id

@@ -4,11 +4,15 @@
 # configure AUTHORITY as https://contoso.ciamlogin.com/contoso.onmicrosoft.com
 AUTHORITY=<authority url>
 
-# The following variables are required for the app to run.
 CLIENT_ID=<client id>
 
-# Leave it empty if you are using a public client which has no client secret.
-CLIENT_SECRET=<client secret>
+# Uncomment the following setting if you are using a confidential client
+# which has a client secret. Example value: your password
+#CLIENT_SECRET=<client secret>
+
+# Configure this if you are using a confidential client which has a client credential.
+# Example value: {"private_key_pfx_path": "/path/to/your.pfx"}
+CLIENT_CREDENTIAL_JSON=<client credential json>
 
 # Multiple scopes can be added into the same line, separated by a space.
 # Here we use a Microsoft Graph API as an example

sample/.env.sample.external-id-custom-domain

@@ -5,11 +5,15 @@
 # "https://www.contoso.com/TENANT_GUID/v2.0"
 OIDC_AUTHORITY=<authority url>
 
-# The following variables are required for the app to run.
 CLIENT_ID=<client id>
 
-# Leave it empty if you are using a public client which has no client secret.
-CLIENT_SECRET=<client secret>
+# Uncomment the following setting if you are using a confidential client
+# which has a client secret. Example value: your password
+#CLIENT_SECRET=<client secret>
+
+# Configure this if you are using a confidential client which has a client credential.
+# Example value: {"private_key_pfx_path": "/path/to/your.pfx"}
+CLIENT_CREDENTIAL_JSON=<client credential json>
 
 # Multiple scopes can be added into the same line, separated by a space.
 # Here we use a Microsoft Graph API as an example

sample/confidential_client_certificate_sample.py

@@ -43,7 +43,8 @@
     os.getenv('CLIENT_ID'),
     authority=os.getenv('AUTHORITY'),  # For Entra ID or External ID
     oidc_authority=os.getenv('OIDC_AUTHORITY'),  # For External ID with custom domain
-    client_credential=os.getenv('CLIENT_SECRET'),
+    client_credential=os.getenv('CLIENT_SECRET')  # ENV VAR contains a quotation mark-less string
+        or json.loads(os.getenv('CLIENT_CREDENTIAL_JSON')),  # ENV VAR contains a JSON blob as a string
     token_cache=global_token_cache,  # Let this app (re)use an existing token cache.
         # If absent, ClientApplication will create its own empty token cache
     )