Update with CI changes

python/docs-ref-autogen/msal/index.yml

@@ -7,4 +7,5 @@ packages:
 - msal
 modules:
 - msal.application
+- msal.auth_scheme
 - msal.token_cache

python/docs-ref-autogen/msal/msal.application.ClientApplication.yml

@@ -195,29 +195,17 @@ constructor:
     types:
     - <xref:list>[<xref:str>]
   - name: azure_region
-    description: "AAD provides regional endpoints for apps to opt in\nto keep their\
-      \ traffic remain inside that region.\n\nAs of 2021 May, regional service is\
-      \ only available for\n`acquire_token_for_client()` sent by any of the following\
-      \ scenarios:\n\n1. An app powered by a capable MSAL (MSAL Python 1.12+ will\
-      \ be provisioned) \n\n2. An app with managed identity, which is formerly known\
-      \ as MSI. (However MSAL Python does not support managed identity, so this one\
-      \ does not apply.) \n\n3. An app authenticated by [Subject Name/Issuer (SNI)](https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/60).\
-      \ \n\n4. An app which already onboard to the region's allow-list. \n\nThis parameter\
-      \ defaults to None, which means region behavior remains off.\n\nApp developer\
-      \ can opt in to a regional endpoint,\nby provide its region name, such as \"\
-      westus\", \"eastus2\".\nYou can find a full list of regions by running\n`az\
-      \ account list-locations -o table`, or referencing to\n[this doc](https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.management.resourcemanager.fluent.core.region?view=azure-dotnet).\n\
-      \nAn app running inside Azure Functions and Azure VM can use a special keyword\n\
-      `ClientApplication.ATTEMPT_REGION_DISCOVERY` to auto-detect region.\n\n\n> [!NOTE]\n\
-      > Setting azure_region to non-None for an app running\n>\n> outside of Azure\
-      \ Function/VM could hang indefinitely.\n>\n> \n>\n> You should consider opting\
-      \ in/out region behavior on-demand,\n>\n> by loading azure_region=None or azure_region=\"\
-      westus\"\n>\n> or azure_region=True (which means opt-in and auto-detect)\n>\n\
-      > from your per-deployment configuration, and then do\n>\n> app = ConfidentialClientApplication(...,\
-      \ azure_region=azure_region).\n>\n> \n>\n> Alternatively, you can configure\
-      \ a short timeout,\n>\n> or provide a custom http_client which has a short timeout.\n\
-      >\n> That way, the latency would be under your control,\n>\n> but still less\
-      \ performant than opting out of region feature.\n>\n\nNew in version 1.12.0."
+    description: "(optional)\nInstructs MSAL to use the Entra regional token service.\
+      \ This legacy feature is only available to\nfirst-party applications. Only `acquire_token_for_client()`\
+      \ is supported.\n\nSupports 3 values:\n\n   `azure_region=None` - meaning no\
+      \ region is used. This is the default value.\n   `azure_region=\"some_region\"\
+      ` - meaning the specified region is used.\n   `azure_region=True` - meaning\
+      \ MSAL will try to auto-detect the region. This is not recommended.\n\n\n> [!NOTE]\n\
+      > Region auto-discovery has been tested on VMs and on Azure Functions. It is\
+      \ unreliable.\n>\n> Applications using this option should configure a short\
+      \ timeout.\n>\n> \n>\n> For more details and for the values of the region string\n\
+      >\n> \n>\n> see [https://learn.microsoft.com/entra/msal/dotnet/resources/region-discovery-troubleshooting](https://learn.microsoft.com/entra/msal/dotnet/resources/region-discovery-troubleshooting)\n\
+      >\n\nNew in version 1.12.0."
     defaultValue: None
     types:
     - <xref:str>
@@ -494,7 +482,7 @@ methods:
 
     [https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication](https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication)'
   signature: acquire_token_by_username_password(username, password, scopes, claims_challenge=None,
-    **kwargs)
+    auth_scheme=None, **kwargs)
   parameters:
   - name: username
     description: Typically a UPN in the form of an email address.
@@ -523,6 +511,16 @@ methods:
       It is a string of a JSON object which contains lists of claims being requested
       from these locations.'
     defaultValue: None
+  - name: auth_scheme
+    description: 'You can provide an `msal.auth_scheme.PopAuthScheme` object
+
+      so that MSAL will get a Proof-of-Possession (POP) token for you.
+
+
+      New in version 1.26.0.'
+    defaultValue: None
+    types:
+    - <xref:object>
   return:
     description: "A dict representing the json response from AAD:\n\n* A successful\
       \ response would contain \"access_token\" key, \n\n* an error response would\
@@ -544,7 +542,7 @@ methods:
 
