Open bgavrilMS opened 9 months ago
Unlike MSAL.NET, MSAL GO will actually figure out the token_endpoint and authorize_endpoint from the STS, via OIDC discovery (@chlowell to keep me honest)
Yes, that's the design: https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/1f802fb142172e9fa7fbdfc1d19431b98e423e0d/apps/internal/oauth/resolvers.go#L47-L48
I volunteer as tribute
Hey @bgavrilMS, I'm finally able to prioritize working on this issue (yay).
I have made some changes, now I'm looking at Acceptance Tests section. I wanted to ask - is there an existing test I should mirror? Could you provide the link? I have been searching for client_credentials
(as per _Get a token for clientcredentials flow from dSTS), but tests referencing that do not seem to really cover what I am implementing.
In other words, the goal is to mock the response from dSTS endpoint using a mocked http server, then proceed with test cases mentioned in 1, 2, 3 re the Acceptance Tests section? in context of method calls, I'm going to do AcquireTokenByCredential
, is that sufficient? Should I call even AcquireTokenSilent
for example?
Thanks.
For test 1, have a look at https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/main/apps/confidential/confidential_test.go#L114
You should assert that:
This is for an SPN token. I am not sure you want to enable user auth.
To support a new authority type, we need to evolve MSAL.GO to have a better abstraction for authorities. Today, MSAL.GO supports AAD and ADFS authorities.
How MSAL detects the authority type
MSAL parses the authority string to figure out the authority type. If the string ends in "adfs" it is an indication that it is ADFS authority.
For dSTS, there is also specific logic to figure this out - the first path segment is hardcoded to "dstsv2", e.g. "https://some.url.dsts.core.azure-test.net/dstsv2/tenantID"
Endpoint discovery
Unlike MSAL.NET, MSAL GO will actually figure out the token_endpoint and authorize_endpoint from the STS, via OIDC discovery (@chlowell to keep me honest). Some logic needs to be added for dSTS. Note that MSAL.NET hardcodes the endpoints.
https://github.com/AzureAD/microsoft-authentication-library-for-go//blob/cc89d3480721852bd00435ac0ce220d12c2cc8a3/apps/internal/oauth/resolvers.go#L122
Authority validation
Today, AAD authorities are validated through instance discovery. ADFS authorities are not validated. dSTS authorities are not validated (but we might define some rules later). Ideally we should have an abstraction for this.
WithTenant
MSAL Go allows app developers to update the authority via the
WithTenant
API. See https://github.com/AzureAD/microsoft-authentication-library-for-go//blob/cc89d3480721852bd00435ac0ce220d12c2cc8a3/apps/internal/oauth/ops/authority/authority.go#L238The logic must be updated to account for dSTS.
Acceptance Tests
We do not have E2E testing env for dSTS, so we have to rely on manual testing and unit testing.
Get a token for client_credentials flow from dSTS, using both "https://some.url.dsts.core.azure-test.net/dstsv2/tenantID" and "https://some.url.dsts.core.azure-test.net/dstsv2/common" authority. Rely on a mocked HTTP response. Please ping me for this response sample. Ensure instance discovery is not done.
As above, but change the tenant via
WithTenant(T2)
. Ensure communication is now made over T2 endpoint.As 1, but make another request - ensure token comes from cache. Assert tokens cache keys.