From 7fef03311ccda0236cb0569c7208dcbf45148ea7 Mon Sep 17 00:00:00 2001
From: Christopher Scott
Date: Tue, 17 Jan 2023 10:58:34 -0600
Subject: [PATCH 1/7] Fix regional endpoint validation error
---
 .../Azure.Identity/src/MsalConfidentialClient.cs | 2 +-
 .../tests/ManagedIdentityCredentialTests.cs | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/sdk/identity/Azure.Identity/src/MsalConfidentialClient.cs b/sdk/identity/Azure.Identity/src/MsalConfidentialClient.cs
index e45dd7c812d08..d8862cb5f9f51 100644
--- a/sdk/identity/Azure.Identity/src/MsalConfidentialClient.cs
+++ b/sdk/identity/Azure.Identity/src/MsalConfidentialClient.cs
@@ -12,7 +12,7 @@ namespace Azure.Identity
 {
 internal class MsalConfidentialClient : MsalClientBase
 {
- private const string s_instanceMetadata = "{\"tenant_discovery_endpoint\":\"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration\",\"api-version\":\"1.1\",\"metadata\":[{\"preferred_network\":\"login.microsoftonline.com\",\"preferred_cache\":\"login.windows.net\",\"aliases\":[\"login.microsoftonline.com\",\"login.windows.net\",\"login.microsoft.com\",\"sts.windows.net\"]}]}";
+ private const string s_instanceMetadata = "{\"tenant_discovery_endpoint\":\"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration\",\"api-version\":\"1.1\",\"metadata\":[{\"preferred_network\":\"login.microsoftonline.com\",\"preferred_cache\":\"login.windows.net\",\"aliases\":[\"login.microsoftonline.com\",\"login.windows.net\",\"login.microsoft.com\",\"sts.windows.net\"]},{\"preferred_network\":\"login.partner.microsoftonline.cn\",\"preferred_cache\":\"login.partner.microsoftonline.cn\",\"aliases\":[\"login.partner.microsoftonline.cn\",\"login.chinacloudapi.cn\"]},{\"preferred_network\":\"login.microsoftonline.de\",\"preferred_cache\":\"login.microsoftonline.de\",\"aliases\":[\"login.microsoftonline.de\"]},{\"preferred_network\":\"login.microsoftonline.us\",\"preferred_cache\":\"login.microsoftonline.us\",\"aliases\":[\"login.microsoftonline.us\",\"login.usgovcloudapi.net\"]},{\"preferred_network\":\"login-us.microsoftonline.com\",\"preferred_cache\":\"login-us.microsoftonline.com\",\"aliases\":[\"login-us.microsoftonline.com\"]}]}";
 internal readonly string _clientSecret;
 internal readonly bool _includeX5CClaimHeader;
 internal readonly IX509Certificate2Provider _certificateProvider;
diff --git a/sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs b/sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs
index 69a7c8455d272..ba8a680e0f33d 100644
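Review bot: The expanded `s_instanceMetadata` is a hand-copied snapshot of the AAD instance-discovery response for five clouds, but nothing on the line records where it was copied from or when; if a cloud alias is added or renamed upstream, a legitimate authority host will again fail MSAL's authority validation with no hint that this literal is the cause. Add a comment above the constant naming the discovery endpoint it mirrors and the capture date, so the next maintainer knows it is data that drifts rather than a fixed format, and consider splitting the literal across lines per cloud so a diff shows which entry changed. Note that patches 3/7 and 4/7 in this same series replace this approach, so the point only matters for revisions that keep this version of the constant.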
--- a/sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs
+++ b/sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs
@@ -109,7 +109,7 @@ public async Task VerifyImdsRequestWithClientIdMockAsync()
 [TestCase("westus")]
 public async Task VerifyImdsRequestWithClientIdAndRegionalAuthorityNameMockAsync(string regionName)
 {
- using var environment = new TestEnvVar(new() { {"AZURE_REGIONAL_AUTHORITY_NAME", regionName}, {"MSI_ENDPOINT", null }, { "MSI_SECRET", null }, { "IDENTITY_ENDPOINT", null }, { "IDENTITY_HEADER", null }, { "AZURE_POD_IDENTITY_AUTHORITY_HOST", null } });
+ using var environment = new TestEnvVar(new() { { "AZURE_REGIONAL_AUTHORITY_NAME", regionName }, { "MSI_ENDPOINT", null }, { "MSI_SECRET", null }, { "IDENTITY_ENDPOINT", null }, { "IDENTITY_HEADER", null }, { "AZURE_POD_IDENTITY_AUTHORITY_HOST", null } });
 var response = CreateMockResponse(200, ExpectedToken);
 var mockTransport = new MockTransport(response);
@@ -147,9 +147,12 @@ public async Task VerifyImdsRequestWithClientIdAndNonPubCloudMockAsync(Uri autho
 var options = new TokenCredentialOptions() { Transport = mockTransport, AuthorityHost = authority };
 //var pipeline = CredentialPipeline.GetInstance(options);
 var _pipeline = new HttpPipeline(mockTransport);
- var pipeline = new CredentialPipeline(authority, _pipeline, new ClientDiagnostics(options));
+ var pipeline = new CredentialPipeline(authority, _pipeline, new ClientDiagnostics(options));
- ManagedIdentityCredential credential = InstrumentClient(new ManagedIdentityCredential(new ManagedIdentityClient( pipeline, "mock-client-id")));
+ ManagedIdentityCredential credential = InstrumentClient(
+ new ManagedIdentityCredential(
+ new ManagedIdentityClient(
+ new ManagedIdentityClientOptions { Pipeline = pipeline, ClientId = "mock-client-id", Options = options })));
 AccessToken actualToken = await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default));
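Review bot: In the second hunk the removed and re-added `var pipeline = new CredentialPipeline(authority, _pipeline, new ClientDiagnostics(options));` read identically here, so it is a whitespace-only change that adds noise to a test that is otherwise being rewritten; dropping that pair keeps the hunk to the real change. On the rewrite itself, the new `ManagedIdentityClientOptions { Pipeline = pipeline, ClientId = "mock-client-id", Options = options }` carries `AuthorityHost = authority` through `options`, yet the visible lines assert nothing about which authority the credential ended up using — if no such assertion exists further down (the method body continues past the hunk), add one so the sovereign-cloud cases from `AuthorityHostValues` verify more than that a token came back. The pre-existing commented-out `//var pipeline = CredentialPipeline.GetInstance(options);` could be deleted in the same pass.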
@@ -857,7 +860,6 @@ public static IEnumerable AuthorityHostValues()
 yield return new object[] { AzureAuthorityHosts.AzureGermany };
 yield return new object[] { AzureAuthorityHosts.AzureGovernment };
 yield return new object[] { AzureAuthorityHosts.AzurePublicCloud };
- yield return new object[] { new Uri("https://foo.bar") };
 }
 private MockResponse CreateMockResponse(int responseCode, string token)
From 602b0ed775d11a51e96bfddd84716c82b2c810fa Mon Sep 17 00:00:00 2001
From: Christopher Scott
Date: Tue, 17 Jan 2023 14:10:06 -0600
Subject: [PATCH 2/7] adjust flaky test
---
 .../Azure.Identity/tests/ManagedIdentityCredentialTests.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs b/sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs
index ba8a680e0f33d..8c10f2787196d 100644
--- a/sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs
+++ b/sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs
@@ -699,10 +699,11 @@ public async Task VerifyInitialImdsConnectionTimeoutHonored()
 var startTime = DateTimeOffset.UtcNow;
 var ex = Assert.ThrowsAsync(async () => await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default)));
+ var endTime = DateTimeOffset.UtcNow;
 Assert.That(ex.Message, Does.Contain(ImdsManagedIdentitySource.AggregateError));
- Assert.Less(DateTimeOffset.UtcNow - startTime, TimeSpan.FromSeconds(2));
+ Assert.Less(endTime - startTime, TimeSpan.FromSeconds(2));
 await Task.CompletedTask;
 }
From 9b206db74dbee29687c4f664194eed5547e66091 Mon Sep 17 00:00:00 2001
From: Christopher Scott
Date: Fri, 20 Jan 2023 15:45:56 -0600
Subject: [PATCH 3/7] fb
---
 sdk/identity/Azure.Identity/src/MsalConfidentialClient.cs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
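Review bot: Removing `yield return new object[] { new Uri("https://foo.bar") };` from `AuthorityHostValues` drops the only case whose authority host lies outside the known clouds, so the regional-endpoint validation this series is titled for is afterwards exercised only for hosts MSAL already recognises. If an unknown host is meant to be rejected, keep a separate test that pins the failure mode; if it is meant to succeed on the app-token-provider path, keep the case in the data source — either way the intended behaviour for an unrecognised `AuthorityHost` should be asserted rather than left untested. `AuthorityHostValues` begins before the hunk.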
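Review bot: Capturing `endTime` immediately after `Assert.ThrowsAsync` narrows the measured window, but both timestamps still come from `DateTimeOffset.UtcNow`, a wall clock that can step under time synchronisation, so the `< 2s` bound keeps a flakiness source unrelated to the IMDS connection timeout under test. Use the monotonic `Stopwatch` from `System.Diagnostics` instead: `var stopwatch = Stopwatch.StartNew();` in place of `startTime`, and `Assert.Less(stopwatch.Elapsed, TimeSpan.FromSeconds(2));` in place of the subtraction, which also removes the need for `endTime`. `VerifyInitialImdsConnectionTimeoutHonored` starts before the hunk.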
diff --git a/sdk/identity/Azure.Identity/src/MsalConfidentialClient.cs b/sdk/identity/Azure.Identity/src/MsalConfidentialClient.cs
index d8862cb5f9f51..29f6aa7a4bac3 100644
--- a/sdk/identity/Azure.Identity/src/MsalConfidentialClient.cs
+++ b/sdk/identity/Azure.Identity/src/MsalConfidentialClient.cs
@@ -12,7 +12,8 @@ namespace Azure.Identity
 {
 internal class MsalConfidentialClient : MsalClientBase
 {
- private const string s_instanceMetadata = "{\"tenant_discovery_endpoint\":\"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration\",\"api-version\":\"1.1\",\"metadata\":[{\"preferred_network\":\"login.microsoftonline.com\",\"preferred_cache\":\"login.windows.net\",\"aliases\":[\"login.microsoftonline.com\",\"login.windows.net\",\"login.microsoft.com\",\"sts.windows.net\"]},{\"preferred_network\":\"login.partner.microsoftonline.cn\",\"preferred_cache\":\"login.partner.microsoftonline.cn\",\"aliases\":[\"login.partner.microsoftonline.cn\",\"login.chinacloudapi.cn\"]},{\"preferred_network\":\"login.microsoftonline.de\",\"preferred_cache\":\"login.microsoftonline.de\",\"aliases\":[\"login.microsoftonline.de\"]},{\"preferred_network\":\"login.microsoftonline.us\",\"preferred_cache\":\"login.microsoftonline.us\",\"aliases\":[\"login.microsoftonline.us\",\"login.usgovcloudapi.net\"]},{\"preferred_network\":\"login-us.microsoftonline.com\",\"preferred_cache\":\"login-us.microsoftonline.com\",\"aliases\":[\"login-us.microsoftonline.com\"]}]}";
+ // The instance metadata our callback returns only contains a known aka.ms link to ensure it will match the authority sent when a _appTokenProviderCallback is configured.
+ private const string s_instanceMetadata ="{\"tenant_discovery_endpoint\":\"https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot\",\"api-version\":\"1.1\",\"metadata\":[{\"preferred_network\":\"aka.ms\",\"preferred_cache\":\"aka.ms\",\"aliases\":[\"aka.ms\"]}]}";
 internal readonly string _clientSecret;
 internal readonly bool _includeX5CClaimHeader;
 internal readonly IX509Certificate2Provider _certificateProvider;
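Review bot: The sentinel URL `https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot` is embedded in the new `s_instanceMetadata` literal here and repeated verbatim in the `WithAuthority(...)` call in the next hunk of this file; MSAL's authority validation only passes while the two stay byte-identical, so define it once, e.g. `private const string s_appTokenProviderAuthority = "https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot";`, and build the metadata string from it. Two style points on the same lines: `s_instanceMetadata ="{` is missing the space after `=`, and the comment should read "an `_appTokenProviderCallback`". The `s_` prefix on a `const` rather than a static field is pre-existing.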
@@ -75,7 +76,7 @@ protected override async ValueTask CreateClientA
 if (_appTokenProviderCallback != null)
 {
 confClientBuilder.WithAppTokenProvider(_appTokenProviderCallback)
- .WithAuthority(_authority.AbsoluteUri, TenantId, false)
+ .WithAuthority("https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot", TenantId, false)
 .WithInstanceDiscoveryMetadata(s_instanceMetadata);
 }
 else
From f04343afcbdf8a792541f5c263520bc4e84a11cc Mon Sep 17 00:00:00 2001
From: Christopher Scott
Date: Mon, 23 Jan 2023 13:01:10 -0600
Subject: [PATCH 4/7] upgrade Microsoft.Identity.Client to get WithInstanceDiscovery(bool)
---
 eng/Packages.Data.props | 2 +-
 sdk/identity/Azure.Identity/src/MsalConfidentialClient.cs | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/eng/Packages.Data.props b/eng/Packages.Data.props
index b47de1137f52f..868c6776946cc 100644
--- a/eng/Packages.Data.props
+++ b/eng/Packages.Data.props
@@ -104,7 +104,7 @@ - + - +
From e303a7eb2d747904d581596af63b59a6c28063b2 Mon Sep 17 00:00:00 2001
From: Christopher Scott
Date: Tue, 24 Jan 2023 15:47:02 -0600
Subject: [PATCH 7/7] update Microsoft.Identity.Client.Extensions.Msal
---
 eng/Packages.Data.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eng/Packages.Data.props b/eng/Packages.Data.props
index ab1476d508d77..638a3f2749c99 100644
--- a/eng/Packages.Data.props
+++ b/eng/Packages.Data.props
@@ -105,7 +105,7 @@ - +
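Review bot: With an app token provider configured, the authority MSAL is built with is now a fixed sentinel instead of `_authority.AbsoluteUri`, so the `AuthorityHost` the caller selected no longer reaches MSAL on this path (only `TenantId` does); that is presumably harmless because `_appTokenProviderCallback`, not MSAL, obtains the token, but the line does not say so and the URL reads like a real endpoint. Add a comment such as `// Sentinel authority: MSAL never contacts it here — the token comes from _appTokenProviderCallback; it only has to match s_instanceMetadata so authority validation passes.` Two things the hunk cannot show are worth confirming: that MSAL does not dereference the metadata's `tenant_discovery_endpoint` in this mode, and — if MSAL's token cache is partitioned by authority environment — that one `MsalConfidentialClient` instance never serves more than one authority host, since every host now maps to the same environment. The subject of patch 4/7 indicates `WithInstanceDiscovery(bool)` was adopted afterwards, which would make the sentinel metadata unnecessary; the enclosing method (header truncated to `CreateClientA`) continues outside the hunk.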