Support CAE #16852
Support CAE #16852
Conversation
|
/azp run azure-powershell - windows-powershell |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run azure-powershell - powershell-core |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run |
|
Azure Pipelines successfully started running 3 pipeline(s). |
|
Request @dolauli to review the part related to autorest-based cmdlets ( |
src/Accounts/Authentication/Authentication/AuthenticationFailedExceptionExtention.cs
Outdated
Show resolved
Hide resolved
| private bool TryParseUnknownAuthenticationException(AuthenticationFailedException exception, out string message) | ||
| { | ||
|
|
There was a problem hiding this comment.
Shall we move the method out of this class because (1) this class is already very long (2) the logic of parsing MsalServiceException is not strongly tied to Connect-AzAccount (3) it's easier to test
We can have a static helper class that handles details of authentication exceptions.
There was a problem hiding this comment.
Currently no other place to use the TryParseUnknownAuthenticationException and its logic is very specific for login. We can extract it when we find other place can share the logic.
src/Accounts/Accounts/ChangeLog.md
Outdated
| * Implemented CAE by adding handler to http pipeline | ||
| * Improved error message when login is blocked by AAD | ||
| * Improved error message when silent reauthentication failed | ||
| * Enabled CAE for Get-AzTenant and Get-AzSubcription | ||
| * Enabled CAE for MSGraph | ||
| * Added test cases |
There was a problem hiding this comment.
A few suggestions on the changelogs: (1) use the full term "continuous access evaluation" for the first appearance of "CAE" (2) hide implementation details that are not so useful to the customers (such as adding handler and test cases)
| @@ -115,8 +117,7 @@ public void OnNewRequest(InvocationInfo invocationInfo, string correlationId, st | |||
| { | |||
| endpointResourceIdKey = endpointResourceIdKey ?? AzureEnvironment.Endpoint.ResourceManager; | |||
| var context = GetDefaultContext(_provider, invocationInfo); | |||
| await AuthorizeRequest(context, request, cancelToken, endpointResourceIdKey, endpointSuffixKey, tokenAudienceConverter); | |||
| return await next(request, cancelToken, cancelAction, signal); | |||
There was a problem hiding this comment.
As we disscussed in today's meeting, we would like to revisit the part of the design related to autorest -- instead of adding CAE logic to the AddAuthorizeRequestHandler method, which has little to do with CAE, it seems better to spilt that into a new handler specially for CAE.
However, redoing authentication requires information about the access token (such as environment, audience). If the logic is departed from authentication, how does it get those info?
A second concern is about calling next(). We want to retry the failed request by calling next() for the second time (line 211), however if there are more handlers after this one, those handlers will be called twice against the same http request, which may have side-effect such as duplicated HTTP header. Is there a way allowing us to resend the request without duplicately calling the handlers?
There was a problem hiding this comment.
As we disscussed in today's meeting, we would like to revisit the part of the design related to autorest -- instead of adding CAE logic to the
AddAuthorizeRequestHandlermethod, which has little to do with CAE, it seems better to spilt that into a new handler specially for CAE.However, redoing authentication requires information about the access token (such as environment, audience). If the logic is departed from authentication, how does it get those info?
A second concern is about calling
next(). We want to retry the failed request by callingnext()for the second time (line 211), however if there are more handlers after this one, those handlers will be called twice against the same http request, which may have side-effect such as duplicated HTTP header. Is there a way allowing us to resend the request without duplicately calling the handlers?
Thanks for @isra-fel's conclusions. After the discussion with @dolauli, we find a way to seperate the authentication and reauthentication steps. However, the codes of these 2 parts are coupled, we decide to include them into one step currently.
@dolauli Could you help to review the related codes?
Thanks
* prototype for CAE * CAE issue fix * Improved error message when login is blocked by AAD * Improved error message when silent reauthentication failed * Enable CAE for Get-AzTenant and Get-AzSubcription * Add test case Co-authored-by: Erich(Renyong) Wang <[email protected]>
…r autorest *Enable CAE for MSGraph (Azure#16766)
msJinLei
requested review from
bilaakpan-ms and
grizzlytheodore
as code owners
|
/azp run azure-powershell - powershell-core |
|
Azure Pipelines successfully started running 1 pipeline(s). |
isra-fel
removed request for
grizzlytheodore,
Sandido,
bilaakpan-ms and
haagha
|
/azp run |
|
Azure Pipelines successfully started running 3 pipeline(s). |
|
/azp run azure-powershell - powershell-core |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run azure-powershell - powershell-core |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Description
Related issue
Checklist
CONTRIBUTING.mdChangeLog.mdfile(s) has been updated:ChangeLog.mdfile can be found atsrc/{{SERVICE}}/{{SERVICE}}/ChangeLog.md## Upcoming Releaseheader -- no new version header should be added