[Identity] Explicitly implement TokenCredential protocol #25788
Conversation
mccoyp
added
Client
|
API change check APIView has identified API level changes in this PR and created following API reviews. |
mccoyp
force-pushed
the
id-tokencred-impl
branch
from
f0cc19a to
f7e196a
Compare
|
Should not be needed anymore now that runtimeChecklable has been puclished |
|
Reopening -- |
|
@xiangyan99 what do you think of this approach? Adding |
ghost
added
the
no-recent-activity
|
Hi @mccoyp. Thank you for your interest in helping to improve the Azure SDK experience and for your contribution. We've noticed that there hasn't been recent engagement on this pull request. If this is still an active work stream, please let us know by pushing some changes or leaving a comment. Otherwise, we'll close this out in 7 days. |
| @@ -72,7 +72,7 @@ | |||
| ), | |||
| python_requires=">=3.7", | |||
| install_requires=[ | |||
| "azure-core<2.0.0,>=1.11.0", | |||
| "azure-core<2.0.0,>=1.23.1", | |||
There was a problem hiding this comment.
Let's not force users to upgrade azure-core. We can use try import catch instead?
There was a problem hiding this comment.
This was motivated by the TokenCredential import, but that may not actually be necessary. I talked this over with Laurent, and he feels that the best solution would be to actually match the method signatures of the protocol; i.e. document kwargs like claims even if they wouldn't have an effect for a particular credential. I think this does make sense, since it makes the capabilities and limitations of each credential more explicit and more correctly implements the protocol.
I want to first check what pyright thinks of this PR's approach. If explicit subtyping without full implementation raises errors with pyright anyway, then this approach won't be viable regardless and would make the choice easier to make (unless you agree that we should go for the full implementation route regardless).
ghost
removed
the
no-recent-activity
|
Closing in favor of a new PR that will adjust Identity credential type signatures to match the protocol definition. |
Description
Resolves #25175. Per PEP 544, explicitly declaring protocol implementations is discouraged -- as it shouldn't be necessary -- but allowed. Our credentials are structural subtypes of the TokenCredential protocol (as shown by successful
isinstancechecks enabled by #25187), but PyCharm's third-party type checker still warns that credentials such as DefaultAzureCredential aren't TokenCredentials. Explicitly subtyping the protocol fixes this.Technically, PyCharm raises these warnings because its type checker is more aggressive than
isinstance; to completely implement the TokenCredential protocol'sget_tokenspec, all credentialget_tokenmethods need to includeclaimsandtenant_idin their signatures. This probably isn't the solution we want, as we don't actually support these keyword arguments in all credentials due to environment constraints (for example, we can't specify atenant_idin managed identity authentication).To choose which credentials to update, I provided each credential type in
azure-identityto a Key Vault client and updated those that raised the warning described in #25175.This also bumps the minimum version of
azure-coreto 1.23.1, which was the first version of the package to expose the TokenCredential type outside ofTYPE_CHECKING.All SDK Contribution checklist:
General Guidelines and Best Practices
Testing Guidelines