Credentials accept tenant_id argument to get_token #19602

chlowell · 2021-06-30T16:37:25Z

This is the first step in enabling clients to implement tenant discovery via authentication challenges. Credentials which can in principle authenticate in multiple tenants (i.e. not ManagedIdentityCredential) receive a new parameter, allow_multitenant_authentication. When this is True, these credentials will honor a tenant_id keyword argument to get_token. When it's False, which is the default, get_token raises an exception when given a tenant that doesn't match the credential's configured tenant (i.e. the one set at instantiation), unless environment variable AZURE_IDENTITY_ENABLE_LEGACY_TENANT_SELECTION is set (because raising this exception may be a breaking change for some applications). When that environment variable is set get_token will use the credential's configured tenant, ignoring a tenant_id keyword argument.

Closes #17979, closes #19300

sdk/identity/azure-identity/azure/identity/aio/_credentials/azure_cli.py

mccoyp · 2021-07-03T00:55:21Z

sdk/identity/azure-identity/azure/identity/aio/_credentials/azure_cli.py

    """

+    def __init__(self, **kwargs):
+        self._allow_multitenant = kwargs.get("allow_multitenant_authentication", False)


Should we kwargs.pop here and in the sync version?

No need, kwargs isn't used again. I should use keyword-only syntax here though.

check-enforcer · 2021-07-06T15:56:31Z

This pull request is protected by Check Enforcer.

What is Check Enforcer?

Check Enforcer helps ensure all pull requests are covered by at least one check-run (typically an Azure Pipeline). When all check-runs associated with this pull request pass then Check Enforcer itself will pass.

Why am I getting this message?

You are getting this message because Check Enforcer did not detect any check-runs being associated with this pull request within five minutes. This may indicate that your pull request is not covered by any pipelines and so Check Enforcer is correctly blocking the pull request being merged.

What should I do now?

If the check-enforcer check-run is not passing and all other check-runs associated with this PR are passing (excluding license-cla) then you could try telling Check Enforcer to evaluate your pull request again. You can do this by adding a comment to this pull request as follows:
/check-enforcer evaluate
Typically evaulation only takes a few seconds. If you know that your pull request is not covered by a pipeline and this is expected you can override Check Enforcer using the following command:
/check-enforcer override
Note that using the override command triggers alerts so that follow-up investigations can occur (PRs still need to be approved as normal).

What if I am onboarding a new service?

Often, new services do not have validation pipelines associated with them, in order to bootstrap pipelines for a new service, you can issue the following command as a pull request comment:
/azp run prepare-pipelines
This will run a pipeline that analyzes the source tree and creates the pipelines necessary to build and validate your pull request. Once the pipeline has been created you can trigger the pipeline using the following comment:
/azp run python - [service] - ci

Co-authored-by: McCoy Patiño <39780829+mccoyp@users.noreply.github.com>

chlowell · 2021-07-07T16:28:13Z

sdk/identity/azure-identity/azure/identity/_internal/__init__.py

@@ -43,6 +49,24 @@ def validate_tenant_id(tenant_id):
        )


+def resolve_tenant(default_tenant, allow_multitenant, tenant_id=None, **_):


@christothes I believe this is equivalent to your TenantIdResolver but please take a look, maybe I misread that (C# pattern matching syntax is new to me).

mccoyp · 2021-07-07T17:56:14Z

sdk/identity/azure-identity/azure/identity/_internal/interactive.py

@@ -79,7 +84,7 @@ def _build_auth_record(response):
        six.raise_from(auth_error, ex)


-class InteractiveCredential(MsalCredential):
+class InteractiveCredential(MsalCredential, ABC):


What's the reasoning for making InteractiveCredential an ABC instead of MsalCredential? I'm not too familiar with the purpose of inheriting from ABC

A class inheriting ABC can only be instantiated if it implements every method the ABC decorates with abstractmethod. That's useful here because it enables InteractiveCredential.get_token to consolidate common code and do most of the work for subclasses while ensuring you get a runtime error when a subclass doesn't implement the one method that differs between authentication flows. With this change MsalCredential loses its only abstract method and thus its reason for inheriting ABC. InteractiveCredential still has an abstract method but was inheriting ABC through MsalCredential. So, now it must inherit ABC directly.