     token cache look-up, then this method is easier and recommended.'
   signature: acquire_token_silent(scopes, account, authority=None, force_refresh=False,
-    claims_challenge=None, **kwargs)
+    claims_challenge=None, auth_scheme=None, **kwargs)
   parameters:
   - name: scopes
     isRequired: true
@@ -556,6 +554,8 @@ methods:
     defaultValue: 'False'
   - name: claims_challenge
     defaultValue: None
+  - name: auth_scheme
+    defaultValue: None
   return:
     description: "* A dict containing no \"error\" key, and typically contains an\
       \ \"access_token\" key, if cache lookup succeeded. \n\n* None when cache lookup\
@@ -581,7 +581,7 @@ methods:
     Otherwise, the other method <xref:msal.application.ClientApplication.acquire_token_silent>
     is recommended.'
   signature: acquire_token_silent_with_error(scopes, account, authority=None, force_refresh=False,
-    claims_challenge=None, **kwargs)
+    claims_challenge=None, auth_scheme=None, **kwargs)
   parameters:
   - name: scopes
     description: '(Required)
@@ -616,6 +616,16 @@ methods:
       It is a string of a JSON object which contains lists of claims being requested
       from these locations.'
     defaultValue: None
+  - name: auth_scheme
+    description: 'You can provide an `msal.auth_scheme.PopAuthScheme` object
+
+      so that MSAL will get a Proof-of-Possession (POP) token for you.
+
+
+      New in version 1.26.0.'
+    defaultValue: None
+    types:
+    - <xref:object>
   - name: authority
     defaultValue: None
   return:
@@ -859,6 +869,10 @@ methods:
       \n1. somehow store this content, typically inside the current session, \n\n\
       2. guide the end user (i.e. resource owner) to visit that auth_uri, \n\n3. and\
       \ then relay this dict and subsequent auth response to <xref:msal.application.ClientApplication.acquire_token_by_auth_code_flow>."
+- uid: msal.application.ClientApplication.is_pop_supported
+  name: is_pop_supported
+  summary: Returns True if this client supports Proof-of-Possession Access Token.
+  signature: is_pop_supported()
 - uid: msal.application.ClientApplication.remove_account
   name: remove_account
   summary: Sign me out and forget me from token cache

python/docs-ref-autogen/msal/msal.application.ConfidentialClientApplication.yml

@@ -195,29 +195,17 @@ constructor:
     types:
     - <xref:list>[<xref:str>]
   - name: azure_region
-    description: "AAD provides regional endpoints for apps to opt in\nto keep their\
-      \ traffic remain inside that region.\n\nAs of 2021 May, regional service is\
-      \ only available for\n`acquire_token_for_client()` sent by any of the following\
-      \ scenarios:\n\n1. An app powered by a capable MSAL (MSAL Python 1.12+ will\
-      \ be provisioned) \n\n2. An app with managed identity, which is formerly known\
-      \ as MSI. (However MSAL Python does not support managed identity, so this one\
-      \ does not apply.) \n\n3. An app authenticated by [Subject Name/Issuer (SNI)](https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/60).\
-      \ \n\n4. An app which already onboard to the region's allow-list. \n\nThis parameter\
-      \ defaults to None, which means region behavior remains off.\n\nApp developer\
-      \ can opt in to a regional endpoint,\nby provide its region name, such as \"\
-      westus\", \"eastus2\".\nYou can find a full list of regions by running\n`az\
-      \ account list-locations -o table`, or referencing to\n[this doc](https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.management.resourcemanager.fluent.core.region?view=azure-dotnet).\n\
-      \nAn app running inside Azure Functions and Azure VM can use a special keyword\n\
-      `ClientApplication.ATTEMPT_REGION_DISCOVERY` to auto-detect region.\n\n\n> [!NOTE]\n\
-      > Setting azure_region to non-None for an app running\n>\n> outside of Azure\
-      \ Function/VM could hang indefinitely.\n>\n> \n>\n> You should consider opting\
-      \ in/out region behavior on-demand,\n>\n> by loading azure_region=None or azure_region=\"\
-      westus\"\n>\n> or azure_region=True (which means opt-in and auto-detect)\n>\n\
-      > from your per-deployment configuration, and then do\n>\n> app = ConfidentialClientApplication(...,\
-      \ azure_region=azure_region).\n>\n> \n>\n> Alternatively, you can configure\
-      \ a short timeout,\n>\n> or provide a custom http_client which has a short timeout.\n\
-      >\n> That way, the latency would be under your control,\n>\n> but still less\
-      \ performant than opting out of region feature.\n>\n\nNew in version 1.12.0."
+    description: "(optional)\nInstructs MSAL to use the Entra regional token service.\
+      \ This legacy feature is only available to\nfirst-party applications. Only `acquire_token_for_client()`\
+      \ is supported.\n\nSupports 3 values:\n\n   `azure_region=None` - meaning no\
+      \ region is used. This is the default value.\n   `azure_region=\"some_region\"\
+      ` - meaning the specified region is used.\n   `azure_region=True` - meaning\
+      \ MSAL will try to auto-detect the region. This is not recommended.\n\n\n> [!NOTE]\n\
+      > Region auto-discovery has been tested on VMs and on Azure Functions. It is\
+      \ unreliable.\n>\n> Applications using this option should configure a short\
+      \ timeout.\n>\n> \n>\n> For more details and for the values of the region string\n\
+      >\n> \n>\n> see [https://learn.microsoft.com/entra/msal/dotnet/resources/region-discovery-troubleshooting](https://learn.microsoft.com/entra/msal/dotnet/resources/region-discovery-troubleshooting)\n\
+      >\n\nNew in version 1.12.0."
     defaultValue: None
     types:
     - <xref:str>

python/docs-ref-autogen/msal/msal.application.PublicClientApplication.yml

@@ -32,7 +32,10 @@ constructor:
     description: 'This setting is only effective if your app is running on Windows
       10+.
 
