App service support for MI #537
Conversation
There was a problem hiding this comment.
Blockers are:
- query parameter names (docs)
- returned token expiration time is always 0
- fake token responses in tests don't resemble actual responses
Expiration time is always 0 because App Service responses include only expires_on (docs) and MSAL unmarshals only expires_in, using a custom UnmarshalJSON to convert that duration to an instant. Unit tests pass despite this because their fake responses always include expires_in
| @@ -377,8 +394,7 @@ func (c Client) retry(maxRetries int, req *http.Request) (*http.Response, error) | |||
| var resp *http.Response | |||
| var err error | |||
| for attempt := 0; attempt < maxRetries; attempt++ { | |||
| tryCtx, tryCancel := context.WithTimeout(req.Context(), time.Second*15) | |||
| defer tryCancel() | |||
There was a problem hiding this comment.
What's the problem with deferring this?
| case UserAssignedResourceID: | ||
| q.Set(miQueryParameterResourceId, string(t)) | ||
| case UserAssignedObjectID: | ||
| q.Set(miQueryParameterObjectId, string(t)) |
There was a problem hiding this comment.
| q.Set(miQueryParameterObjectId, string(t)) | |
| q.Set("principal_id", string(t)) |
There was a problem hiding this comment.
I don't see this in .net or other msal's
Is this changed for App service only?
There was a problem hiding this comment.
Yes, but it appears I'm out of date on this point, as the docs now state the API will accept object_id as an alias for principal_id. 🤷 I'd still make this change because Azure SDK uses, and tests, principal_id, and these docs have been incorrect before (i.e. if you want to keep using object_id, make sure you test it)
There was a problem hiding this comment.
I tested with object_id and it worked, would you recommend that I also test with principal_id?
There was a problem hiding this comment.
You should run live tests before merging in any case
Updated the resource Id parameter for every source except IMDS
Added support for expires_in different time formats for expire_in support for principle_id for app service in managed identity
| } | ||
|
|
||
| // Function to parse different date formats | ||
| parseExpiresOn := func(expiresOn string) (time.Time, error) { |
There was a problem hiding this comment.
Pls add a comment pointing at AzureAD/microsoft-authentication-library-for-dotnet#4963 to explain when this can occur.
There was a problem hiding this comment.
Maybe I'm overlooking it, but that issue doesn't mention the platform returning the unsupported format
There was a problem hiding this comment.
The CX who reported this didn't make it very clear, it seems to be container + App Service.
There was a problem hiding this comment.
It would be good to know what the linked PR added support for so that support is easier to maintain. Setting that aside, the linked PR added ISO 8601 parsing. Why does this PR have two additional formats?
There was a problem hiding this comment.
We asked, the CX didn't answer. Ultimately, Azure SDK for .NET did not have this problem so it was clearly a regression.
Not objecting to supporting only ISO 8601. The .NET code uses a general-purpose DateTime parser btw https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/4964/files#diff-a7d2338916806e48fb637fd9caad6095fec8537a96d157bc2ea47ab64903fef9R93
I assume Azure.SDK for .NET did the same.
|
Added support for App service
Added support for logging in Managed Identity