* Credentials accept tenant_id argument to get_token (#19602) * Update changelog for azure-identity 1.7.0b2 (#19693) * [Key Vault] Drop 3.5 support for keys (#19712) * [AutoRelease] t2-compute-2021-07-08-85328 (#19715) * CodeGen from PR 14638 in Azure/azure-rest-api-specs Move RestorePoint properties into new properties bag for restore point (#14638) * version,CHANGELOG * test Co-authored-by: SDKAuto <sdkautomation@microsoft.com> Co-authored-by: PythonSdkPipelines <PythonSdkPipelines> * debug_guide for python SDK (#19716) * Increment package version after release of azure-servicebus (#19709) * Increment package version after release of azure-identity (#19721) * Prevent DeprecationWarning in Identity tests (#19723) * move _utils.py (#19431) * move _utils.py * update * [QnA] Initial SDK (#19544) * Template + first code gen * Basic client * First tests * Added async client + tests * Added answerspan test * Added authoring APIs * Some updates * Pure generated clients * Test updates * Update test imports * Clean working recordings * Renamed directory * Removed authoring for now * Use unreleased core * Remove conversation + ci yaml * Some CI updates * update language __init__.py to not have a space in the name * Setup.py * Updated core dependency * CI fixes * Added language nspkg * Fix Python 2.7 * Added some more tests * Test fixes * Added live configuration * Bumped msrest * readme + samples * No pypi or refdocs yet * Review feedback Co-authored-by: scbedd <45376673+scbedd@users.noreply.github.com> * fix broken rest due to utils movement (#19728) * handle details "null" (#19430) * handle details "null" * update * Bump aiohttp from 3.5.4 to 3.7.4 in /common/smoketest (#19330) Bumps [aiohttp](https://github.com/aio-libs/aiohttp) from 3.5.4 to 3.7.4. - [Release notes](https://github.com/aio-libs/aiohttp/releases) - [Changelog](https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst) - [Commits](aio-libs/aiohttp@v3.5.4...v3.7.4) --- updated-dependencies: - dependency-name: aiohttp dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Charles Lowell <chlowe@microsoft.com> Co-authored-by: McCoy Patiño <39780829+mccoyp@users.noreply.github.com> Co-authored-by: Azure CLI Bot <azclibot@microsoft.com> Co-authored-by: SDKAuto <sdkautomation@microsoft.com> Co-authored-by: msyyc <70930885+msyyc@users.noreply.github.com> Co-authored-by: Azure SDK Bot <53356347+azure-sdk@users.noreply.github.com> Co-authored-by: annatisch <antisch@microsoft.com> Co-authored-by: scbedd <45376673+scbedd@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* leave stream open in response * update * Get latest main (#19733) * Credentials accept tenant_id argument to get_token (#19602) * Update changelog for azure-identity 1.7.0b2 (#19693) * [Key Vault] Drop 3.5 support for keys (#19712) * [AutoRelease] t2-compute-2021-07-08-85328 (#19715) * CodeGen from PR 14638 in Azure/azure-rest-api-specs Move RestorePoint properties into new properties bag for restore point (#14638) * version,CHANGELOG * test Co-authored-by: SDKAuto <sdkautomation@microsoft.com> Co-authored-by: PythonSdkPipelines <PythonSdkPipelines> * debug_guide for python SDK (#19716) * Increment package version after release of azure-servicebus (#19709) * Increment package version after release of azure-identity (#19721) * Prevent DeprecationWarning in Identity tests (#19723) * move _utils.py (#19431) * move _utils.py * update * [QnA] Initial SDK (#19544) * Template + first code gen * Basic client * First tests * Added async client + tests * Added answerspan test * Added authoring APIs * Some updates * Pure generated clients * Test updates * Update test imports * Clean working recordings * Renamed directory * Removed authoring for now * Use unreleased core * Remove conversation + ci yaml * Some CI updates * update language __init__.py to not have a space in the name * Setup.py * Updated core dependency * CI fixes * Added language nspkg * Fix Python 2.7 * Added some more tests * Test fixes * Added live configuration * Bumped msrest * readme + samples * No pypi or refdocs yet * Review feedback Co-authored-by: scbedd <45376673+scbedd@users.noreply.github.com> * fix broken rest due to utils movement (#19728) * handle details "null" (#19430) * handle details "null" * update * Bump aiohttp from 3.5.4 to 3.7.4 in /common/smoketest (#19330) Bumps [aiohttp](https://github.com/aio-libs/aiohttp) from 3.5.4 to 3.7.4. - [Release