-      This parameter defaults to None, which means MSAL will not utilize a broker.'
+      This parameter defaults to None, which means MSAL will not utilize a broker.
+
+
+      New in MSAL Python 1.25.0.'
     isRequired: true
     types:
     - <xref:boolean>
@@ -88,7 +91,8 @@ methods:
     `ms-appx-web://Microsoft.AAD.BrokerPlugin/YOUR_CLIENT_ID`'
   signature: acquire_token_interactive(scopes, prompt=None, login_hint=None, domain_hint=None,
     claims_challenge=None, timeout=None, port=None, extra_scopes_to_consent=None,
-    max_age=None, parent_window_handle=None, on_before_launching_ui=None, **kwargs)
+    max_age=None, parent_window_handle=None, on_before_launching_ui=None, auth_scheme=None,
+    **kwargs)
   parameters:
   - name: scopes
     description: It is a list of case-sensitive strings.
@@ -215,6 +219,16 @@ methods:
     defaultValue: None
     types:
     - <xref:function>
+  - name: auth_scheme
+    description: 'You can provide an `msal.auth_scheme.PopAuthScheme` object
+
+      so that MSAL will get a Proof-of-Possession (POP) token for you.
+
+
+      New in version 1.26.0.'
+    defaultValue: None
+    types:
+    - <xref:object>
   return:
     description: "* A dict containing no \"error\" key, and typically contains an\
       \ \"access_token\" key. \n\n* A dict containing an \"error\" key, when token\

python/docs-ref-autogen/msal/msal.auth_scheme.PopAuthScheme.yml

@@ -0,0 +1,42 @@
+### YamlMime:PythonClass
+uid: msal.auth_scheme.PopAuthScheme
+name: PopAuthScheme
+fullName: msal.auth_scheme.PopAuthScheme
+module: msal.auth_scheme
+inheritances:
+- builtins.object
+summary: Create an auth scheme which is needed to obtain a Proof-of-Possession token.
+constructor:
+  syntax: PopAuthScheme(http_method=None, url=None, nonce=None)
+  parameters:
+  - name: http_method
+    description: Its value is an uppercase http verb, such as "GET" and "POST".
+    defaultValue: None
+    types:
+    - <xref:str>
+  - name: url
+    description: The url to be signed.
+    defaultValue: None
+    types:
+    - <xref:str>
+  - name: nonce
+    description: The nonce came from resource's challenge.
+    defaultValue: None
+    types:
+    - <xref:str>
+attributes:
+- uid: msal.auth_scheme.PopAuthScheme.HTTP_DELETE
+  name: HTTP_DELETE
+  signature: HTTP_DELETE = 'DELETE'
+- uid: msal.auth_scheme.PopAuthScheme.HTTP_GET
+  name: HTTP_GET
+  signature: HTTP_GET = 'GET'
+- uid: msal.auth_scheme.PopAuthScheme.HTTP_PATCH
+  name: HTTP_PATCH
+  signature: HTTP_PATCH = 'PATCH'
+- uid: msal.auth_scheme.PopAuthScheme.HTTP_POST
+  name: HTTP_POST
+  signature: HTTP_POST = 'POST'
+- uid: msal.auth_scheme.PopAuthScheme.HTTP_PUT
+  name: HTTP_PUT
+  signature: HTTP_PUT = 'PUT'

python/docs-ref-autogen/msal/msal.auth_scheme.yml

@@ -0,0 +1,6 @@
+### YamlMime:PythonModule
+uid: msal.auth_scheme
+name: auth_scheme
+fullName: msal.auth_scheme
+classes:
+- msal.auth_scheme.PopAuthScheme

python/docs-ref-autogen/msal/msal.yml

@@ -5,4 +5,5 @@ fullName: msal
 type: import
 modules:
 - msal.application
+- msal.auth_scheme
 - msal.token_cache

python/docs-ref-autogen/toc.yml

@@ -11,6 +11,12 @@
     - name: msal.application.PublicClientApplication
       uid: msal.application.PublicClientApplication
     name: msal.application
+  - items:
+    - name: Overview
+      uid: msal.auth_scheme
+    - name: msal.auth_scheme.PopAuthScheme
+      uid: msal.auth_scheme.PopAuthScheme
+    name: msal.auth_scheme
   - items:
     - name: Overview
       uid: msal.token_cache