
Feature/azuread fic #1553

Open
mehighlow wants to merge 11 commits into python-social-auth:master from mehighlow:feature/azuread-fic

Conversation

@mehighlow

Azure AD (Entra ID) Federated Identity Credentials

Implements federated identity credentials so an external IdP’s OIDC-issued tokens can be trusted by a Microsoft Entra ID app. A common use case is an OIDC-enabled Kubernetes workload: the cluster issues a service account token and publishes OIDC metadata; the app registration is configured with a federated credential, allowing that token to authenticate without a client secret.

Links:
https://learn.microsoft.com/en-us/graph/api/resources/federatedidentitycredentials-overview
https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-create-trust
https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html
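Added example (not the PR's code) of the mechanism the description sketches: the workload's OIDC token replaces the client secret as an RFC 7523 client assertion in the token request, read from the file named by AZURE_FEDERATED_TOKEN_FILE, which the Azure Workload Identity webhook sets on a pod. Function names and the sample token are hypothetical.

```python
import os
import tempfile

# RFC 7523 assertion type; the Entra ID token endpoint expects exactly this value.
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def write_token_file(token):
    """Write a token to a temp file and return its path (helper modelled on the
    PR's test module; the caller is responsible for removing the file)."""
    with tempfile.NamedTemporaryFile("w", delete=False) as handle:
        handle.write(token)
    return handle.name


def read_federated_token(environ, env_var="AZURE_FEDERATED_TOKEN_FILE"):
    """Return the projected service-account token at the path named by env_var,
    or None when the variable is unset or the file is missing."""
    path = environ.get(env_var)
    if not path or not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        token = fh.read().strip()
    # A compact JWT has exactly three dot-separated segments; fail loudly on a
    # misconfigured mount instead of sending garbage to the token endpoint.
    if token.count(".") != 2:
        raise ValueError("federated token file does not contain a JWT")
    return token


def token_request_params(client_id, code, redirect_uri,
                         client_secret=None, client_assertion=None):
    """Build the authorization_code exchange body. A configured secret is used
    as before; otherwise the federated token is sent as a client assertion."""
    params = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
    }
    if client_secret:
        params["client_secret"] = client_secret
    elif client_assertion:
        params["client_assertion_type"] = JWT_BEARER
        params["client_assertion"] = client_assertion
    else:
        raise ValueError("no client secret and no federated identity credential")
    return params
```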

@mehighlow
Author

docs PR python-social-auth/social-docs#393

@codecov

codecov bot commented Feb 4, 2026

Codecov Report

❌ Patch coverage is 84.52381% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 79.01%. Comparing base (3facf31) to head (e6fa4d6).
⚠️ Report is 2 commits behind head on master.

Files with missing lines                    | Patch %  | Lines
social_core/backends/azuread.py             | 70.27%   | 8 Missing and 3 partials ⚠️
social_core/tests/backends/test_azuread.py  | 95.74%   | 1 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1553      +/-   ##
==========================================
+ Coverage   78.98%   79.01%   +0.03%     
==========================================
  Files         354      354              
  Lines       11523    11605      +82     
  Branches      526      534       +8     
==========================================
+ Hits         9101     9170      +69     
- Misses       2241     2250       +9     
- Partials      181      185       +4     
Flag       | Coverage Δ
unittests  | 79.01% <84.52%> (+0.03%) ⬆️


Contributor

Copilot AI left a comment


Pull request overview

This PR implements support for Azure AD (Entra ID) Federated Identity Credentials, allowing applications to authenticate using OIDC tokens from external identity providers instead of client secrets. This is particularly useful for Kubernetes workloads using service account tokens.

Changes:

  • Added client_assertion support to AzureAD OAuth2 backend as an alternative to client secrets
  • Modified token request methods to use client assertions when secrets are not configured
  • Added comprehensive test coverage for federated identity credential authentication flows

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File                                        | Description
social_core/backends/azuread.py             | Implements client assertion authentication logic with fallback to environment variables and file-based tokens
social_core/tests/backends/test_azuread.py  | Adds test classes covering FIC authentication, assertion validation, and missing credentials scenarios


mehighlow and others added 5 commits February 4, 2026 08:52
renames to 'AzureADOAuth2FederatedIdentityCredentialTest' for better clarit

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Renames token filename to  'OAUTH2_FEDERATED_TOKEN_FILE' for consistency with 'AZURE_FEDERATED_TOKEN_FILE'.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Comment on lines +159 to +163

    handle = tempfile.NamedTemporaryFile("w", delete=False)
    handle.write(value)
    handle.close()
    self.addCleanup(os.remove, handle.name)
    return handle.name
Member


This IMHO could use a context manager:

Suggested change

    handle = tempfile.NamedTemporaryFile("w", delete=False)
    handle.write(value)
    handle.close()
    self.addCleanup(os.remove, handle.name)
    return handle.name

    with tempfile.NamedTemporaryFile("w", delete=False) as handle:
        handle.write(value)
        self.addCleanup(os.remove, handle.name)
    return handle.name
