Remove silent auth special case for home tenant aliases #375
Conversation
Kudos, SonarCloud Quality Gate passed! 0 Bugs, No Coverage information
    tenant := silent.TenantID
    if tenant == "" {
Sure looks simpler :)
😆 it's definitely that. For reference, here's AuthParams.WithTenant(), which sets the tenant for each authentication and uses the client's configured tenant when the caller doesn't specify an override.
Signing off on this provided that you've tested that MSAL continues to serve tokens from a cache after the upgrade.
It does; this change passes the prior tests and adds coverage for the affected scenario, and we've also tested it downstream in the Azure SDK and azd.
#366 made access token cache reads prefer a user's home tenant over an alias for that tenant ("common", "organizations"). However, it didn't make a corresponding change to cache writes, which use the alias for the realm. The result is an unnecessary token request during silent auth because the cache wrote a token for e.g. "common" and the client searches for one matching the home tenant.
This PR prevents that unnecessary request by making the cache tenant agnostic according to the rationale here: AzureAD/microsoft-authentication-library-for-python#341 (comment). When the client requests a token from "common", for example, it will cache that token with realm "common". I first took the other approach, having cache writes follow reads in replacing aliases with the user's home tenant ID, but found making that work might require a separate implementation of AcquireTokenSilent for OBO authentication. The "tenant agnostic" approach is much simpler.
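The read/write mismatch the description above talks about, and the tenant-agnostic alternative, modelled as an added example. This is not MSAL Go's code: it uses a toy cache keyed by (account, client, realm), a boolean that stands in for the "reads prefer the home tenant" behaviour, and constructed tenant, account and token strings. It counts how many silent-auth calls for "common" have to go to the network under each policy.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample identities for the scenario; not real tenant or account IDs.
const (
	sampleHomeTenant = "11111111-2222-3333-4444-555555555555"
	sampleAccount    = "user-home-account-id"
	sampleClient     = "client-id"
)

// cacheKey is a simplified stand-in for an MSAL access token cache key
// (the real key carries more fields, e.g. scopes and environment).
type cacheKey struct {
	homeAccountID, clientID, realm string
}

type tokenCache struct {
	entries map[cacheKey]string
}

func newTokenCache() *tokenCache {
	return &tokenCache{entries: map[cacheKey]string{}}
}

// isTenantAlias reports whether the requested tenant is one of the aliases
// named in the PR description rather than a concrete tenant ID.
func isTenantAlias(tenant string) bool {
	switch strings.ToLower(tenant) {
	case "common", "organizations":
		return true
	}
	return false
}

// read looks up a token. With preferHomeTenant set (the pre-PR read behaviour
// as the description states it) an alias in the request is swapped for the
// user's home tenant before the lookup.
func (c *tokenCache) read(account, client, tenant, homeTenant string, preferHomeTenant bool) (string, bool) {
	realm := tenant
	if preferHomeTenant && isTenantAlias(tenant) {
		realm = homeTenant
	}
	tok, ok := c.entries[cacheKey{account, client, realm}]
	return tok, ok
}

// write stores the token under the realm the client requested, alias or not.
// The description says the pre-PR write path already did this, and the
// tenant-agnostic PR keeps it on both the read and the write side.
func (c *tokenCache) write(account, client, tenant, token string) {
	c.entries[cacheKey{account, client, tenant}] = token
}

// acquireTokenSilent returns a cached token or, on a miss, "requests" one and
// caches it. It reports whether a network round trip was needed.
func acquireTokenSilent(c *tokenCache, tenant string, preferHomeTenant bool) (token string, networkRequest bool) {
	if tok, ok := c.read(sampleAccount, sampleClient, tenant, sampleHomeTenant, preferHomeTenant); ok {
		return tok, false
	}
	tok := "at-issued-for-" + tenant // constructed stand-in for a token from the STS
	c.write(sampleAccount, sampleClient, tenant, tok)
	return tok, true
}

// countNetworkRequests runs silent auth for "common" n times on a fresh cache
// and counts round trips. With a working cache only the first call should
// reach the network.
func countNetworkRequests(n int, preferHomeTenant bool) int {
	c := newTokenCache()
	requests := 0
	for i := 0; i < n; i++ {
		if _, net := acquireTokenSilent(c, "common", preferHomeTenant); net {
			requests++
		}
	}
	return requests
}

func main() {
	fmt.Println("reads prefer home tenant, writes use alias:", countNetworkRequests(3, true), "requests")
	fmt.Println("tenant agnostic:                         ", countNetworkRequests(3, false), "requests")
}
```

With the mismatched policy every call misses, because the entry is written under realm "common" and read under the home tenant ID, so three calls mean three requests; with the tenant-agnostic policy only the first call goes to the network. The model also makes the trade-off visible: a token cached under "common" is not returned to a later request that names the home tenant explicitly, since those are different realms in this cache, which is the behaviour the linked Python rationale accepts.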