notes](https://github.com/aio-libs/aiohttp/releases) - [Changelog](https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst) - [Commits](aio-libs/aiohttp@v3.5.4...v3.7.4) --- updated-dependencies: - dependency-name: aiohttp dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Charles Lowell <chlowe@microsoft.com> Co-authored-by: McCoy Patiño <39780829+mccoyp@users.noreply.github.com> Co-authored-by: Azure CLI Bot <azclibot@microsoft.com> Co-authored-by: SDKAuto <sdkautomation@microsoft.com> Co-authored-by: msyyc <70930885+msyyc@users.noreply.github.com> Co-authored-by: Azure SDK Bot <53356347+azure-sdk@users.noreply.github.com> Co-authored-by: annatisch <antisch@microsoft.com> Co-authored-by: scbedd <45376673+scbedd@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Charles Lowell <chlowe@microsoft.com> Co-authored-by: McCoy Patiño <39780829+mccoyp@users.noreply.github.com> Co-authored-by: Azure CLI Bot <azclibot@microsoft.com> Co-authored-by: SDKAuto <sdkautomation@microsoft.com> Co-authored-by: msyyc <70930885+msyyc@users.noreply.github.com> Co-authored-by: Azure SDK Bot <53356347+azure-sdk@users.noreply.github.com> Co-authored-by: annatisch <antisch@microsoft.com> Co-authored-by: scbedd <45376673+scbedd@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* leave stream open in response * update * Get latest main (Azure#19733) * Credentials accept tenant_id argument to get_token (Azure#19602) * Update changelog for azure-identity 1.7.0b2 (Azure#19693) * [Key Vault] Drop 3.5 support for keys (Azure#19712) * [AutoRelease] t2-compute-2021-07-08-85328 (Azure#19715) * CodeGen from PR 14638 in Azure/azure-rest-api-specs Move RestorePoint properties into new properties bag for restore point (Azure#14638) * version,CHANGELOG * test Co-authored-by: SDKAuto <sdkautomation@microsoft.com> Co-authored-by: PythonSdkPipelines <PythonSdkPipelines> * debug_guide for python SDK (Azure#19716) * Increment package version after release of azure-servicebus (Azure#19709) * Increment package version after release of azure-identity (Azure#19721) * Prevent DeprecationWarning in Identity tests (Azure#19723) * move _utils.py (Azure#19431) * move _utils.py * update * [QnA] Initial SDK (Azure#19544) * Template + first code gen * Basic client * First tests * Added async client + tests * Added answerspan test * Added authoring APIs * Some updates * Pure generated clients * Test updates * Update test imports * Clean working recordings * Renamed directory * Removed authoring for now * Use unreleased core * Remove conversation + ci yaml * Some CI updates * update language __init__.py to not have a space in the name * Setup.py * Updated core dependency * CI fixes * Added language nspkg * Fix Python 2.7 * Added some more tests * Test fixes * Added live configuration * Bumped msrest * readme + samples * No pypi or refdocs yet * Review feedback Co-authored-by: scbedd <45376673+scbedd@users.noreply.github.com> * fix broken rest due to utils movement (Azure#19728) * handle details "null" (Azure#19430) * handle details "null" * update * Bump aiohttp from 3.5.4 to 3.7.4 in /common/smoketest (Azure#19330) Bumps [aiohttp](https://github.com/aio-libs/aiohttp) from 3.5.4 to 3.7.4. - [Release notes](https://github.com/aio-libs/aiohttp/releases) - [Changelog](https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst) - [Commits](aio-libs/aiohttp@v3.5.4...v3.7.4) --- updated-dependencies: - dependency-name: aiohttp dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Charles Lowell <chlowe@microsoft.com> Co-authored-by: McCoy Patiño <39780829+mccoyp@users.noreply.github.com> Co-authored-by: Azure CLI Bot <azclibot@microsoft.com> Co-authored-by: SDKAuto <sdkautomation@microsoft.com> Co-authored-by: msyyc <70930885+msyyc@users.noreply.github.com> Co-authored-by: Azure SDK Bot <53356347+azure-sdk@users.noreply.github.com> Co-authored-by: annatisch <antisch@microsoft.com> Co-authored-by: scbedd <45376673+scbedd@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Charles Lowell <chlowe@microsoft.com> Co-authored-by: McCoy Patiño <39780829+mccoyp@users.noreply.github.com> Co-authored-by: Azure CLI Bot <azclibot@microsoft.com> Co-authored-by: SDKAuto <sdkautomation@microsoft.com> Co-authored-by: msyyc <70930885+msyyc@users.noreply.github.com> Co-authored-by: Azure SDK Bot <53356347+azure-sdk@users.noreply.github.com> Co-authored-by: annatisch <antisch@microsoft.com> Co-authored-by: scbedd <45376673+scbedd@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chlowell added the Azure.Identity label Jun 30, 2021

