[Cosmos] AAD authentication async client #23717
Thanks @simorenoh , looks good to me!
LGTM, thanks
Commits in this PR:

* working authentication to get database account
* working aad authentication for sync client with sample
* readme and changelog
* pylint and better comments on sample
* working async aad
* Delete access_cosmos_with_aad.py snuck its way into the async PR
* Update _auth_policies.py
* small changes
* Update _cosmos_client_connection.py
* removing changes made in sync
* Update _auth_policy_async.py
* Update _auth_policy_async.py
* Update _auth_policy_async.py
* added licenses to samples
This PR has the changes for the async client to utilize AAD authentication.
The way the `azure.identity` package uses AAD credentials to authenticate to services is by adding those credentials into a policy that runs when requests are sent through the core pipelines. This policy makes sure to refresh the current token if needed and sets the authentication header of requests going through the pipeline. The reason Cosmos had to create its own policy in this instance is the prefix we use for our tokens, since the bearer token policy provided by the identity module sends a different prefix altogether and as such does not work for us.

It was also recommended by the identity team to create our own policies entirely rather than attempting to override a couple of methods, since this could break us on their end, especially for the `_update_headers()` method since it's private.

For the async client, the credentials also seem to require their context managers to be in place in order to not run into "Unclosed client session" errors once the context is over. It looks kinda weird with the double `async with`, so if there are any suggestions on this do let me know.

The sample is a simple run-through of what can and can't be done; if you think adding more examples would be helpful I can do so as well.