[Identity] Throw CredentialUnavailableException from credentials not supporting ADFS #14763

Merged (3 commits), Sep 2, 2020
1 change: 1 addition & 0 deletions sdk/identity/Azure.Identity/CHANGELOG.md
Expand Up @@ -8,6 +8,7 @@

### Fixes and improvements
- Fixed issue with non GUID Client Ids (Issue [#14585](https://github.com/Azure/azure-sdk-for-net/issues/14585))
- Update `VisualStudioCredential` and `VisualStudioCodeCredential` to throw `CredentialUnavailableException` for ADFS tenant (Issue [#14639](https://github.com/Azure/azure-sdk-for-net/issues/14639))


## 1.2.2 (2020-08-20)
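Review bot: the entry should name the exact tenant id that triggers the new behaviour, since both credential hunks compare against the constant `"adfs"` with `StringComparison.Ordinal`; suggest wording such as "throw `CredentialUnavailableException` when `TenantId` is `"adfs"`" so users know which value is rejected.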
2 changes: 2 additions & 0 deletions sdk/identity/Azure.Identity/src/Constants.cs
Expand Up @@ -11,6 +11,8 @@ internal class Constants
{
public const string OrganizationsTenantId = "organizations";

public const string AdfsTenantId = "adfs";

// TODO: Currently this is piggybacking off the Azure CLI client ID, but needs to be switched once the Developer Sign On application is available
public const string DeveloperSignOnClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";

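Review bot: add a short comment on `AdfsTenantId` stating that the credentials match it exactly (lowercase); the neighbouring `DeveloperSignOnClientId` already carries a note about where its value comes from, and the casing expectation is not obvious from the constant alone.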
5 changes: 5 additions & 0 deletions sdk/identity/Azure.Identity/src/VisualStudioCodeCredential.cs
Expand Up @@ -61,6 +61,11 @@ private async ValueTask<AccessToken> GetTokenImplAsync(TokenRequestContext reque

try
{
if (string.Equals(_tenantId, Constants.AdfsTenantId, StringComparison.Ordinal))
Contributor:
Does case matter here?

Member Author:
Probably in practice no, but since it's part of the Authority path, it is possible the service would treat this as case sensitive. So to err on the side of caution I was doing a case insensitive compare for the time being, and we can document that users should use the tenant id "adfs" all lowercase when authenticating with ADFS.

{
throw new CredentialUnavailableException("VisualStudioCodeCredential authentication unavailable. ADFS tenant / authorities are not supported.");
}

GetUserSettings(out var tenant, out var environmentName);

var cloudInstance = GetAzureCloudInstance(environmentName);
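Review bot: the comparison uses `StringComparison.Ordinal`, which is case-sensitive, while the reply above describes the intent as a case-insensitive compare; either switch to `StringComparison.OrdinalIgnoreCase` or keep the ordinal compare and document that the tenant id must be the lowercase string "adfs". Separately, the check inspects only `_tenantId`, but `GetUserSettings(out var tenant, out var environmentName)` on the next line reads a tenant from the VS Code settings; if that value can be "adfs" when `_tenantId` is not set, the check should run against the effective tenant after the settings are read.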
5 changes: 5 additions & 0 deletions sdk/identity/Azure.Identity/src/VisualStudioCredential.cs
Expand Up @@ -64,6 +64,11 @@ private async ValueTask<AccessToken> GetTokenImplAsync(TokenRequestContext reque

try
{
if (string.Equals(_tenantId, Constants.AdfsTenantId, StringComparison.Ordinal))
{
throw new CredentialUnavailableException("VisualStudioCredential authentication unavailable. ADFS tenant/authorities are not supported.");
}

var tokenProviderPath = GetTokenProviderPath();
var tokenProviders = GetTokenProviders(tokenProviderPath);

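Review bot: this duplicates the ordinal comparison from `VisualStudioCodeCredential`; if the casing decision changes there it must change here too, so consider a shared helper for the check so the two credentials cannot drift. The message text also differs slightly between the two ("tenant/authorities" here, "tenant / authorities" in the other file); aligning them makes the errors easier to search for.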
@@ -0,0 +1,28 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

using System.Threading;
using Azure.Core;
using Azure.Core.TestFramework;
using NUnit.Framework;

namespace Azure.Identity.Tests
{
public class VisualStudioCodeCredentialTests : ClientTestBase
{
public VisualStudioCodeCredentialTests(bool isAsync) : base(isAsync)
{

}

[Test]
public void AdfsTenantThrowsCredentialUnavailable()
{
var options = new VisualStudioCodeCredentialOptions { TenantId = "adfs", Transport = new MockTransport() };

VisualStudioCodeCredential credential = InstrumentClient(new VisualStudioCodeCredential(options));

Assert.ThrowsAsync<CredentialUnavailableException>(async () => await credential.GetTokenAsync(new TokenRequestContext(new[] { "https://vault.azure.net/.default" }), CancellationToken.None));
}
}
}
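Review bot: `Assert.ThrowsAsync` returns the caught exception, so assert on its message (for example that it mentions ADFS) to make sure the `CredentialUnavailableException` comes from the new tenant check rather than from the VS Code settings lookup failing on the test machine. The empty constructor body can also drop its blank line, and a second case with `TenantId = "ADFS"` would pin down whichever casing behaviour the review discussion settles on.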
10 changes: 10 additions & 0 deletions sdk/identity/Azure.Identity/tests/VisualStudioCredentialTests.cs
Expand Up @@ -178,5 +178,15 @@ public void AuthenticateWithVsCredential_CredentialUnavailableExceptionPassThrou
var credential = InstrumentClient(new VisualStudioCredential(default, default, fileSystem, testProcessFactory));
Assert.ThrowsAsync<CredentialUnavailableException>(async () => await credential.GetTokenAsync(new TokenRequestContext(new[]{"https://vault.azure.net/"}), CancellationToken.None));
}

[Test]
public void AdfsTenantThrowsCredentialUnavailable()
{
var options = new VisualStudioCredentialOptions { TenantId = "adfs", Transport = new MockTransport() };

VisualStudioCredential credential = InstrumentClient(new VisualStudioCredential(options));

Assert.ThrowsAsync<CredentialUnavailableException>(async () => await credential.GetTokenAsync(new TokenRequestContext(new[] { "https://vault.azure.net/.default" }), CancellationToken.None));
}
}
}
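Review bot: the preceding test `AuthenticateWithVsCredential_CredentialUnavailableExceptionPassThrough` shows that `VisualStudioCredential` already throws `CredentialUnavailableException` when token providers cannot be found, so this test would pass even without the ADFS check if `GetTokenProviders` fails in the test environment; capture the exception returned by `Assert.ThrowsAsync` and assert that its message mentions ADFS.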