SharedTokenCacheCredential takes an optional AuthenticationRecord #11637
Conversation
chlowell
added
Client
| @@ -29,6 +29,7 @@ | |||
| import msal_extensions | |||
| from azure.core.credentials import AccessToken | |||
| from .._internal import AadClientBase | |||
| from azure.identity import AuthenticationRecord | |||
There was a problem hiding this comment.
Why not from ..__auth_record?
There was a problem hiding this comment.
It's a public class, and I don't want to depend on its internal location.
| self._tenant_id = kwargs.pop("tenant_id", None) | ||
| self._auth_record = kwargs.pop("authentication_record", None) # type: Optional[AuthenticationRecord] | ||
| if self._auth_record: | ||
| self._authority = self._auth_record.authority |
There was a problem hiding this comment.
I don't see we have normalize_authority(authority) in ctor of AuthenticationRecord. So maybe we need it here
There was a problem hiding this comment.
Accounts in MSAL's cache don't have "normalized" authorities, so neither does AuthenticationRecord. This credential's client will normalize the authority it's given.
| self._authority = self._auth_record.authority | ||
| self._username = self._auth_record.username | ||
| self._tenant_id = self._auth_record.tenant_id | ||
| self._environment_aliases = frozenset((self._authority,)) |
There was a problem hiding this comment.
I expect w/ or w/o auth_record, we should have same behavior here as
environment = urlparse(self._authority).netloc
self._environment_aliases = KNOWN_ALIASES.get(environment) or frozenset((environment,))
?
There was a problem hiding this comment.
Good eye. We don't need to parse the netloc out of the record's authority because the record's authority is already a netloc. As for why I'm ignoring potential aliases: the purpose of the record is to enable an application to use tokens it cached in prior authentications. An AuthenticationRecord and the account it represents will have identical values for authority because they're both results of the same authentication. An account having an alias of the record's authority was cached during a different authentication, and therefore doesn't match the record.
| @@ -163,6 +170,14 @@ def _get_account(self, username=None, tenant_id=None): | |||
| # cache is empty or contains no refresh token -> user needs to sign in | |||
| raise CredentialUnavailableError(message=NO_ACCOUNTS) | |||
|
|
|||
| if self._auth_record: | |||
There was a problem hiding this comment.
Do we need try catch here? if it is an invalid auth_record, what's our expected behavior?
There was a problem hiding this comment.
I mean if it is invalid, we want to raise ValueError or CredentialUnavailableError or ignore it?
There was a problem hiding this comment.
You mean if self._auth_record.home_account_id raises AttributeError? In that case self._auth_record isn't an AuthenticationRecord. Handling that exception seems tantamount to an isinstance check.
| self._username = self._auth_record.username | ||
| self._environment_aliases = frozenset((self._authority,)) | ||
| else: | ||
| authenticating_tenant = "common" |
There was a problem hiding this comment.
If we're using the Azure CLI client id I believe we should be defaulting to the organizations endpoint rather than common.
There was a problem hiding this comment.
I kept common to maintain the existing behavior. That was probably too conservative given I don't know a scenario the change would break. So, I've switched to organizations.
chlowell
force-pushed
the
shared-cache-auth-record
branch
from
b86790f to
d6458ff
Compare
Create 2020-10-01 version of resources swagger with templateLink.queryString property (Azure#11637) * Initial commit * Add templateLink.queryString property into 2020-10 resources version * Prettier fix * Fix api-version in examples * Change description of queryString * Fixed an undefined tag in readme * Avocado fixes * Suppress pre-existing lint errors * Fix template specs tag * Revert "Fix template specs tag" This reverts commit c0a2358b1ff17f1a6e278a79e9a691b4226f1ac4. * For real this time: Fix template specs tag Co-authored-by: Filiz Topatan <[email protected]>
Create 2020-10-01 version of resources swagger with templateLink.queryString property (Azure#11637) * Initial commit * Add templateLink.queryString property into 2020-10 resources version * Prettier fix * Fix api-version in examples * Change description of queryString * Fixed an undefined tag in readme * Avocado fixes * Suppress pre-existing lint errors * Fix template specs tag * Revert "Fix template specs tag" This reverts commit c0a2358b1ff17f1a6e278a79e9a691b4226f1ac4. * For real this time: Fix template specs tag Co-authored-by: Filiz Topatan <[email protected]>
This enables users who want to authenticate silently only to initialize the credential with an
AuthenticationRecordfrom a prior authentication. Closes #11448.