AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available here https://learn.microsoft.com/entra/msal/python/ Stable APIs are documented here https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with tag "msal" + "python".
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

Implementing known_authority_hosts #492

Closed rayluo closed 1 year ago

rayluo commented 1 year ago

Implementing the known_authorities behaviors based on the internal design.

The unit tests of this PR are almost as readable as plain English, and are considered generic acceptance tests for this feature.

This PR also contains the "api reference documentation" for the newly introduced known_authority_hosts parameter.

When merged, this PR will close this internal workitem.


This entire PR has been shelved, because later we discovered some new requirements for Azure Stack scenarios (internal link), so we proceeded with #496.

jiasli commented 1 year ago

Azure CLI never used validate_authority and everything works fine. Per our observation, all Azure Stack environments utilizing ADFS have the /adfs postfix in their authentication endpoint URL, which makes MSAL bypass authority verification:

https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/c9a36e952e16f42c6d13315dc3226a0a65c1f59f/msal/authority.py#L78

For example, to verify with redmond Azure Stack environment:

az cloud register -n redmond --endpoint-resource-manager "https://management.redmond.azurestack.corp.microsoft.com/"
az cloud set -n redmond --profile 2019-03-01-hybrid
az login

az cloud register queries https://management.redmond.azurestack.corp.microsoft.com/metadata/endpoints?api-version=2019-05-01 for endpoints and authentication endpoint is https://adfs.redmond.azurestack.corp.microsoft.com/adfs.
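The comment above describes two paths an authority URL can take: an ADFS-style path (the `/adfs` suffix) makes MSAL skip host validation, while everything else is subject to authority verification. The following is an added illustration of that decision logic, written for this thread rather than taken from MSAL's `authority.py`; the `classify_authority` function, the `KNOWN_AUTHORITY_HOSTS` allow list and the three result labels are assumptions made for the example, not MSAL API.

```python
from urllib.parse import urlparse

# Constructed allow list standing in for a hypothetical known_authority_hosts
# parameter. The Azure Stack host is the one quoted in the comment above.
KNOWN_AUTHORITY_HOSTS = frozenset({
    "login.microsoftonline.com",
    "adfs.redmond.azurestack.corp.microsoft.com",
})


def classify_authority(authority, known_authority_hosts=KNOWN_AUTHORITY_HOSTS):
    """Classify an authority URL as 'adfs', 'known' or 'unknown'.

    'adfs'    - first path segment is 'adfs', so host validation is skipped,
                mirroring the bypass described in the comment above
    'known'   - host is on the caller-supplied allow list
    'unknown' - neither; a caller should refuse it (or run instance discovery)
                rather than silently trusting the host
    """
    parts = urlparse(authority)
    # Only https authorities with an explicit host are acceptable at all.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("authority must be an https URL with a host: %r" % authority)
    host = parts.hostname.lower()
    first_segment = parts.path.strip("/").split("/")[0].lower()
    if first_segment == "adfs":
        return "adfs"
    if host in known_authority_hosts:
        return "known"
    return "unknown"


def is_authority_accepted(authority, known_authority_hosts=KNOWN_AUTHORITY_HOSTS):
    """True when the authority would be used without further verification."""
    return classify_authority(authority, known_authority_hosts) != "unknown"


if __name__ == "__main__":
    for url in (
        "https://adfs.redmond.azurestack.corp.microsoft.com/adfs",
        "https://login.microsoftonline.com/common",
        "https://login.example.test/common",
    ):
        print(url, "->", classify_authority(url))
```

The point of separating the three outcomes is that an `/adfs` authority is accepted without any host check, so an application that relies on that path for Azure Stack should make sure the authority string itself comes from a trusted source (such as the cloud metadata endpoint registered with `az cloud register`) rather than from user input.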

rayluo commented 1 year ago

Closing this without merging, because we ended up going with #496