Skip to content

Extend BearerTokenCredentialPolicy to handle auth challenges #18437

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
chlowell merged 7 commits into from
May 24, 2021
Merged

Extend BearerTokenCredentialPolicy to handle auth challenges #18437

chlowell merged 7 commits into from
May 24, 2021

Conversation

@chlowell
Copy link
Member

@chlowell chlowell commented Apr 29, 2021
edited
Loading

When its on_challenge method is not overridden, the ChallengeAuthenticationPolicy proposed in #17489 is functionally equivalent to the existing BearerTokenCredentialPolicy. It's reasonable then to wonder how the existing policy would look when extended to handle authentication challenges. Short answer: it would look something like this 😉

xiangyan99
xiangyan99 reviewed May 3, 2021
View reviewed changes
sdk/core/azure-core/azure/core/pipeline/policies/_authentication.py Outdated


class BearerTokenCredentialPolicy(_BearerTokenCredentialPolicyBase, SansIOHTTPPolicy):
class BearerTokenCredentialPolicy(_BearerTokenCredentialPolicyBase, SansIOHTTPPolicy, HTTPPolicy):
Copy link
Member

@xiangyan99 xiangyan99 May 3, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then the pipeline will call on_request or send or both?

Do we have a design for this scenario? @annatisch

Copy link
Member Author

@chlowell chlowell May 3, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After #16726, the pipeline will call this policy's send method (instead of _SansIOHTTPPolicyRunner.send). Another option is for this policy not to inherit SansIOHTTPPolicy.

Copy link
Member

@johanste johanste May 5, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this is an "AvecIOHTTPPolicy" (as opposed to Sans), I would remove the inheritance from SansIOHTTPPolicy and derive from the "correct" base class. I think that your implementation can call self.on_request and self.on_response to make sure they are called in a very similar fashion as before in order to handle any cases where someone has extended/derived from the policy, no?

Copy link
Member Author

@chlowell chlowell May 10, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have done. The extended policy follows _SansIOHTTPPolicyRunner's calling pattern such that it calls a subclass's on_* as the runner would.

@chlowell chlowell mentioned this pull request May 13, 2021
Closed
@chlowell chlowell marked this pull request as ready for review May 17, 2021 15:24
@chlowell chlowell requested a review from xiangyan99 May 20, 2021 18:23
xiangyan99
xiangyan99 reviewed May 20, 2021
View reviewed changes
sdk/core/azure-core/azure/core/pipeline/policies/_authentication.py


class BearerTokenCredentialPolicy(_BearerTokenCredentialPolicyBase, SansIOHTTPPolicy):
class BearerTokenCredentialPolicy(_BearerTokenCredentialPolicyBase, HTTPPolicy):
Copy link
Member

@xiangyan99 xiangyan99 May 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I remember we planned to modify

if isinstance(policy, SansIOHTTPPolicy):

to check hasattibute('on_request'), will that change conflict with this one?

Copy link
Member Author

@chlowell chlowell May 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's #16726. No conflict with this change, and this change doesn't require that PR.

@chlowell chlowell requested a review from xiangyan99 May 24, 2021 15:44
xiangyan99
xiangyan99 reviewed May 24, 2021
View reviewed changes
sdk/core/azure-core/azure/core/pipeline/policies/_authentication.py
:param ~azure.core.pipeline.PipelineRequest request: the request
"""
self._enforce_https(request)
Copy link
Member

@xiangyan99 xiangyan99 May 24, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do you think about moving _enforce_https into shared utils?

Copy link
Member Author

@chlowell chlowell May 24, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense the next time another policy needs it. Do we want the key and SAS policies to enforce HTTPS as well?

Copy link
Member

@xiangyan99 xiangyan99 May 24, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I asked this because I saw ACR also used it. :)

xiangyan99
xiangyan99 approved these changes May 24, 2021
View reviewed changes
Copy link
Member

@xiangyan99 xiangyan99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@chlowell chlowell merged commit ec9d1dd into Azure:master May 24, 2021
@chlowell chlowell deleted the cae-core branch May 24, 2021 16:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xiangyan99 xiangyan99 xiangyan99 approved these changes

@johanste johanste johanste left review comments

@lmazuel lmazuel Awaiting requested review from lmazuel

@schaabs schaabs Awaiting requested review from schaabs

@mccoyp mccoyp Awaiting requested review from mccoyp

Assignees

No one assigned

Labels

Azure.Core

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@chlowell @xiangyan99 @johanste