
[Identity] CAE b3 #17612

Merged
merged 2 commits into from
Apr 12, 2021

Conversation

jiasli
Member

@jiasli jiasli commented Apr 8, 2021

Dependencies

CAE b3 support builds upon

This PR is a rework of #17070.

Testing Guide

# Log in with CAE enabled
> az login

# A successful command using Track 2 SDK
> az storage account list

# A successful command using Track 1 SDK
> az group list

# Get the access token
# Decode it at https://jwt.ms and check claims
#   - "xms_cc": ["CP1"]
#   - "xms_ssm": "1" 
> az account get-access-token

# Revoke the session
> az rest -m POST -u https://graph.microsoft.com/v1.0/me/revokeSignInSessions

# Wait several minutes for the session revocation to propagate

# A failed command using Track 2 SDK
> az storage account list
AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-04-08T07:28:53.6808518Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-08T07:29:09.0000000Z'.
Trace ID: 686ab9c1-9991-4bc1-b353-279b2ea2ab01
Correlation ID: d1731352-800d-4b95-ae15-5e1999ce5d0b
Timestamp: 2021-04-08 07:53:44Z
To re-authenticate, please run:
az logout
az login
If the problem persists, please contact your tenant administrator.

# A failed command using Track 1 SDK
> az group list
Authentication failed.
The access token has expired or been revoked by Continuous Access Evaluation. Silent re-authentication will be attempted in the future.
To re-authenticate, please run:
az logout
az login
If the problem persists, please contact your tenant administrator.

Additional context

Due to MSAL caching issue AzureAD/microsoft-authentication-library-for-python#335, az logout is currently mandatory before calling az login again so that revoked access tokens can be purged from MSAL cache.
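The testing guide above asks you to decode the token from `az account get-access-token` at jwt.ms and confirm the `xms_cc` and `xms_ssm` claims. The script below, an added example that is not part of this PR or of azure-cli, does the same check offline: it parses the JSON that `az account get-access-token` prints, splits the compact JWT, base64url-decodes the payload without verifying the signature (exactly what jwt.ms does, so it is only appropriate for inspecting a token you already hold), and reports whether the claims the guide expects are present. The sample tokens are constructed with a dummy signature so the script runs without a real login; the function names are this example's own.

```python
"""Check whether an Azure AD access token advertises CAE support (added example, not azure-cli code)."""
import base64
import json

# Expected CAE claims, as listed in the PR's testing guide.
EXPECTED_CLIENT_CAPABILITY = "CP1"   # xms_cc must contain this
EXPECTED_XMS_SSM = "1"               # xms_ssm must equal this


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url (the JWT convention)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    This mirrors what https://jwt.ms does: fine for inspecting your own token,
    never a basis for trusting claims presented by someone else.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_cae_claims(claims: dict) -> dict:
    """Evaluate the CAE-related claims the testing guide tells you to verify."""
    capabilities = claims.get("xms_cc", [])
    if isinstance(capabilities, str):        # tolerate a single-string form
        capabilities = [capabilities]
    has_cp1 = EXPECTED_CLIENT_CAPABILITY in capabilities
    ssm_ok = str(claims.get("xms_ssm", "")) == EXPECTED_XMS_SSM
    return {
        "xms_cc": list(capabilities),
        "cp1_advertised": has_cp1,
        "xms_ssm_ok": ssm_ok,
        "cae_ready": has_cp1 and ssm_ok,
    }


def check_az_token_output(az_json: str) -> dict:
    """Run the check on the JSON printed by `az account get-access-token`."""
    return check_cae_claims(decode_jwt_claims(json.loads(az_json)["accessToken"]))


def build_constructed_token(claims: dict) -> str:
    """Build an UNSIGNED demo token (constructed sample input; the signature is a dummy)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysig"


# Constructed samples: one CAE-capable token, one issued without the capability.
CAE_TOKEN = build_constructed_token(
    {"aud": "https://management.azure.com/", "xms_cc": ["CP1"], "xms_ssm": "1"})
PLAIN_TOKEN = build_constructed_token({"aud": "https://management.azure.com/"})
# Constructed stand-in for the JSON `az account get-access-token` prints.
CAE_AZ_OUTPUT = json.dumps({"accessToken": CAE_TOKEN, "tokenType": "Bearer"})

if __name__ == "__main__":
    for name, tok in (("cae", CAE_TOKEN), ("plain", PLAIN_TOKEN)):
        print(name, check_cae_claims(decode_jwt_claims(tok)))
```

With a real login, pipe the CLI output in (`az account get-access-token | python -c 'import sys, check_cae; print(check_cae.check_az_token_output(sys.stdin.read()))'`, assuming the file is saved as `check_cae.py`); a result with `cae_ready` false means the CLI did not request CAE capabilities for that token and the revocation steps in the guide will not produce the CAE-specific errors shown.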

@yonzhan
Collaborator

yonzhan commented Apr 8, 2021

CAE b3

@jiasli
Member Author

jiasli commented Apr 9, 2021

Installation instructions:

python -m venv cae-venv

# PowerShell
. .\cae-venv\Scripts\Activate.ps1

# Bash
. cae-venv/bin/activate

python -m pip install --upgrade pip

pip install --extra-index-url https://azurecliedge.blob.core.windows.net/cae/simple/ azure-cli==2.21.0.1
