Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Harmonise Microsoft Authentication APIs with AAD "v2" and MSAL concepts #277

Merged
merged 2 commits into from
Feb 3, 2021
Merged

Harmonise Microsoft Authentication APIs with AAD "v2" and MSAL concepts #277

merged 2 commits into from
Feb 3, 2021

Conversation

mjcheetham
Copy link
Collaborator

Refactor the MicrosoftAuthentication component API signature to accept a set of scopes (string[] scopes) rather than a single "resource ID", and drop the no-longer used remote URL parameter.

Introduce a new wrapper type for the authentication result such that we can drop the dependency on the JWT library and not expose the MSAL AuthenticationResult type either. We only need the access token (as a string) and the account UPN.

Note that technically before we should not have been trying to parse the access token as a JWT because there is no guarantee that STS returns JWTs - they should be treated transparently.

@mjcheetham mjcheetham added engineering Refactoring or build changes auth:microsoft Specific to Microsoft AAD/MSA authentication labels Feb 2, 2021
@mjcheetham
msauth: return MSAL wrapped result rather than JWT AT
216b2a8 
Change the MSAuth GetToken method signature to return a wrapper result
object rather than just the JWT access token. The result wrapper object
includes the account UPN and the wrap AT as returned by MSAL. We do not
need to inspect the claims of the AT (which might not even by a JWT in
some cases anyway) since we have the account info elsewhere.
@mjcheetham
msauth: rename resource to scopes and drop remote URI
28fdf76 
Rename the resource parameter to the MSAuth component to scopes, which
is the AAD "v2" concept. Also drop the remote URI parameter which is no
longer needed.
derrickstolee
derrickstolee approved these changes Feb 2, 2021
View reviewed changes
Copy link
Contributor

@derrickstolee derrickstolee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code looks clean. As for the actual behavior, I'll need to trust your testing. ☑️

@mjcheetham
Copy link
Collaborator Author

Code looks clean. As for the actual behavior, I'll need to trust your testing. ☑️

There should be no behaviour changes at all. All I'm doing is removing a 'jump' method that turns the string resourceId in to a string[] scope with new [] { $"resourceId/.default" }, and introducing a simple transport/wrapper object for the access token + account ID (rather than trying to extract that from the access token ourselves).

@mjcheetham mjcheetham merged commit a9c1810 into git-ecosystem:master Feb 3, 2021
@mjcheetham mjcheetham deleted the msal-api-harmony branch February 3, 2021 10:05
@mjcheetham mjcheetham mentioned this pull request Mar 3, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derrickstolee derrickstolee derrickstolee approved these changes

@dscho dscho Awaiting requested review from dscho

@jeffhostetler jeffhostetler Awaiting requested review from jeffhostetler

@bgavrilMS bgavrilMS Awaiting requested review from bgavrilMS

Assignees
No one assigned
Labels
auth:microsoft Specific to Microsoft AAD/MSA authentication engineering Refactoring or build changes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mjcheetham @derrickstolee