[Identity] Adding regional STS support (Azure#15778)

Added regional STS support to client credential types. - Added the `RegionalAuthority` type, that allows specifying Azure regions. - Added `regionalAuthority` property to `ClientSecretCredentialOptions` and `ClientCertificateCredentialOptions`. - If instead of a region, `autoDiscoverRegion` is specified as the value for `regionalAuthority`, MSAL will be used to attempt to discover the region. - A region can also be specified through the `AZURE_REGIONAL_AUTHORITY_NAME` environment variable. Fixes Azure#15762 Fixes Azure#15714
AzureSDKAutomation · Jun 18, 2021 · 32c780f · 32c780f
1 parent 9b511e3
commit 32c780f
Show file tree

Hide file tree

Showing 16 changed files with 416 additions and 12 deletions.
diff --git a/sdk/identity/identity/CHANGELOG.md b/sdk/identity/identity/CHANGELOG.md
@@ -11,6 +11,14 @@
 
 - Removed the protected method `getAzureCliAccessToken` from the public API of the `AzureCliCredential`. While it will continue to be available as part of v1, we won't be supporting this method as part of v2's public API.
 
+### New Features
+
+- Added regional STS support to client credential types.
+  - Added the `RegionalAuthority` type, that allows specifying Azure regions.
+  - Added `regionalAuthority` property to `ClientSecretCredentialOptions` and `ClientCertificateCredentialOptions`.
+  - If instead of a region, `AutoDiscoverRegion` is specified as the value for `regionalAuthority`, MSAL will be used to attempt to discover the region.
+  - A region can also be specified through the `AZURE_REGIONAL_AUTHORITY_NAME` environment variable.
+
 ## 2.0.0-beta.3 (2021-05-12)
 
 ### New features

diff --git a/sdk/identity/identity/package.json b/sdk/identity/identity/package.json
@@ -43,7 +43,8 @@
     "test:node": "npm run clean && npm run build:test && npm run unit-test:node && npm run integration-test:node",
     "test": "npm run clean && npm run build:test && npm run unit-test && npm run integration-test",
     "unit-test:browser": "karma start --single-run",
-    "unit-test:node": "mocha -r esm -r ts-node/register --reporter ../../../common/tools/mocha-multi-reporter.js --timeout 180000 --full-trace --exclude \"test/**/browser/**/*.spec.ts\" \"test/**/*.spec.ts\"",
+    "unit-test:node": "mocha -r esm -r ts-node/register --reporter ../../../common/tools/mocha-multi-reporter.js --timeout 300000 --full-trace --exclude \"test/**/browser/**/*.spec.ts\" \"test/**/*.spec.ts\"",
+    "unit-test:node:no-timeouts": "mocha -r esm -r ts-node/register --reporter ../../../common/tools/mocha-multi-reporter.js  --no-timeouts --full-trace --exclude \"test/**/browser/**/*.spec.ts\" \"test/**/*.spec.ts\"",
     "unit-test": "npm run unit-test:node && npm run unit-test:browser",
     "docs": "typedoc --excludePrivate --excludeNotExported --excludeExternals --stripInternal --mode file --out ./dist/docs ./src"
   },
@@ -81,8 +82,8 @@
     "@azure/core-tracing": "1.0.0-preview.11",
     "@azure/logger": "^1.0.0",
     "@azure/abort-controller": "^1.0.0",
-    "@azure/msal-common": "^4.0.0",
-    "@azure/msal-node": "^1.0.2",
+    "@azure/msal-common": "^4.3.0",
+    "@azure/msal-node": "^1.1.0",
     "@azure/msal-browser": "^2.0.0",
     "@types/stoppable": "^1.1.0",
     "events": "^3.0.0",

diff --git a/...entcertificatecredential_internal/recording_supports_specifying_the_regional_authority.js b/...entcertificatecredential_internal/recording_supports_specifying_the_regional_authority.js
diff --git a/...dings/node/clientsecretcredential/recording_supports_specifying_the_regional_authority.js b/...dings/node/clientsecretcredential/recording_supports_specifying_the_regional_authority.js
diff --git a/...e/clientsecretcredential_internal/recording_supports_specifying_the_regional_authority.js b/...e/clientsecretcredential_internal/recording_supports_specifying_the_regional_authority.js
diff --git a/sdk/identity/identity/review/identity.api.md b/sdk/identity/identity/review/identity.api.md
@@ -92,6 +92,7 @@ export class ClientCertificateCredential implements TokenCredential {
 
