
[Identity] Adding regional STS support #15778

Merged (11 commits) on Jun 18, 2021

Conversation

@sadasant (Contributor) commented Jun 16, 2021

Added regional STS support to client credential types.

  • Added the RegionalAuthority type, that allows specifying Azure regions.
  • Added regionalAuthority property to ClientSecretCredentialOptions and ClientCertificateCredentialOptions.
  • If instead of a region, autoDiscoverRegion is specified as the value for regionalAuthority, MSAL will be used to attempt to discover the region.
  • A region can also be specified through the AZURE_REGIONAL_AUTHORITY_NAME environment variable.

Fixes #15762
Fixes #15714

@@ -43,7 +43,8 @@
"test:node": "npm run clean && npm run build:test && npm run unit-test:node && npm run integration-test:node",
"test": "npm run clean && npm run build:test && npm run unit-test && npm run integration-test",
"unit-test:browser": "karma start --single-run",
"unit-test:node": "mocha -r esm -r ts-node/register --reporter ../../../common/tools/mocha-multi-reporter.js --timeout 180000 --full-trace --exclude \"test/**/browser/**/*.spec.ts\" \"test/**/*.spec.ts\"",
"unit-test:node": "mocha -r esm -r ts-node/register --reporter ../../../common/tools/mocha-multi-reporter.js --timeout 300000 --full-trace --exclude \"test/**/browser/**/*.spec.ts\" \"test/**/*.spec.ts\"",
"unit-test:node:no-timeouts": "mocha -r esm -r ts-node/register --reporter ../../../common/tools/mocha-multi-reporter.js --no-timeouts --full-trace --exclude \"test/**/browser/**/*.spec.ts\" \"test/**/*.spec.ts\"",
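Review bot: the new `unit-test:node:no-timeouts` script disables mocha's timeout entirely, so a test that hangs (for example a region auto-discovery probe that waits on IMDS, as raised later in this thread) would never finish; it is right that this hunk leaves `test:node` wired to `unit-test:node` rather than the no-timeouts variant, and it would help to document the new script as a local-debugging entry point only. Raising the global `--timeout` from 180000 to 300000 ms also makes it harder to notice when a playback test becomes slow; scoping the longer budget to the live regional test with `this.timeout(...)` inside that test would keep the default strict for everything else.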
Contributor Author (@sadasant):

I’ve increased the timeout because the live regional test is very time consuming. I’ve added a no-timeouts line here to help testing. We have something similar on Key Vault.

Member:

My understanding is we can't fix the tests to be fast because it depends on MSAL and MSAL is slow, even for unit tests? In theory these shouldn't be unit tests, but live tests if they need external deps.

Contributor Author (@sadasant):

These are live tests. On playback they are pretty fast. In the three tests I’m adding here, only one does finish. The one that finishes takes 27 seconds.

Member:

The reason these tests are taking so long is because the test is using the region RegionalAuthority.AutoDiscoverRegion. This results in MSAL trying to discover the region it is running in which it does, in part, by trying to query IMDS. I'm assuming this is likely timing out if you're running in a local environment.

Contributor Author (@sadasant):

There are alternatives that may work that seem complicated in my mind. The alternative that seems simple is to remove the live test. We have two other tests that verify that the parameter is sent through MSAL, which should be enough. What do you think?

Contributor Author (@sadasant):

Oh I can record this test with a specific region, then only enable it for playback 🤔 I’ll do that for now

Contributor Author (@sadasant):

It’s not timing out though, the recordings show all 200s 🤔

Member @xirzec left a comment:

Looks nice and clean to me. Some minor comments, but I defer to @schaabs for the final naming/shape of things.


constructor(options: MsalNodeOptions) {
super(options);
this.msalConfig = this.defaultNodeMsalConfig(options);
this.clientId = this.msalConfig.auth.clientId;
this.azureRegion = options.regionalAuthority || process.env.AZURE_REGIONAL_AUTHORITY_NAME;
Member:

This seems like the right priority, but I wonder if the env variable should trump the auto discover setting or not. I don't have strong feelings about it though, since it's easiest to say the option passed always wins.

Member:

I can see your point about auto discover, however, I think we should stick to the convention that code configuration always wins as you put it. We follow this convention with all our other supported environment variables. Altering this behavior based on the value specified adds a lot of complexity without much benefit.
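The resolution order the PR description gives (the `regionalAuthority` option first, then the `AZURE_REGIONAL_AUTHORITY_NAME` environment variable, with the auto-discover marker handed to MSAL as the region) and the "code configuration always wins" convention settled in the exchange above, as an added example that is not the PR's or the SDK's own code. It goes one step beyond the constructor one-liner shown in the review by validating the resolved value against the known region strings, so a mistyped environment variable is rejected rather than silently forwarded to the token endpoint. The `resolveRegionalAuthority` and `buildMsalAuthConfig` names, the `azureRegion` config key, the shortened enum member names and the three-region subset are assumptions made for the example.

```typescript
// Added example (not the azure-sdk-for-js PR's own code). Resolves the regional
// authority for a client credential: the option passed in code wins, then the
// AZURE_REGIONAL_AUTHORITY_NAME environment variable; "AUTO_DISCOVER" asks MSAL
// to discover the region. Unknown values are rejected instead of forwarded.

// Subset of the RegionalAuthority values the PR enumerates; the member names are
// shortened here for readability (an assumption, not the PR's exact names).
enum RegionalAuthority {
  AustraliaCentral = "australiacentral",
  AustraliaEast = "australiaeast",
  AustraliaSouthEast = "australiasoutheast",
  AutoDiscoverRegion = "AUTO_DISCOVER",
}

interface RegionalCredentialOptions {
  clientId: string;
  // Accepts the enum or a raw string so a caller can pass what it read from config.
  regionalAuthority?: RegionalAuthority | string;
}

// Minimal stand-in for the msal-node auth config; the azureRegion key is an
// assumption about where MSAL reads the region from.
interface MsalAuthConfig {
  clientId: string;
  azureRegion?: string;
}

// Allow-list of values that may reach the STS; anything else is a configuration error.
const KNOWN_REGIONS: string[] = [
  RegionalAuthority.AustraliaCentral,
  RegionalAuthority.AustraliaEast,
  RegionalAuthority.AustraliaSouthEast,
  RegionalAuthority.AutoDiscoverRegion,
];

// Returns the region string to hand to MSAL, or undefined when nothing was configured.
// The env map is an explicit parameter so the precedence rule is testable without process.env.
function resolveRegionalAuthority(
  options: RegionalCredentialOptions,
  env: Record<string, string | undefined>,
): string | undefined {
  // Code configuration always wins over the environment (the convention agreed in review);
  // blank strings from either source count as "not set", matching the PR's `||` fallback.
  const fromOption = options.regionalAuthority?.trim();
  const fromEnv = env.AZURE_REGIONAL_AUTHORITY_NAME?.trim();
  const candidate = fromOption ? fromOption : fromEnv;
  if (!candidate) {
    return undefined;
  }
  if (KNOWN_REGIONS.indexOf(candidate) === -1) {
    throw new Error(
      `Unknown regional authority "${candidate}": use a RegionalAuthority value or AutoDiscoverRegion`,
    );
  }
  return candidate;
}

function buildMsalAuthConfig(
  options: RegionalCredentialOptions,
  env: Record<string, string | undefined>,
): MsalAuthConfig {
  const region = resolveRegionalAuthority(options, env);
  // Omit the key entirely when no region is configured so MSAL keeps its global default.
  return region === undefined
    ? { clientId: options.clientId }
    : { clientId: options.clientId, azureRegion: region };
}

// Constructed inputs for a stand-alone run; the client id is a placeholder.
const demoEnv = { AZURE_REGIONAL_AUTHORITY_NAME: "australiacentral" };
console.log(
  buildMsalAuthConfig(
    { clientId: "client-id-placeholder", regionalAuthority: RegionalAuthority.AustraliaEast },
    demoEnv,
  ),
);
console.log(
  buildMsalAuthConfig({ clientId: "client-id-placeholder" }, { AZURE_REGIONAL_AUTHORITY_NAME: "AUTO_DISCOVER" }),
);
```

Passing the environment map in explicitly rather than reading `process.env` inside the function keeps the precedence rule unit-testable in playback without touching the real environment, which is the kind of test the thread above says is fast; the allow-list check is what turns a typo in `AZURE_REGIONAL_AUTHORITY_NAME` into a loud startup error instead of a puzzling token request.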

AustraliaCentralValue = "australiacentral",
AustraliaEastValue = "australiaeast",
AustraliaSouthEastValue = "australiasoutheast",
AutoDiscoverRegion = "AUTO_DISCOVER",
Member:

It's interesting that MSAL for node seems to use a different constant for this than .NET, which uses the string constant "TryAutoDetect" which it exposes as a constant AttemptRegionDiscovery. Does MSAL for node have a constant defined for this? If so I think we should use it to ensure we're always in sync with this value.

Contributor Author (@sadasant):

I don’t see it here: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/regional-authorities.md

I’ll ask the MSAL team.

What is the value of the AutoDiscoverRegion in .NET? I don’t quite understand it in the .NET PR. What would be the equivalent for JS from the public API perspective? I can hide the internals.

Contributor Author (@sadasant):

As discussed, I’ll use the value AutoDiscoverRegion for now.

Member @schaabs left a comment:

Just a couple of minor comments. Otherwise, looks great!

Member @witemple-msft left a comment:

Couple of nits.

ghost commented Jun 18, 2021:

Hello @sadasant!

Because this pull request has the auto-merge label, I will be glad to assist with helping to merge this pull request once all check-in policies pass.

p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (@msftbot) and give me an instruction to get started! Learn more here.

@ghost ghost merged commit 32c780f into Azure:master Jun 18, 2021