Closed rayluo closed 1 year ago
Azure CLI never used `validate_authority` and everything works fine. Per our observation, all Azure Stack environments utilizing ADFS have the `/adfs` postfix in their authentication endpoint URL, which makes MSAL bypass authority verification:
For example, to verify with `redmond` Azure Stack environment:

```
az cloud register -n redmond --endpoint-resource-manager "https://management.redmond.azurestack.corp.microsoft.com/"
az cloud set -n redmond --profile 2019-03-01-hybrid
az login
```
`az cloud register` queries https://management.redmond.azurestack.corp.microsoft.com/metadata/endpoints?api-version=2019-05-01 for endpoints, and the authentication endpoint is https://adfs.redmond.azurestack.corp.microsoft.com/adfs.
Closing this without merging, because we ended up going with #496
Implementing the known_authorities behaviors based on the internal design.
The unit tests of this PR are almost as readable as plain English, and are considered generic acceptance tests for this feature.
This PR also contains the "api reference documentation" for the newly introduced `known_authority_hosts` parameter. When merged, this PR will close this internal workitem.
This entire PR has been shelved, because later we discovered some new requirements for Azure Stack scenarios (internal link), so we proceeded with #496.