 // @public
 export interface ClientCertificateCredentialOptions extends TokenCredentialOptions {
+    regionalAuthority?: string;
     sendCertificateChain?: boolean;
 }
 
@@ -103,6 +104,7 @@ export class ClientSecretCredential implements TokenCredential {
 
 // @public
 export interface ClientSecretCredentialOptions extends TokenCredentialOptions {
+    regionalAuthority?: string;
 }
 
 // @public
@@ -210,6 +212,63 @@ export class ManagedIdentityCredential implements TokenCredential {
     getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
     }
 
+// @public
+export enum RegionalAuthority {
+    AsiaEast = "eastasia",
+    AsiaSouthEast = "southeastasia",
+    AustraliaCentral = "australiacentral",
+    AustraliaCentral2 = "australiacentral2",
+    AustraliaEast = "australiaeast",
+    AustraliaSouthEast = "australiasoutheast",
+    AutoDiscoverRegion = "AutoDiscoverRegion",
+    BrazilSouth = "brazilsouth",
+    CanadaCentral = "canadacentral",
+    CanadaEast = "canadaeast",
+    ChinaEast = "chinaeast",
+    ChinaEast2 = "chinaeast2",
+    ChinaNorth = "chinanorth",
+    ChinaNorth2 = "chinanorth2",
+    EuropeNorth = "northeurope",
+    EuropeWest = "westeurope",
+    FranceCentral = "francecentral",
+    FranceSouth = "francesouth",
+    GermanyCentral = "germanycentral",
+    GermanyNorth = "germanynorth",
+    GermanyNorthEast = "germanynortheast",
+    GermanyWestCentral = "germanywestcentral",
+    GovernmentUSArizona = "usgovarizona",
+    GovernmentUSDodCentral = "usdodcentral",
+    GovernmentUSDodEast = "usdodeast",
+    GovernmentUSIowa = "usgoviowa",
+    GovernmentUSTexas = "usgovtexas",
+    GovernmentUSVirginia = "usgovvirginia",
+    IndiaCentral = "centralindia",
+    IndiaSouth = "southindia",
+    IndiaWest = "westindia",
+    JapanEast = "japaneast",
+    JapanWest = "japanwest",
+    KoreaCentral = "koreacentral",
+    KoreaSouth = "koreasouth",
+    NorwayEast = "norwayeast",
+    NorwayWest = "norwaywest",
+    SouthAfricaNorth = "southafricanorth",
+    SouthAfricaWest = "southafricawest",
+    SwitzerlandNorth = "switzerlandnorth",
+    SwitzerlandWest = "switzerlandwest",
+    UAECentral = "uaecentral",
+    UAENorth = "uaenorth",
+    UKSouth = "uksouth",
+    UKWest = "ukwest",
+    USCentral = "centralus",
+    USEast = "eastus",
+    USEast2 = "eastus2",
+    USNorthCentral = "northcentralus",
+    USSouthCentral = "southcentralus",
+    USWest = "westus",
+    USWest2 = "westus2",
+    USWestCentral = "westcentralus"
+}
+
 // @public
 export function serializeAuthenticationRecord(record: AuthenticationRecord): string;
 

