From 88017624deccb3e20353f0f1ad57dbbbabc1e742 Mon Sep 17 00:00:00 2001
From: John Doak
Date: Wed, 12 Apr 2023 14:15:12 -0700
Subject: [PATCH] Revert "Change r.login.microsoftonline.com to login.microsoft.com"

This reverts commit 5e54e5e5be6bd8ed8a404f1e77f305567e25ae15.
---
 README.md | 4 +--
 .../internal/oauth/ops/authority/authority.go | 26 ++++---------------
 .../oauth/ops/authority/authority_test.go | 2 +-
 3 files changed, 8 insertions(+), 24 deletions(-)

diff --git a/README.md b/README.md
index 893b1568..c7935dac 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@ Acquiring tokens with MSAL Go follows this general three step pattern. There mig
 * Initializing a public client:
 ```go
- publicClientApp, err := public.New("client_id", public.WithAuthority("https://login.microsoft.com/Enter_The_Tenant_Name_Here"))
+ publicClientApp, err := public.New("client_id", public.WithAuthority("https://login.microsoftonline.com/Enter_The_Tenant_Name_Here"))
 ```
 * Initializing a confidential client:
@@ -54,7 +54,7 @@ Acquiring tokens with MSAL Go follows this general three step pattern. There mig
 if err != nil {
 return nil, fmt.Errorf("could not create a cred from a secret: %w", err)
 }
- confidentialClientApp, err := confidential.New("client_id", cred, confidential.WithAuthority("https://login.microsoft.com/Enter_The_Tenant_Name_Here"))
+ confidentialClientApp, err := confidential.New("client_id", cred, confidential.WithAuthority("https://login.microsoftonline.com/Enter_The_Tenant_Name_Here"))
 ```
 1. MSAL comes packaged with an in-memory cache. Utilizing the cache is optional, but we would highly recommend it.
diff --git a/apps/internal/oauth/ops/authority/authority.go b/apps/internal/oauth/ops/authority/authority.go
index 8c79e5cc..5bebdb8e 100644
--- a/apps/internal/oauth/ops/authority/authority.go
+++ b/apps/internal/oauth/ops/authority/authority.go
@@ -1,7 +1,6 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-// TODO(someone): Write a package description and document everything.
 package authority
 import (
@@ -29,27 +28,16 @@ const (
 regionName = "REGION_NAME"
 defaultAPIVersion = "2021-10-01"
 imdsEndpoint = "http://169.254.169.254/metadata/instance/compute/location?format=text&api-version=" + defaultAPIVersion
-
- autoDetectRegion = "TryAutoDetect"
-)
-
-// These are various hosts that host AAD Instance discovery endpoints.
-const (
- defaultHost = "login.microsoftonline.com"
- loginMicrosoft = "login.microsoft.com"
- loginWindows = "login.windows.net"
- loginSTSWindows = "sts.windows.net"
- loginMicrosoftOnline = defaultHost
+ defaultHost = "login.microsoftonline.com"
+ autoDetectRegion = "TryAutoDetect"
 )
-// jsonCaller is an interface that allows us to mock the JSONCall method.
 type jsonCaller interface {
 JSONCall(ctx context.Context, endpoint string, headers http.Header, qv url.Values, body, resp interface{}) error
 }
-// aadTrustedHostList is a list of trusted hosts for AAD.
 var aadTrustedHostList = map[string]bool{
- loginWindows: true, // Microsoft Azure Worldwide - Used in validation scenarios where host is not this list
+ "login.windows.net": true, // Microsoft Azure Worldwide - Used in validation scenarios where host is not this list
 "login.chinacloudapi.cn": true, // Microsoft Azure China
 "login.microsoftonline.de": true, // Microsoft Azure Blackforest
 "login-us.microsoftonline.com": true, // Microsoft Azure US Government - Legacy
@@ -66,8 +54,6 @@ func TrustedHost(host string) bool {
 return false
 }
-// OAuthResponseBase is the base JSON return message for an OAuth call.
-// This is embedded in other calls to get the base fields from every response.
 type OAuthResponseBase struct {
 Error string `json:"error"`
 SubError string `json:"suberror"`
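Review bot: The new side of the `@@ -66,8 +54,6 @@` hunk leaves the exported `OAuthResponseBase` without a doc comment, and the `@@ -456,8 +442,6 @@` hunk on the next line does the same for the exported method `AADInstanceDiscovery`; the `@@ -29,27 +28,16 @@` hunk likewise drops the comments on `jsonCaller` and `aadTrustedHostList`. Those comments describe behaviour that the endpoint revert does not change, so they can be kept regardless of which regional host is chosen. I would restore at least `// OAuthResponseBase is the base JSON return message for an OAuth call.` above the struct and `// AADInstanceDiscovery attempts to discover a tenant endpoint (used in OIDC auth with an authorization endpoint).` above the method, and replace the reinstated `// TODO(someone): Write a package description and document everything.` with a one-line package comment. The `const` block, `TrustedHost` and `OAuthResponseBase` all start or end outside these hunks.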
@@ -456,8 +442,6 @@ func (c Client) GetTenantDiscoveryResponse(ctx context.Context, openIDConfigurat
 return resp, err
 }
-// AADInstanceDiscovery attempts to discover a tenant endpoint (used in OIDC auth with an authorization endpoint).
-// This is done by AAD which allows for aliasing of tenants (windows.sts.net is the same as login.windows.com).
 func (c Client) AADInstanceDiscovery(ctx context.Context, authorityInfo Info) (InstanceDiscoveryResponse, error) {
 region := ""
 var err error
@@ -470,8 +454,8 @@ func (c Client) AADInstanceDiscovery(ctx context.Context, authorityInfo Info) (I
 if region != "" {
 environment := authorityInfo.Host
 switch environment {
- case loginMicrosoft, loginWindows, loginSTSWindows, defaultHost:
- environment = loginMicrosoft
+ case "login.microsoft.com", "login.windows.net", "sts.windows.net", defaultHost:
+ environment = "r." + defaultHost
 }
 resp.TenantDiscoveryEndpoint = fmt.Sprintf(tenantDiscoveryEndpointWithRegion, region, environment, authorityInfo.Tenant)
 metadata := InstanceDiscoveryMetadata{
diff --git a/apps/internal/oauth/ops/authority/authority_test.go b/apps/internal/oauth/ops/authority/authority_test.go
index 0ce103fc..d33b3677 100644
--- a/apps/internal/oauth/ops/authority/authority_test.go
+++ b/apps/internal/oauth/ops/authority/authority_test.go
@@ -267,7 +267,7 @@ func TestAADInstanceDiscoveryWithRegion(t *testing.T) {
 client := Client{&fakeJSONCaller{}}
 region := "region"
 discoveryPath := "tenant/v2.0/.well-known/openid-configuration"
- publicCloudEndpoint := fmt.Sprintf("https://%s.login.microsoft.com/%s", region, discoveryPath)
+ publicCloudEndpoint := fmt.Sprintf("https://%s.r.login.microsoftonline.com/%s", region, discoveryPath)
 for _, test := range []struct{ host, expectedEndpoint string }{
 {"login.chinacloudapi.cn", fmt.Sprintf("https://%s.login.chinacloudapi.cn/%s", region, discoveryPath)},
 {"login.microsoft.com", publicCloudEndpoint},
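Review bot: In the `@@ -470,8 +454,8 @@` hunk the `case` list and `environment = "r." + defaultHost` carry no comment explaining why these four public-cloud hosts collapse to the `r.` prefix while every other host is used unchanged in the regional endpoint, which is precisely the detail this revert flips; a line such as `// Public-cloud aliases share the regional "r." endpoint; other clouds keep their own host.` above the `switch` would let the intent survive the next change. Separately, for any host outside the case list `environment` is `authorityInfo.Host` interpolated straight into `tenantDiscoveryEndpointWithRegion`, and the hunk does not show where that host is checked against `aadTrustedHostList` (via `TrustedHost` in this file), so it is worth confirming that validation happens earlier in the function rather than being left to the caller. `AADInstanceDiscovery` begins and ends outside this hunk.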