[Identity] Prepare release (#45112)

Removing beta feature for this patch release.

Signed-off-by: Paul Van Eck <paulvaneck@microsoft.com>

Author: pvaneck

sdk/identity/azure-identity/CHANGELOG.md

@@ -1,14 +1,6 @@
 # Release History
 
-## 1.26.0b2 (Unreleased)
-
-### Features Added
-
-### Breaking Changes
-
-> These changes do not impact the API of stable versions such as 1.25.1.
-> Only code written against beta version 1.26.0b1 is affected.
-- Renamed `use_token_proxy` keyword argument to `enable_azure_proxy` in `WorkloadIdentityCredential` to better reflect its purpose. ([#44147](https://github.com/Azure/azure-sdk-for-python/pull/44147))
+## 1.25.2 (2026-02-10)
 
 ### Bugs Fixed
 

sdk/identity/azure-identity/TROUBLESHOOTING.md

@@ -278,12 +278,6 @@ Get-AzAccessToken -ResourceUrl "https://management.core.windows.net"
 |---|---|---|
 |WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured|The `WorkloadIdentityCredential` requires `client_id`, `tenant_id` and `token_file_path` to authenticate with Microsoft Entra ID.| <ul><li>If using `DefaultAzureCredential` then:</li><ul><li>Ensure client ID is specified via the `workload_identity_client_id` keyword argument or the `AZURE_CLIENT_ID` env variable.</li><li>Ensure tenant ID is specified via the `AZURE_TENANT_ID` env variable.</li><li>Ensure token file path is specified via `AZURE_FEDERATED_TOKEN_FILE` env variable.</li><li>Ensure authority host is specified via `AZURE_AUTHORITY_HOST` env variable.</ul><li>If using `WorkloadIdentityCredential` then:</li><ul><li>Ensure tenant ID is specified via the `tenant_id` keyword argument or the `AZURE_TENANT_ID` env variable.</li><li>Ensure client ID is specified via the `client_id` keyword argument or the `AZURE_CLIENT_ID` env variable.</li><li>Ensure token file path is specified via the `token_file_path` keyword argument or the `AZURE_FEDERATED_TOKEN_FILE` environment variable. </li></ul></li><li>Consult the [product troubleshooting guide](https://azure.github.io/azure-workload-identity/docs/troubleshooting.html) for other issues.</li></ul>|
 
-#### `ClientAuthenticationError` for applications using [Azure Kubernetes Service identity bindings](https://learn.microsoft.com/azure/aks/identity-bindings-concepts)
-
-| Error Message |Description| Mitigation |
-|---|---|---|
-|<ul><li>AADSTS700211: No matching federated identity record found for presented assertion issuer ...</li><li>AADSTS700212: No matching federated identity record found for presented assertion audience 'api://AKSIdentityBinding'.</li></ul> |`WorkloadIdentityCredential` isn't configured to use the identity binding proxy|Set the `enable_azure_proxy` keyword argument to `True` when creating `WorkloadIdentityCredential`. Note that identity binding mode isn't supported when `WorkloadIdentityCredential` is used via `DefaultAzureCredential`. `WorkloadIdentityCredential` should be used directly in this scenario.|
-
 ## Troubleshoot `AzurePipelinesCredential` authentication issues
 
 [comment]: # ( cspell:ignore oidcrequesturi )

sdk/identity/azure-identity/azure/identity/_constants.py

@@ -68,10 +68,6 @@ class EnvironmentVariables:
     AZURE_REGIONAL_AUTHORITY_NAME = "AZURE_REGIONAL_AUTHORITY_NAME"
 
     AZURE_FEDERATED_TOKEN_FILE = "AZURE_FEDERATED_TOKEN_FILE"
-    AZURE_KUBERNETES_SNI_NAME = "AZURE_KUBERNETES_SNI_NAME"
-    AZURE_KUBERNETES_TOKEN_PROXY = "AZURE_KUBERNETES_TOKEN_PROXY"
-    AZURE_KUBERNETES_CA_FILE = "AZURE_KUBERNETES_CA_FILE"
-    AZURE_KUBERNETES_CA_DATA = "AZURE_KUBERNETES_CA_DATA"
 
     AZURE_TOKEN_CREDENTIALS = "AZURE_TOKEN_CREDENTIALS"
     WORKLOAD_IDENTITY_VARS = (AZURE_AUTHORITY_HOST, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE)

sdk/identity/azure-identity/azure/identity/_credentials/workload_identity.py

@@ -9,18 +9,13 @@
 
 from .client_assertion import ClientAssertionCredential
 from .._constants import EnvironmentVariables
-from .._internal import within_credential_chain
 