diff --git a/sdk/identity/identity/src/credentials/clientCertificateCredentialOptions.ts b/sdk/identity/identity/src/credentials/clientCertificateCredentialOptions.ts
@@ -12,4 +12,10 @@ export interface ClientCertificateCredentialOptions extends TokenCredentialOptio
    * Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim
    */
   sendCertificateChain?: boolean;
+  /**
+   * Specifies a regional authority. Please refer to the {@link RegionalAuthority} type for the accepted values.
+   * If {@link RegionalAuthority.AutoDiscoverRegion} is specified, we will try to discover the regional authority endpoint.
+   * If the property is not specified, the credential uses the global authority endpoint.
+   */
+  regionalAuthority?: string;
 }
diff --git a/sdk/identity/identity/src/credentials/clientSecretCredentialOptions.ts b/sdk/identity/identity/src/credentials/clientSecretCredentialOptions.ts
@@ -6,4 +6,11 @@ import { TokenCredentialOptions } from "../client/identityClient";
 /**
  * Optional parameters for the {@link ClientSecretCredential} class.
  */
-export interface ClientSecretCredentialOptions extends TokenCredentialOptions {}
+export interface ClientSecretCredentialOptions extends TokenCredentialOptions {
+  /**
+   * Specifies a regional authority. Please refer to the {@link RegionalAuthority} type for the accepted values.
+   * If {@link RegionalAuthority.AutoDiscoverRegion} is specified, we will try to discover the regional authority endpoint.
+   * If the property is not specified, the credential uses the global authority endpoint.
+   */
+  regionalAuthority?: string;
+}
diff --git a/sdk/identity/identity/src/index.ts b/sdk/identity/identity/src/index.ts
@@ -8,6 +8,7 @@ export { AuthenticationRecord } from "./msal/types";
 export { AuthenticationRequiredError } from "./msal/errors";
 export { serializeAuthenticationRecord, deserializeAuthenticationRecord } from "./msal/utils";
 export { TokenCredentialOptions } from "./client/identityClient";
+export { RegionalAuthority } from "./regionalAuthority";
 export { InteractiveCredentialOptions } from "./credentials/interactiveCredentialOptions";
 
 export { ChainedTokenCredential } from "./credentials/chainedTokenCredential";

diff --git a/sdk/identity/identity/src/msal/nodeFlows/msalClientCertificate.ts b/sdk/identity/identity/src/msal/nodeFlows/msalClientCertificate.ts
@@ -106,7 +106,8 @@ export class MsalClientCertificate extends MsalNode {
     try {
       const result = await this.confidentialApp!.acquireTokenByClientCredential({
         scopes,
-        correlationId: options.correlationId
+        correlationId: options.correlationId,
+        azureRegion: this.azureRegion
       });
       // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,
       // The Client Credential flow does not return the account information from the authentication service,

diff --git a/sdk/identity/identity/src/msal/nodeFlows/msalClientSecret.ts b/sdk/identity/identity/src/msal/nodeFlows/msalClientSecret.ts
@@ -31,7 +31,8 @@ export class MsalClientSecret extends MsalNode {
     try {
       const result = await this.confidentialApp!.acquireTokenByClientCredential({
         scopes,
-        correlationId: options.correlationId
+        correlationId: options.correlationId,
+        azureRegion: this.azureRegion
       });
       // The Client Credential flow does not return an account,
       // so each time getToken gets called, we will have to acquire a new token through the service.

diff --git a/sdk/identity/identity/src/msal/nodeFlows/nodeCommon.ts b/sdk/identity/identity/src/msal/nodeFlows/nodeCommon.ts
@@ -20,13 +20,20 @@ import {
   msalToPublic,
   publicToMsal
 } from "../utils";
+import { RegionalAuthority } from "../../regionalAuthority";
 
 /**
  * Union of the constructor parameters that all MSAL flow types for Node.
  * @internal
  */
 export interface MsalNodeOptions extends MsalFlowOptions {
   tokenCredentialOptions: TokenCredentialOptions;
+  /**
+   * Specifies a regional authority. Please refer to the {@link RegionalAuthority} type for the accepted values.
+   * If {@link RegionalAuthority.AutoDiscoverRegion} is specified, we will try to discover the regional authority endpoint.
+   * If the property is not specified, uses a non-regional authority endpoint.
+   */
+  regionalAuthority?: string;
 }
 
 /**
@@ -45,11 +52,16 @@ export abstract class MsalNode extends MsalBaseUtilities implements MsalFlow {
   protected clientId: string;
   protected identityClient?: IdentityClient;
   protected requiresConfidential: boolean = false;
+  protected azureRegion?: string;
 
   constructor(options: MsalNodeOptions) {
     super(options);
     this.msalConfig = this.defaultNodeMsalConfig(options);
     this.clientId = this.msalConfig.auth.clientId;
+    this.azureRegion = options.regionalAuthority ?? process.env.AZURE_REGIONAL_AUTHORITY_NAME;
+    if (this.azureRegion === RegionalAuthority.AutoDiscoverRegion) {
+      this.azureRegion = "AUTO_DISCOVER";
+    }
   }
 
   /**