-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SharedTokenCacheCredential takes an optional AuthenticationRecord #11637
Changes from all commits
d8f05b0
dab3417
6aca170
5e74904
d6458ff
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -27,6 +27,7 @@ | |
# pylint:disable=unused-import,ungrouped-imports | ||
from typing import Any, Iterable, List, Mapping, Optional | ||
from .._internal import AadClientBase | ||
from azure.identity import AuthenticationRecord | ||
|
||
CacheItem = Mapping[str, str] | ||
|
||
|
@@ -86,13 +87,22 @@ class SharedTokenCacheBase(ABC): | |
def __init__(self, username=None, **kwargs): # pylint:disable=unused-argument | ||
# type: (Optional[str], **Any) -> None | ||
|
||
authority = kwargs.pop("authority", None) | ||
self._authority = normalize_authority(authority) if authority else get_default_authority() | ||
|
||
environment = urlparse(self._authority).netloc | ||
self._environment_aliases = KNOWN_ALIASES.get(environment) or frozenset((environment,)) | ||
self._username = username | ||
self._tenant_id = kwargs.pop("tenant_id", None) | ||
self._auth_record = kwargs.pop("authentication_record", None) # type: Optional[AuthenticationRecord] | ||
if self._auth_record: | ||
# authenticate in the tenant that produced the record unless 'tenant_id' specifies another | ||
authenticating_tenant = kwargs.pop("tenant_id", None) or self._auth_record.tenant_id | ||
self._tenant_id = self._auth_record.tenant_id | ||
self._authority = self._auth_record.authority | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't see we have normalize_authority(authority) in ctor of AuthenticationRecord. So maybe we need it here There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Accounts in MSAL's cache don't have "normalized" authorities, so neither does |
||
self._username = self._auth_record.username | ||
self._environment_aliases = frozenset((self._authority,)) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I expect w/ or w/o auth_record, we should have same behavior here as environment = urlparse(self._authority).netloc There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Good eye. We don't need to parse the netloc out of the record's |
||
else: | ||
authenticating_tenant = "organizations" | ||
authority = kwargs.pop("authority", None) | ||
self._authority = normalize_authority(authority) if authority else get_default_authority() | ||
environment = urlparse(self._authority).netloc | ||
self._environment_aliases = KNOWN_ALIASES.get(environment) or frozenset((environment,)) | ||
self._username = username | ||
self._tenant_id = kwargs.pop("tenant_id", None) | ||
|
||
cache = kwargs.pop("_cache", None) # for ease of testing | ||
|
||
|
@@ -110,7 +120,7 @@ def __init__(self, username=None, **kwargs): # pylint:disable=unused-argument | |
if cache: | ||
self._cache = cache | ||
self._client = self._get_auth_client( | ||
authority=self._authority, cache=cache, **kwargs | ||
authority=self._authority, tenant_id=authenticating_tenant, cache=cache, **kwargs | ||
) # type: Optional[AadClientBase] | ||
else: | ||
self._client = None | ||
|
@@ -161,6 +171,14 @@ def _get_account(self, username=None, tenant_id=None): | |
# cache is empty or contains no refresh token -> user needs to sign in | ||
raise CredentialUnavailableError(message=NO_ACCOUNTS) | ||
|
||
if self._auth_record: | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do we need try catch here? if it is an invalid auth_record, what's our expected behavior? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I mean if it is invalid, we want to raise ValueError or CredentialUnavailableError or ignore it? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You mean if |
||
for account in accounts: | ||
if account.get("home_account_id") == self._auth_record.home_account_id: | ||
return account | ||
raise CredentialUnavailableError( | ||
message="The cache contains no account matching the given AuthenticationRecord." | ||
) | ||
|
||
filtered_accounts = _filtered_accounts(accounts, username, tenant_id) | ||
if len(filtered_accounts) == 1: | ||
return filtered_accounts[0] | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not from ..__auth_record?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a public class, and I don't want to depend on its internal location.