Updated in warning placement

4gust · 4gust · commit 63bb27f99e9d · 2026-05-21T16:24:06.000+01:00
diff --git a/msal/application.py b/msal/application.py
@@ -715,6 +715,17 @@ def get_client_assertion():
         self._region_detected = None
         self.client, self._regional_client = self._build_client(
             client_credential, self.authority)
+        # Warn if using a static string/bytes client_assertion (discouraged for long-running apps)
+        if client_credential and isinstance(client_credential.get("client_assertion"), (str, bytes)):
+            warnings.warn(
+                "Passing a static string/bytes 'client_assertion' is "
+                "discouraged because the JWT will eventually expire. "
+                "Pass a no-arg callable instead (optionally wrapped in "
+                "msal.AutoRefresher) so MSAL can obtain a fresh "
+                "assertion on demand. "
+                "See https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/746",
+                DeprecationWarning, stacklevel=2)
+        
         self.authority_groups = {}
         self._telemetry_buffer = {}
         self._telemetry_lock = Lock()
@@ -846,19 +857,6 @@ def _build_client(self, client_credential, authority, skip_regional_client=False
             # so that we can ignore an empty string came from an empty ENV VAR.
             if client_credential.get("client_assertion"):
                 client_assertion = client_credential['client_assertion']
-                if not callable(client_assertion):
-                    # Soft-deprecation: a fixed string assertion has a fixed
-                    # expiration. Long-running apps should pass a callable so
-                    # MSAL can fetch a fresh assertion on demand. See
-                    # https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/746
-                    warnings.warn(
-                        "Passing a static string/bytes 'client_assertion' is "
-                        "discouraged because the JWT will eventually expire. "
-                        "Pass a no-arg callable instead (optionally wrapped in "
-                        "msal.AutoRefresher) so MSAL can obtain a fresh "
-                        "assertion on demand. "
-                        "See https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/746",
-                        DeprecationWarning, stacklevel=2)
             else:
                 headers = {}
                 sha1_thumbprint = sha256_thumbprint = None
diff --git a/setup.cfg b/setup.cfg
@@ -63,6 +63,7 @@ broker =
     # most existing MSAL Python apps do not have the redirect_uri needed by broker.
     #
     # We need pymsalruntime.CallbackData introduced in PyMsalRuntime 0.14
+    # Using >=0.20 to accept all 0.20.x releases that include required features
     pymsalruntime>=0.20,<0.21; python_version>='3.9' and platform_system=='Windows'
     # On Mac, PyMsalRuntime 0.17+ is expected to support SSH cert and ROPC
     pymsalruntime>=0.20,<0.21; python_version>='3.9' and platform_system=='Darwin'

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,7 @@ broker =`
`63`	`63`	`# most existing MSAL Python apps do not have the redirect_uri needed by broker.`
`64`	`64`	`#`
`65`	`65`	`# We need pymsalruntime.CallbackData introduced in PyMsalRuntime 0.14`
	`66`	`+ # Using >=0.20 to accept all 0.20.x releases that include required features`
`66`	`67`	`pymsalruntime>=0.20,<0.21; python_version>='3.9' and platform_system=='Windows'`
`67`	`68`	`# On Mac, PyMsalRuntime 0.17+ is expected to support SSH cert and ROPC`
`68`	`69`	`pymsalruntime>=0.20,<0.21; python_version>='3.9' and platform_system=='Darwin'`