
[Identity] Support for tenant Id Challenges / tenant discovery in ClientCredentials #15837

Merged (25 commits, Jun 30, 2021)

Conversation


@sadasant sadasant commented Jun 18, 2021

This PR adds tenantId to the getTokenOptions, and adds options on every Identity credential to allow multi-tenant authentication (which will be disabled by default).

Fixes #15797


@sadasant sadasant marked this pull request as ready for review June 25, 2021 21:35
@sadasant sadasant changed the title from "[Identity] Draft for the support for tenant Id Challenges / tenant discovery in ClientCredentials" to "[Identity] Support for tenant Id Challenges / tenant discovery in ClientCredentials" Jun 25, 2021
@@ -314,7 +327,7 @@ export interface UsernamePasswordCredentialOptions extends TokenCredentialOption
// @public
export class VisualStudioCodeCredential implements TokenCredential {
constructor(options?: VisualStudioCodeCredentialOptions);
getToken(scopes: string | string[], _options?: GetTokenOptions): Promise<AccessToken>;
getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
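Review bot: The only change in this hunk is dropping the underscore from `_options`, which by convention signals that `VisualStudioCodeCredential.getToken` now actually reads its options (the PR description says `tenantId` is being added to the getToken options). Since TypeScript parameters are positional, callers are unaffected and this is not a breaking change; what should be confirmed in the implementation rather than in this API file is that an `options.tenantId` differing from the configured tenant is rejected while multi-tenant authentication remains disabled by default, as the PR description states.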
Member

Is this a breaking change? Can callers specify the argument name explicitly?

Contributor Author

This is not a breaking change, just a name change :)

Contributor Author

Callers can’t specify the argument names like this; they just pass the value.

Member

thankfully we don't have magical kwargs :)

Member

@schaabs schaabs left a comment

LGTM, thanks for the quick turnaround! Please get an approver from the JS team as well.

Member

@witemple-msft witemple-msft left a comment

I have a couple of questions in the comments, but LGTM from an API/JS/TS perspective.

Member

@xirzec xirzec left a comment

The public surface changes look good!

I have some remarks about the implementation

@sadasant sadasant requested a review from xirzec June 30, 2021 18:36
Co-authored-by: chradek <51000525+chradek@users.noreply.github.com>
@sadasant sadasant requested a review from chradek June 30, 2021 20:27
Comment on lines 141 to 145
const tenantId = processMultiTenantRequest(
this.tenantId,
this.allowMultiTenantAuthentication,
options
)!;
Contributor

I see you're using the non-null assertion. When would processMultiTenantRequest return undefined where that would be ok? We've been bitten by the non-null assertion in other packages and I wonder if it makes more sense to throw an error instead, or at least handle the undefined case.

Contributor Author

The tenantId has a default for this credential, which is common. It’s set on the credential options. processMultiTenantRequest will only pick the getToken options’ tenant if it exists, so either it exists in the options, or is assigned by the user, or is just common. Would a comment help?

Contributor Author

Oh I see. I can throw an error just in case

Contributor

I was hoping we could do some TypeScript magic like this:

export function processMultiTenantRequest<T extends string | undefined>(
  tenantId: T,
  allowMultiTenantAuthentication?: boolean,
  getTokenOptions?: GetTokenOptions
): T extends string ? string : string | undefined {
  // Multi-tenant auth is off and the caller asked for a tenant other than
  // the one the credential was configured with: reject rather than switch.
  if (
    !allowMultiTenantAuthentication &&
    getTokenOptions?.tenantId &&
    tenantId &&
    getTokenOptions.tenantId !== tenantId
  ) {
    throw new Error(multiTenantErrorMessage);
  }
  // Multi-tenant auth is on: honour the tenant from the getToken options.
  if (allowMultiTenantAuthentication && getTokenOptions?.tenantId) {
    return getTokenOptions.tenantId;
  }
  // Otherwise fall back to the credential's own tenantId (a string whenever T is).
  return tenantId as any;
}

That works but I had to resort to casting the final return as any.

Anyway, it looks like you're really only doing non-null assertion here, I see now your other calls handle undefined. With that said, maybe just add a comment so someone running across it will know this.tenantId is always available here.

Contributor Author

ok I’ll add a comment!

Contributor Author

Oh look, I can do this!

    const tenantId = processMultiTenantRequest(
      this.tenantId,
      this.allowMultiTenantAuthentication,
      options
    ) || this.tenantId;

Safer ^_^
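The tenant-selection rule debated in this thread (the typed `processMultiTenantRequest` above and the `|| this.tenantId` fallback), as an added stand-alone example that is not code from azure-sdk-for-js; the `GetTokenOptions` shape, the error text and `ExampleCredential` are constructed here for illustration.

```typescript
// Added example, not azure-sdk-for-js code: a self-contained model of the
// tenant-selection rule. Option shape and error text are constructed here.
interface GetTokenOptions {
  tenantId?: string;
}

const multiTenantErrorMessage =
  "Constructed message: the credential is not configured for multi-tenant " +
  "authentication, so it cannot acquire a token for a different tenant.";

// When the credential's own tenantId is a string the result is a string too,
// which is what lets a caller drop the non-null assertion.
export function processMultiTenantRequest<T extends string | undefined>(
  tenantId: T,
  allowMultiTenantAuthentication?: boolean,
  getTokenOptions?: GetTokenOptions
): T extends string ? string : string | undefined {
  const requested = getTokenOptions?.tenantId;
  // Default (multi-tenant disabled): a challenge for a tenant other than the
  // configured one is rejected instead of silently switching tenants.
  if (!allowMultiTenantAuthentication && requested && tenantId && requested !== tenantId) {
    throw new Error(multiTenantErrorMessage);
  }
  // Explicit opt-in: honour the tenant carried in the getToken options.
  if (allowMultiTenantAuthentication && requested) {
    return requested;
  }
  // T itself is not assignable to the conditional type, hence the cast.
  return tenantId as any;
}

// A credential with a default tenant, using the `|| this.tenantId` fallback
// from the thread so no `!` assertion is needed.
export class ExampleCredential {
  private tenantId: string;
  private allowMultiTenantAuthentication: boolean;
  constructor(tenantId = "common", allowMultiTenantAuthentication = false) {
    this.tenantId = tenantId;
    this.allowMultiTenantAuthentication = allowMultiTenantAuthentication;
  }
  // Returns the tenant a token request would be sent to.
  resolveTenant(options?: GetTokenOptions): string {
    return (
      processMultiTenantRequest(this.tenantId, this.allowMultiTenantAuthentication, options) ||
      this.tenantId
    );
  }
}
```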


ghost commented Jun 30, 2021

Hello @sadasant!

Because this pull request has the auto-merge label, I will be glad to assist with helping to merge this pull request once all check-in policies pass.

p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (@msftbot) and give me an instruction to get started! Learn more here.

@ghost ghost merged commit d8407ad into Azure:main Jun 30, 2021
@sadasant sadasant deleted the identity/fix15797 branch June 30, 2021 23:25
Successfully merging this pull request may close these issues.

Add support for tenant Id Challenges / tenant discovery in ClientCredentials