 
 WORKLOAD_CONFIG_ERROR = (
     "WorkloadIdentityCredential authentication unavailable. The workload options are not fully "
     "configured. See the troubleshooting guide for more information: "
     "https://aka.ms/azsdk/python/identity/workloadidentitycredential/troubleshoot"
 )
-CA_DATA_FILE_ERROR = "Both AZURE_KUBERNETES_CA_FILE and AZURE_KUBERNETES_CA_DATA are set. Only one should be set."
-CUSTOM_PROXY_ENV_ERROR = (
-    "AZURE_KUBERNETES_TOKEN_PROXY is not set but other custom endpoint-related environment variables are present."
-)
 
 
 class TokenFileMixin:
@@ -105,51 +100,10 @@ def __init__(
 
         self._token_file_path = token_file_path
 
-        if kwargs.pop("enable_azure_proxy", False) and not within_credential_chain.get():
-            token_proxy_endpoint = os.environ.get(EnvironmentVariables.AZURE_KUBERNETES_TOKEN_PROXY)
-            sni = os.environ.get(EnvironmentVariables.AZURE_KUBERNETES_SNI_NAME)
-            ca_file = os.environ.get(EnvironmentVariables.AZURE_KUBERNETES_CA_FILE)
-            ca_data = os.environ.get(EnvironmentVariables.AZURE_KUBERNETES_CA_DATA)
-            if token_proxy_endpoint:
-                if ca_file and ca_data:
-                    raise ValueError(CA_DATA_FILE_ERROR)
-
-                transport = _get_transport(
-                    sni=sni,
-                    token_proxy_endpoint=token_proxy_endpoint,
-                    ca_file=ca_file,
-                    ca_data=ca_data,
-                )
-
-                if transport:
-                    kwargs["transport"] = transport
-                else:
-                    raise ValueError(
-                        "Transport creation failed. Ensure that the requests package is installed to enable token "
-                        "proxy usage in this credential."
-                    )
-            elif sni or ca_file or ca_data:
-                raise ValueError(CUSTOM_PROXY_ENV_ERROR)
-
         super(WorkloadIdentityCredential, self).__init__(
             tenant_id=tenant_id,
             client_id=client_id,
             func=self._get_service_account_token,
             token_file_path=token_file_path,
             **kwargs,
         )
-
-
-def _get_transport(sni, token_proxy_endpoint, ca_file, ca_data):
-    try:
-        from .._internal.token_binding_transport_requests import CustomRequestsTransport
-
-        return CustomRequestsTransport(
-            sni=sni,
-            proxy_endpoint=token_proxy_endpoint,
-            ca_file=ca_file,
-            ca_data=ca_data,
-        )
-
-    except ImportError:
-        return None

sdk/identity/azure-identity/azure/identity/_internal/token_binding_transport_mixin.py

@@ -2,4 +2,4 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 # ------------------------------------
-VERSION = "1.26.0b2"
+VERSION = "1.25.2"

sdk/identity/azure-identity/azure/identity/_internal/token_binding_transport_requests.py

@@ -7,14 +7,8 @@
 from typing import Any, Optional
 
 from .client_assertion import ClientAssertionCredential
-from ..._credentials.workload_identity import (
-    TokenFileMixin,
-    WORKLOAD_CONFIG_ERROR,
-    CA_DATA_FILE_ERROR,
-    CUSTOM_PROXY_ENV_ERROR,
-)
+from ..._credentials.workload_identity import TokenFileMixin, WORKLOAD_CONFIG_ERROR
 from ..._constants import EnvironmentVariables
-from ..._internal import within_credential_chain
 
 
 class WorkloadIdentityCredential(ClientAssertionCredential, TokenFileMixin):
@@ -81,61 +75,10 @@ def __init__(
 
         self._token_file_path = token_file_path
 
-        if kwargs.pop("enable_azure_proxy", False) and not within_credential_chain.get():
-            token_proxy_endpoint = os.environ.get(EnvironmentVariables.AZURE_KUBERNETES_TOKEN_PROXY)
-            sni = os.environ.get(EnvironmentVariables.AZURE_KUBERNETES_SNI_NAME)
-            ca_file = os.environ.get(EnvironmentVariables.AZURE_KUBERNETES_CA_FILE)
-            ca_data = os.environ.get(EnvironmentVariables.AZURE_KUBERNETES_CA_DATA)
-            if token_proxy_endpoint:
-                if ca_file and ca_data:
-                    raise ValueError(CA_DATA_FILE_ERROR)
-
-                transport = _get_transport(
-                    sni=sni,
-                    token_proxy_endpoint=token_proxy_endpoint,
-                    ca_file=ca_file,
-                    ca_data=ca_data,
-                )
-
-                if transport:
-                    kwargs["transport"] = transport
-                else:
-                    raise ValueError(
-                        "Async transport creation failed. Ensure that the aiohttp or requests package is installed to "
-                        "enable token proxy usage in this credential."
-                    )
-            elif sni or ca_file or ca_data:
-                raise ValueError(CUSTOM_PROXY_ENV_ERROR)
-
         super().__init__(
             tenant_id=tenant_id,
             client_id=client_id,
             func=self._get_service_account_token,
             token_file_path=token_file_path,
             **kwargs,
         )
-
-
-def _get_transport(sni, token_proxy_endpoint, ca_file, ca_data):
-    try:
-        from .._internal.token_binding_transport_aiohttp import CustomAioHttpTransport
-
-        return CustomAioHttpTransport(
-            sni=sni,
-            proxy_endpoint=token_proxy_endpoint,
-            ca_file=ca_file,
-            ca_data=ca_data,
-        )
-    except ImportError:
-        # Fallback to async-wrapped requests transport
-        try:
-            from .._internal.token_binding_transport_asyncio import CustomAsyncioRequestsTransport
-
-            return CustomAsyncioRequestsTransport(
-                sni=sni,
-                proxy_endpoint=token_proxy_endpoint,
-                ca_file=ca_file,
-                ca_data=ca_data,
-            )
-        except ImportError:
-            return None