AzureAD / azure-activedirectory-library-for-python

ADAL for Python
http://adal-python.readthedocs.io

Additional authority servers #213

Closed tmacro closed 5 years ago

tmacro commented 5 years ago

Azure-adal defines a static list of authority servers here. It then uses this list here to limit the authority servers used for discovery. Why is this a problem? If I register a custom cloud using az cloud register ... with a custom authority server, az login fails with the error

Instance Discovery request returned http error: 400 and server response: {
  "error": "invalid_instance",
  "error_description": "AADSTS50049: Unknown or invalid instance.\r\nTrace ID: d4f1f445-d340-4f65-a0ec-f7e384560000\r\nCorrelation ID: 1e59253d-4595-4082-9daf-6e85c3b73313\r\nTimestamp: 2019-09-23 21:37:56Z",
  "error_codes": [
    50049
  ],
  "timestamp": "2019-09-23 21:37:56Z",
  "trace_id": "d4f1f445-d340-4f65-a0ec-f7e384560000",
  "correlation_id": "1e59253d-4595-4082-9daf-6e85c3b73313",
  "error_uri": "https://login.windows.net/error?code=50049"
}

I would like to add an environment variable (or another method) to allow the user to specify a custom authority server at runtime. This is not just a feature request, I am willing to contribute the code/time needed to make this happen if you are willing.

rayluo commented 5 years ago

Thanks for the feature request (and your willingness to contribute)!

ADAL Python has long allowed you to "specify a custom authority server at runtime". That is needed when, for example, using an ADFS on-prem server as the Identity Provider. And the way to do it is to specify AuthenticationContext(..., validate_authority=False, ...). See the API reference doc here, and the actual usage pattern here.

Ideally Azure CLI should know whether a custom cloud is being used, and if so, turn off that validate_authority flag. Perhaps you can create a similar issue in the Azure CLI repo and see how it pans out.

CC: @yonzhan
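The decision rayluo describes, modelled as an added example that is not ADAL's own code: a static host list is consulted first, then dynamic instance discovery, and `validate_authority=False` skips both. The host list, the offline `fake_instance_discovery` stand-in for the HTTPS discovery call, and the `registered_custom_hosts` allowlist (the narrower alternative to disabling validation for every authority) are all constructed for this example.

```python
from urllib.parse import urlparse

# Constructed approximation of the static well-known host list; the real
# constant lives in the library and may differ.
WELL_KNOWN_AUTHORITY_HOSTS = frozenset({
    "login.windows.net",
    "login.microsoftonline.com",
    "login.chinacloudapi.cn",
    "login.microsoftonline.de",
    "login.microsoftonline.us",
})


class InvalidInstance(Exception):
    """Neither static nor dynamic instance discovery accepted the host (AADSTS50049)."""


def fake_instance_discovery(authority_host):
    """Offline stand-in for the discovery request sent to the worldwide authority.
    The real endpoint only knows Microsoft-operated clouds, which is why a
    custom cloud gets the HTTP 400 'invalid_instance' answer quoted in the issue."""
    return authority_host in WELL_KNOWN_AUTHORITY_HOSTS


def validate_authority(authority_url, validate=True, discover=fake_instance_discovery,
                       registered_custom_hosts=frozenset()):
    """Return which path accepted the authority, or raise.
    validate=False corresponds to AuthenticationContext(validate_authority=False)."""
    url = urlparse(authority_url)
    if url.scheme != "https" or not url.hostname:
        raise ValueError("authority must be an https URL with a host: %r" % authority_url)
    host = url.hostname.lower()
    if not validate:
        # Every host is trusted; the caller must be sure the URL came from its own config.
        return "validation-disabled"
    if host in WELL_KNOWN_AUTHORITY_HOSTS:
        return "static"
    if host in registered_custom_hosts:
        # Hypothetical allowlist of hosts the caller registered (e.g. via 'az cloud
        # register'); trusts only those, not arbitrary authorities.
        return "custom-allowlist"
    if discover(host):
        return "dynamic"
    raise InvalidInstance("AADSTS50049: Unknown or invalid instance: " + host)
```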

rayluo commented 5 years ago

Addressed in downstream Azure CLI.