manicminer / hamilton

Go SDK for Microsoft Graph
Apache License 2.0

azcli auth doesn't support MSAL scopes #189

Open thomas11 opened 2 years ago

thomas11 commented 2 years ago

Currently, in AzureCliAuthorizer.Token(), the arguments to az are hard-coded as

```go
{"account", "get-access-token", fmt.Sprintf("--resource=%s", a.conf.Endpoint)}
```

This is correct for ADAL and also works for MSAL as long as you need the default scope of Resource Manager. However, for a different scope like KeyVault, the arguments should instead be

```go
{"account", "get-access-token", fmt.Sprintf("--scope=%s", a.conf.Endpoint+"/.default")}
```

Note the MSAL-style (OAuth v2) scope.

I tested the above change and it unblocked a small program that changes Key Vault secrets. I don't have a full PR just yet because I wasn't sure how you wanted to treat MSAL vs ADAL here.
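The argument construction discussed in this issue, written out as a stand-alone helper (added example, not code from the hamilton repository): it switches between the ADAL-style `--resource` flag and the MSAL-style `--scope` flag, trims a trailing slash before appending `/.default`, and leaves an endpoint that is already a full scope untouched. The `msal` flag and the sample endpoints are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// TokenArgs builds the argument list for `az account get-access-token`.
//
// With msal == false it keeps the ADAL-style form the authorizer uses today:
// `--resource=<endpoint>`. With msal == true it requests an OAuth v2 (MSAL)
// scope of `<endpoint>/.default`, which is what non-ARM audiences such as
// Key Vault need. The endpoint is normalised so that a trailing slash does not
// produce "//.default", and an endpoint that already ends in "/.default" is
// passed through unchanged.
func TokenArgs(endpoint string, msal bool) []string {
	args := []string{"account", "get-access-token"}
	if !msal {
		return append(args, fmt.Sprintf("--resource=%s", endpoint))
	}
	scope := strings.TrimRight(endpoint, "/")
	if !strings.HasSuffix(scope, "/.default") {
		scope += "/.default"
	}
	return append(args, fmt.Sprintf("--scope=%s", scope))
}

func main() {
	// Sample endpoints constructed for the demonstration.
	fmt.Println(TokenArgs("https://management.azure.com/", false))
	fmt.Println(TokenArgs("https://vault.azure.net/", true))
	fmt.Println(TokenArgs("https://vault.azure.net/.default", true))
}
```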

thomas11 commented 2 years ago

Related question - @manicminer, does contributing to this repo require a CLA?