
Implementing known_authority_hosts

Open rayluo opened this issue 3 years ago • 1 comments

Implementing the known_authorities behaviors based on the internal design.

The unit tests of this PR are almost as readable as plain English, and are considered as generic acceptance tests for this feature.

This PR also contains the "api reference documentation" for the newly introduced known_authority_hosts parameter.

When merged, this PR will close this internal workitem.

rayluo avatar Aug 08 '22 18:08 rayluo

Azure CLI never used validate_authority and everything works fine. Per our observation, all Azure Stack environments utilizing ADFS have the /adfs postfix in their authentication endpoint URL, which makes MSAL bypass authority verification:

https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/c9a36e952e16f42c6d13315dc3226a0a65c1f59f/msal/authority.py#L78

For example, to verify with the redmond Azure Stack environment:

az cloud register -n redmond --endpoint-resource-manager "https://management.redmond.azurestack.corp.microsoft.com/"
az cloud set -n redmond --profile 2019-03-01-hybrid
az login

az cloud register queries https://management.redmond.azurestack.corp.microsoft.com/metadata/endpoints?api-version=2019-05-01 for endpoints, and the authentication endpoint is https://adfs.redmond.azurestack.corp.microsoft.com/adfs.

jiasli avatar Aug 17 '22 08:08 jiasli
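An added example, not part of the thread and not MSAL's own code: a configuration audit that flags authority URLs whose path is the /adfs postfix described in the comment above (where library-side authority verification is skipped) and whose host is not on an operator-maintained allowlist. The function name, the allowlist and the non-page sample URLs are assumptions made for illustration; matching "adfs" case-insensitively is a conservative choice here, not a statement about MSAL's comparison.

```python
from urllib.parse import urlparse

# Operator-maintained allowlist (assumption for this example). The one entry
# is the authentication endpoint host quoted in the comment above.
TRUSTED_ADFS_HOSTS = {"adfs.redmond.azurestack.corp.microsoft.com"}


def audit_authority(authority_url, trusted_hosts=TRUSTED_ADFS_HOSTS):
    """Classify an authority URL for review.

    Returns:
      "invalid"             - not https, or no host / no tenant path segment
      "not-adfs"            - first path segment is not "adfs"
      "adfs-trusted-host"   - /adfs authority on an allowlisted host
      "adfs-untrusted-host" - /adfs authority on a host nobody has vetted
    """
    parsed = urlparse(authority_url)
    # Use the parsed hostname, never a substring match on the raw URL.
    host = (parsed.hostname or "").rstrip(".").lower()
    segments = [s for s in parsed.path.split("/") if s]
    if parsed.scheme != "https" or not host or not segments:
        return "invalid"
    if segments[0].lower() != "adfs":
        return "not-adfs"
    trusted = {h.lower() for h in trusted_hosts}
    return "adfs-trusted-host" if host in trusted else "adfs-untrusted-host"


def flag_unvetted(authority_urls, trusted_hosts=TRUSTED_ADFS_HOSTS):
    """Return the URLs that need manual review before being configured."""
    bad = {"invalid", "adfs-untrusted-host"}
    return [u for u in authority_urls if audit_authority(u, trusted_hosts) in bad]


if __name__ == "__main__":
    # Constructed sample configuration; only the first URL comes from the page.
    configured = [
        "https://adfs.redmond.azurestack.corp.microsoft.com/adfs",
        "https://login.unknown.example/ADFS/",
        "https://login.microsoftonline.com/common",
        "http://adfs.redmond.azurestack.corp.microsoft.com/adfs",
    ]
    for url in configured:
        print(f"{audit_authority(url):20} {url}")
```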

Closing this without merging, because we ended up going with #496

rayluo avatar Nov 18 '22 08:11 rayluo