Using PFX files with MSAL for Certificate AuthType

libraries/microsoft-agents-authentication-msal/microsoft_agents/authentication/msal/msal_auth.py

@@ -17,9 +17,6 @@
     TokenCache,
 )
 from requests import Session
-from cryptography.x509 import load_pem_x509_certificate
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import hashes
 
 from microsoft_agents.activity._utils import _DeferredString
 
@@ -212,26 +209,8 @@ def _create_client_application(
             elif self._msal_configuration.AUTH_TYPE == AuthTypes.client_secret:
                 self._client_credential_cache = self._msal_configuration.CLIENT_SECRET
             elif self._msal_configuration.AUTH_TYPE == AuthTypes.certificate:
-                with open(self._msal_configuration.CERT_KEY_FILE) as file:
-                    logger.info(
-                        "Loading certificate private key for MSAL authentication."
-                    )
-                    private_key = file.read()
-
-                with open(self._msal_configuration.CERT_PEM_FILE) as file:
-                    logger.info("Loading public certificate for MSAL authentication.")
-                    public_certificate = file.read()
-
-                # Create an X509 object and calculate the thumbprint
-                logger.info("Calculating thumbprint for the public certificate.")
-                cert = load_pem_x509_certificate(
-                    data=bytes(public_certificate, "UTF-8"), backend=default_backend()
-                )
-                thumbprint = cert.fingerprint(hashes.SHA1()).hex()
-
                 self._client_credential_cache = {
-                    "thumbprint": thumbprint,
-                    "private_key": private_key,
+                    "private_key_pfx_path": self._msal_configuration.CERT_PFX_FILE,
                 }
             else:
                 logger.error(

libraries/microsoft-agents-authentication-msal/setup.py

@@ -15,6 +15,5 @@
         f"microsoft-agents-hosting-core=={package_version}",
         "msal>=1.34.0",
         "requests>=2.32.3",
-        "cryptography>=44.0.0",
     ],
 )

libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/authorization/agent_auth_configuration.py

@@ -15,20 +15,18 @@ class AgentAuthConfiguration:
     CLIENT_ID: The client ID for the Azure AD application.
     AUTH_TYPE: The type of authentication to use (microsoft_agents.hosting.core.authorization.auth_types.AuthTypes).
     CLIENT_SECRET: The client secret for the Azure AD application (if using client secret authentication).
-    CERT_PEM_FILE: The path to the PEM file for certificate authentication (if using certificate authentication).
-    CERT_KEY_FILE: The path to the key file for certificate authentication (if using certificate authentication).
+    CERT_PFX_FILE: The path to the PFX certificate file (if using certificate authentication).
     CONNECTION_NAME: The name of the connection
     SCOPES: The scopes to request
-    AUTHORITY: The authority URL for the Azure AD (if different from the default).f
+    AUTHORITY: The authority URL for the Azure AD (if different from the default).
     ALT_BLUEPRINT_ID: An optional alternative blueprint ID used when constructing a connector client.
     """
 
     TENANT_ID: Optional[str]
-    CLIENT_ID: Optional[str]
     AUTH_TYPE: AuthTypes
+    CLIENT_ID: Optional[str]
     CLIENT_SECRET: Optional[str]
-    CERT_PEM_FILE: Optional[str]
-    CERT_KEY_FILE: Optional[str]
+    CERT_PFX_FILE: Optional[str]
     CONNECTION_NAME: Optional[str]
     SCOPES: Optional[list[str]]
     AUTHORITY: Optional[str]
@@ -46,26 +44,24 @@ class AgentAuthConfiguration:
 