chlowell requested review from christothes and mccoyp June 30, 2021 16:37

chlowell force-pushed the dynamic-tenant branch from 1e4151c to 9304a83 Compare July 1, 2021 01:06

mccoyp reviewed Jul 3, 2021

View reviewed changes

chlowell and others added 13 commits July 6, 2021 16:18

GetTokenMixin passes kwargs through the get_token flow

7998ad7

credentials using MSAL take tenant_id in get_token

d57b93b

AadClient allows multitenant auth

e5f2502

remove some dead code

df6c707

async service principal credentials accept tenant_id for silent auth

1b90fdb

so does VisualStudioCodeCredential

f8238c2

auth code and CLI credentials

a4fdaa2

PowerShell credential

6a3e8b8

SharedTokenCacheCredential

1d286c9

tests

8e90d26

Thanks, McCoy

ae143bf

Co-authored-by: McCoy Patiño <39780829+mccoyp@users.noreply.github.com>

MsalCredential isn't abstract anymore

a027eb4

keyword-only syntax

9122191

chlowell force-pushed the dynamic-tenant branch from 4a80f07 to 9122191 Compare July 6, 2021 23:24

chlowell added 2 commits July 6, 2021 17:12

try %WINDIR% after %SYSTEMROOT%

7781b76

rather, stop clearing environ in these tests 😂

3424c88

chlowell marked this pull request as ready for review July 7, 2021 16:24

chlowell requested a review from schaabs as a code owner July 7, 2021 16:24

chlowell requested a review from mccoyp July 7, 2021 16:24

chlowell commented Jul 7, 2021

View reviewed changes

mccoyp reviewed Jul 7, 2021

View reviewed changes

mccoyp approved these changes Jul 7, 2021

View reviewed changes

chlowell added 2 commits July 7, 2021 16:39

actually these credentials should tolerate unexpected kwargs

f726cd3

add allow_multitenant_authentication to DefaultAzureCredential

3298bb2

chlowell added 2 commits July 7, 2021 16:46

tests

f0ab7b2

update docstrings

fa7bac0

chlowell merged commit 4fbe208 into Azure:main Jul 8, 2021

chlowell deleted the dynamic-tenant branch July 8, 2021 00:32

rakshith91 pushed a commit to rakshith91/azure-sdk-for-python that referenced this pull request Jul 16, 2021

Credentials accept tenant_id argument to get_token (Azure#19602)

9758f6d

chlowell mentioned this pull request Sep 8, 2021

Nickel Community Feature Requests related to StaticTokenCredential / token helper methods #19306

Closed

9 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Credentials accept tenant_id argument to get_token #19602

Credentials accept tenant_id argument to get_token #19602

chlowell commented Jun 30, 2021

mccoyp Jul 3, 2021

chlowell Jul 6, 2021

check-enforcer bot commented Jul 6, 2021

chlowell Jul 7, 2021

mccoyp Jul 7, 2021

chlowell Jul 7, 2021

		@@ -43,6 +49,24 @@ def validate_tenant_id(tenant_id):
		)


		def resolve_tenant(default_tenant, allow_multitenant, tenant_id=None, **_):

Credentials accept tenant_id argument to get_token #19602

Credentials accept tenant_id argument to get_token #19602

Conversation

chlowell commented Jun 30, 2021

mccoyp Jul 3, 2021

Choose a reason for hiding this comment

chlowell Jul 6, 2021

Choose a reason for hiding this comment

check-enforcer bot commented Jul 6, 2021

What is Check Enforcer?

Why am I getting this message?

What should I do now?

What if I am onboarding a new service?

chlowell Jul 7, 2021

Choose a reason for hiding this comment

mccoyp Jul 7, 2021

Choose a reason for hiding this comment

chlowell Jul 7, 2021

Choose a reason for hiding this comment