[Identity] Ensuring the claims get sent through the getToken requests. #18445
sadasant merged 36 commits into Azure:main from
Co-authored-by: Jeff Fisher <xirzec@xirzec.com>
| /** | ||
| * Claims received from challenges. | ||
| */ | ||
| claims?: string; |
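Review bot: the doc comment on `claims?: string` says only that the claims come from challenges; since the thread notes that a claims value may be either a base64 string or a JSON object, and that this field is internal rather than part of the public GetTokenOptions, the comment should state which form this string carries and its internal status, e.g. `Claims received from challenges (internal; not exposed on GetTokenOptions).`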
This is an internal type.
| }); | ||
| let clientCapabilities: string[] = ["CP1"]; | ||
| let clientCapabilities: string[] = ["cp1"]; |
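Review bot: the capability value is changed to lowercase `cp1` without a comment explaining why; add a one-line comment pointing at the claims-challenge documentation cited in the thread (https://docs.microsoft.com/azure/active-directory/develop/claims-challenge) so that a future reader does not revert it to `CP1` when comparing against other SDKs.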
If one goes to the service documentation, this value appears in lowercase: https://docs.microsoft.com/azure/active-directory/develop/claims-challenge
This change has no effect other than helping me have a more 1:1 comparison between our recordings and our docs.
witemple-msft left a comment
Looks good to me. Checking my notes: this is part of the internal token options, but not the public GetTokenOptions, so this is meant to be used for challenges, but a user who is using identity will not have the option to pass in claims?
@witemple-msft (thank you) I believe we deferred the decision of exposing the “claims” to end users. Claims can be either a base64 string or a JSON object, but the properties of that JSON object are not well defined. Perhaps they will be in the future.
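The claims flow this thread describes, as an added example written for this page rather than code from the PR or the Azure SDK: parse a `Bearer` challenge carrying a base64url-encoded `claims` parameter, decode it, and forward it together with the `cp1` client capability so that it reaches the token request. The type and function names (TokenRequest, parseBearerChallenge, decodeClaims, buildTokenRequest) and the sample challenge are assumptions constructed for the example.

```typescript
// Added example for this page; not code from the PR or the Azure SDK.
// TokenRequest, parseBearerChallenge, decodeClaims, buildTokenRequest and
// the sample challenge below are assumptions constructed for illustration.

/** Parameters of a token request; `claims` stays a string, as in the PR. */
interface TokenRequest {
  scopes: string[];
  /** Advertises that this client understands claims challenges. */
  clientCapabilities: string[];
  /** Claims received from a challenge, forwarded as JSON text. */
  claims?: string;
}

/**
 * Parse the parameters of a `Bearer` challenge in a WWW-Authenticate header,
 * e.g. `Bearer realm="", error="insufficient_claims", claims="eyJ..."`.
 * Returns an empty object for anything that is not a Bearer challenge.
 */
function parseBearerChallenge(header: string): Record<string, string> {
  const params: Record<string, string> = {};
  const bearer = /^\s*Bearer\s+(.*)$/i.exec(header);
  if (!bearer) return params;
  // key="quoted value" or key=bare-value, separated by commas
  const pair = /([A-Za-z_]+)\s*=\s*(?:"([^"]*)"|([^,\s]*))/g;
  let m: RegExpExecArray | null;
  while ((m = pair.exec(bearer[1])) !== null) {
    params[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3] ?? "";
  }
  return params;
}

/** base64url-encode UTF-8 text (used here only to build the constructed sample). */
function toBase64Url(text: string): string {
  return Buffer.from(text, "utf8")
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

/**
 * Decode a base64url claims parameter into a JSON object. The properties of
 * that object are not well defined, so callers treat the result as opaque.
 */
function decodeClaims(encoded: string): unknown {
  const b64 = encoded.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

/**
 * Build the next token request. Without a challenge only clientCapabilities
 * is set; with a claims challenge the decoded claims are re-serialised and
 * carried in `claims` so they are sent through the getToken request.
 */
function buildTokenRequest(scopes: string[], challengeHeader?: string): TokenRequest {
  const request: TokenRequest = { scopes, clientCapabilities: ["cp1"] };
  if (challengeHeader) {
    const params = parseBearerChallenge(challengeHeader);
    if (params["claims"]) {
      request.claims = JSON.stringify(decodeClaims(params["claims"]));
    }
  }
  return request;
}

// Constructed sample: a challenge asking for a token issued after a given time.
const SAMPLE_CLAIMS = { access_token: { nbf: { essential: true, value: "1604104819" } } };
const SAMPLE_CHALLENGE =
  `Bearer realm="", error="insufficient_claims", claims="${toBase64Url(JSON.stringify(SAMPLE_CLAIMS))}"`;

// Usage: the first request carries no claims; after a challenge they are forwarded.
console.log(buildTokenRequest(["https://graph.microsoft.com/.default"]));
console.log(buildTokenRequest(["https://graph.microsoft.com/.default"], SAMPLE_CHALLENGE));
```

The request keeps `claims` as a string, matching the internal option in the PR, and always sends `clientCapabilities: ["cp1"]` so that the service knows it may answer with a claims challenge in the first place.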
Better comment regarding dotenv.config
| "Waiting for the revocation of the token. Retrying in 30 seconds. Retry number", | ||
| ++count | ||
| ); | ||
| await delay(30000); |
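Review bot: the loop in this hunk waits 30 seconds per iteration and increments `count`, but the visible lines show no upper bound, so a recording run could wait indefinitely if the token is never revoked; bound it with a maximum attempt count (16 attempts would match the 8-minute cutoff proposed in the review thread) and fail the test with a clear message when that bound is exceeded.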
I think it's reasonable to give up after 8 minutes.
This only gets executed on record mode. On playback mode this shrinks to 0. I’m only running this in playback mode on CI, so it won’t wait.
| // Important: | ||
| // IN PLAYBACK MODE... | ||
| // Verifying that the first access token and the final one are different will not work consistently in this test. | ||
| // The recorder strips out the access tokens from the responses on the recordings. |
My solution in Python was to record hashes of the access tokens. That way the values are unique and no longer secret.
Our recorder in JS strips the access token, but the service sometimes answers with different expiration dates. I could add some boilerplate code to fix the resulting access tokens to different values, but it will get really cumbersome given that the recorder doesn’t play well with other mocking tools. For unit tests, we already have unit tests in core-client and core-rest-pipeline about the underlying code used here.
…ing them on the recordings
(well, that didn’t work)
I’ll merge this as soon as CI agrees with me.
Azure#18445) This PR:
- Ensures claims are sent through correctly.
- Sees what other properties we can send through that could have been missed.
- Adds two recorded tests for the challenge flow.

I’m not using ARM endpoints for this test since I wasn’t able to revoke the ARM session when I tested this. I tried many times. The Identity SDK crew is investigating that outside of this PR.
By this point, core is ready to handle challenges. Identity should have been ready a while ago, but as I tested this feature, I realized I had forgotten to ensure the claims would go through the getToken requests. I believe this happened as we decided to drop the claims from the GetTokenOptions. The reason why we dropped claims was, if I remember correctly, that claims could be either strings or objects with potentially arbitrary properties, and that they were only used internally and not expected to be used by customers.
Anyway, this PR intends to do something rather narrow:
There are some questions I have remaining, regarding the recorder. I’ll route those questions outside of this PR. I’ll potentially make issues.
If you’re wondering why I am not using ARM endpoints for this test, the reason is that I wasn’t able to revoke the ARM session when I tested this. I tried many times. The Identity SDK crew is investigating that outside of this PR. Once that is resolved, I will add recorded tests for the ARM endpoints.
I may open some issues based on this PR, but give me some time to discuss our findings with the team.