Add TokenIssuancePolicy #215
Conversation
There was a problem hiding this comment.
Hi @kenchan0130, thanks for contributing to this SDK! Overall this is looking great. I have just one comment about a method signature/behavior which is mainly about trying to be consistent between client methods. If you can take a look at this, this should be good to merge. Thanks!
msgraph/serviceprincipals.go
Outdated
| @@ -778,3 +778,135 @@ func (c *ServicePrincipalsClient) AssignAppRoleForResource(ctx context.Context, | |||
|
|
|||
| return &appRoleAssignment, status, nil | |||
| } | |||
|
|
|||
| // AssignTokenIssuancePolicy assigns tokenIssuancePolicies to a service principal | |||
| func (c *ServicePrincipalsClient) AssignTokenIssuancePolicy(ctx context.Context, servicePrincipal *ServicePrincipal) (int, error) { | |||
There was a problem hiding this comment.
@manicminer
As you have said in #215 (comment), I have made the interface like AssignClaimsMappingPolicy.
However, I would like to be sure that my current changes are not a problem for the overall design policy of ServicePrincipalClient, as it differs from your opinion.
There was a problem hiding this comment.
@kenchan0130 Thanks for updating. As per my earlier comment, I think it would be best to use a function signature like:
func (c *ServicePrincipalsClient) AssignTokenIssuancePolicy(ctx context.Context, servicePrincipalId string, TokenIssuancePolicy) (int, error) {
// ...
}or, if multiple policies can be assigned in one operation:
func (c *ServicePrincipalsClient) AssignTokenIssuancePolicy(ctx context.Context, servicePrincipalId string, []TokenIssuancePolicy) (int, error) {
// ...
}The reason we differ from this in the case of Owners, Members etc is that these are relational rather than child objects and as such they require the full OData ID to construct a link field. For an example of child objects have a look at the ApplicationsClient{}.AddPassword() method.
Secondly, for the question of whether this operation should happen for applications or service principals, I note that the docs only seem to cover the /applications/{id}/tokenIssuancePolicies endpoint - could it be that these are applicable to both /applications/{id}/tokenIssuancePolicies and /servicePrincipals/{id}/tokenIssuancePolicies? If so, it would be nice to add methods to both clients here to offers users the choice. But if this is a case of the docs being wrong, I am happy to defer to your experience here.
There was a problem hiding this comment.
Thanks for updating. As per my earlier comment, I think it would be best to use a function signature like
OK, I understand.
I changed interfaces bd28117.
Secondly, for the question of whether this operation should happen for applications or service principals, I note that the docs only seem to cover the
/applications/{id}/tokenIssuancePoliciesendpoint - could it be that these are applicable to both/applications/{id}/tokenIssuancePolicies and /servicePrincipals/{id}/tokenIssuancePolicies?
I have tried to apply a policy to the application as follows and found that this request results in an error.
curl 'https://graph.microsoft.com/v1.0/applications/a191c3d6-9371-446a-a4aa-647226be2f1b/tokenIssuancePolicies/$ref' \
-H 'Authorization: Bearer xxxxx' \
--data-raw '{"@odata.id":"https://graph.microsoft.com/v1.0/policies/tokenIssuancePolicies/8efb6001-1369-4c68-be2d-04182c8edd76"}'{
"error": {
"code": "Request_BadRequest",
"message": "Policy operations on v2 application are disabled.",
"innerError": {
"date": "2023-03-02T14:55:42",
"request-id": "3ce11a1a-d63a-4100-9bf8-c83ca1666fbd",
"client-request-id": "663c72ad-ccc3-2eef-38aa-3ea17b11a44b"
}
}
}Therefore, I chose not to implement it for the application.
|
The fail in this test does not appear to be related to any change in my code. |
kenchan0130
force-pushed
the
patch-token-issuance-policy
branch
2 times, most recently
from
537c1b1
to
e42673e
Compare
|
I rebased it to remove the conflict with the main branch. |
This adds initial support for the TokenIssuancePolicy resource. Graph API Reference: https://learn.microsoft.com/en-us/graph/api/resources/tokenissuancepolicy?view=graph-rest-1.0
This adds tokenIssuancePolicy assignment support for Applications and implements Assign, List and Remove. Graph API Reference: https://learn.microsoft.com/en-us/graph/api/application-post-tokenissuancepolicies?view=graph-rest-1.0 https://learn.microsoft.com/en-us/graph/api/application-list-tokenissuancepolicies?view=graph-rest-1.0 https://learn.microsoft.com/en-us/graph/api/application-delete-tokenissuancepolicies?view=graph-rest-1.0
kenchan0130
force-pushed
the
patch-token-issuance-policy
branch
from
e42673e
to
bd28117
Compare
|
@manicminer |
|
@manicminer |
There was a problem hiding this comment.
@kenchan0130 Many thanks for clarifying and updating. Sorry for the delay, this LGTM 🚀
This adds initial support for the TokenIssuancePolicy resource.
Represents the policy to specify the characteristics of SAML tokens issued by Azure AD. You can use token issuance policies to:
I believe it will also be useful for adding resources to azure ad terraform in the future, as it will be used to configure the SAML signature algorithm, etc.
https://learn.microsoft.com/en-us/graph/api/resources/tokenissuancepolicy?view=graph-rest-1.0