     def __init__(
         self,
-        auth_type: AuthTypes = None,
-        client_id: str = None,
-        tenant_id: Optional[str] = None,
-        client_secret: Optional[str] = None,
-        cert_pem_file: Optional[str] = None,
-        cert_key_file: Optional[str] = None,
-        connection_name: Optional[str] = None,
-        authority: Optional[str] = None,
-        scopes: Optional[list[str]] = None,
+        auth_type: AuthTypes | None = None,
+        client_id: str | None = None,
+        tenant_id: str | None = None,
+        client_secret: str | None = None,
+        cert_pfx_file: str | None = None,
+        connection_name: str | None = None,
+        authority: str | None = None,
+        scopes: list[str] | None = None,
         anonymous_allowed: bool = False,
-        **kwargs: Optional[dict[str, str]],
+        **kwargs: str,
     ):
 
         self.AUTH_TYPE = auth_type or kwargs.get("AUTHTYPE", AuthTypes.client_secret)
         self.CLIENT_ID = client_id or kwargs.get("CLIENTID", None)
         self.AUTHORITY = authority or kwargs.get("AUTHORITY", None)
         self.TENANT_ID = tenant_id or kwargs.get("TENANTID", None)
         self.CLIENT_SECRET = client_secret or kwargs.get("CLIENTSECRET", None)
-        self.CERT_PEM_FILE = cert_pem_file or kwargs.get("CERTPEMFILE", None)
-        self.CERT_KEY_FILE = cert_key_file or kwargs.get("CERTKEYFILE", None)
+        self.CERT_PFX_FILE = cert_pfx_file or kwargs.get("CERTPFXFILE", None)
         self.CONNECTION_NAME = connection_name or kwargs.get("CONNECTIONNAME", None)
         self.SCOPES = scopes or kwargs.get("SCOPES", None)
         self.ALT_BLUEPRINT_ID = kwargs.get("ALT_BLUEPRINT_NAME", None)

tests/hosting_core/test_auth_configuration.py

@@ -16,8 +16,7 @@ def test_auth_configuration_basic(self):
             tenant_id="test-tenant-id",
             client_id="test-client-id",
             client_secret="test-client-secret",
-            cert_pem_file="test-cert.pem",
-            cert_key_file="test-cert.key",
+            cert_pfx_file="test-cert.pfx",
             connection_name="test-connection",
             authority="https://login.microsoftonline.com",
             scopes=["test-scope-1", "test-scope-2"],
@@ -27,8 +26,7 @@ def test_auth_configuration_basic(self):
         assert auth_config.TENANT_ID == "test-tenant-id"
         assert auth_config.CLIENT_ID == "test-client-id"
         assert auth_config.CLIENT_SECRET == "test-client-secret"
-        assert auth_config.CERT_PEM_FILE == "test-cert.pem"
-        assert auth_config.CERT_KEY_FILE == "test-cert.key"
+        assert auth_config.CERT_PFX_FILE == "test-cert.pfx"
         assert auth_config.CONNECTION_NAME == "test-connection"
         assert auth_config.AUTHORITY == "https://login.microsoftonline.com"
         assert auth_config.SCOPES == ["test-scope-1", "test-scope-2"]
@@ -69,11 +67,10 @@ def test_load_configuration_from_env(self):
     def test_empty_settings(self):
         auth_config = AgentAuthConfiguration()
         assert auth_config.AUTH_TYPE == AuthTypes.client_secret
-        assert auth_config.TENANT_ID == None
-        assert auth_config.CLIENT_ID == None
-        assert auth_config.CLIENT_SECRET == None
-        assert auth_config.CERT_PEM_FILE == None
-        assert auth_config.CERT_KEY_FILE == None
-        assert auth_config.CONNECTION_NAME == None
-        assert auth_config.AUTHORITY == None
-        assert auth_config.SCOPES == None
+        assert auth_config.TENANT_ID is None
+        assert auth_config.CLIENT_ID is None
+        assert auth_config.CLIENT_SECRET is None
+        assert auth_config.CERT_PFX_FILE is None
+        assert auth_config.CONNECTION_NAME is None
+        assert auth_config.AUTHORITY is None
+        assert auth_config.SCOPES is None