[Feature Request] Support reading certificate from Windows certificate store

[jiasli]

MSAL client type

Confidential

Problem Statement

Currently, authenticating a service principal with certificate only supports plain-text certificate string as private_key:

microsoft-authentication-library-for-python/msal/application.py

Lines 213 to 224 in 52b1fc5

	:param client_credential:
	For :class:`PublicClientApplication`, you use `None` here.
	For :class:`ConfidentialClientApplication`,
	it can be a string containing client secret,
	or an X509 certificate container in this form::
	{
	"private_key": "...-----BEGIN PRIVATE KEY-----... in PEM format",
	"thumbprint": "A1B2C3D4E5F6...",
	"public_certificate": "...-----BEGIN CERTIFICATE-----... (Optional. See below.)",
	"passphrase": "Passphrase if the private_key is encrypted (Optional. Added in version 1.6.0)",
	}

Proposed solution

It would be helpful to allow reading certificate from Windows certificate store.

[rayluo]

We would need to investigate how, and what kind of extra dependency it would bring (pywin32?).

FWIW, the managed identity support is coming. And I believe the path forward would be stay away from secret and even cert, and use federated by managed identity instead. See the last paragraph of the client_credential parameter for details.

[bgavrilMS]

We don't need to support loading from Windows Cert Store directly, but we need to show how it can be done. What is important is to allow ppl to import a certificate that has the key in TPM, for example from the cert store.

Any methods of loading certs must be compatible with hardware keys.