Supports GUID/scope and https://contoso.com//scope

rayluo · rayluo · commit f183da557b50 · 2025-01-25T20:43:18.000-08:00
diff --git a/msal/cloudshell.py b/msal/cloudshell.py
@@ -32,8 +32,12 @@ def _scope_to_resource(scope):  # This is an experimental reasonable-effort appr
         if scope.startswith(a):
             return a
     u = urlparse(scope)
+    if not u.scheme and not u.netloc:  # Typically the "GUID/scope" case
+        return u.path.split("/")[0]
     if u.scheme:
-        return "{}://{}".format(u.scheme, u.netloc)
+        trailer = (  # https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#trailing-slash-and-default
+            "/" if u.path.startswith("//") else "")
+        return "{}://{}{}".format(u.scheme, u.netloc, trailer)
     return scope  # There is no much else we can do here
 
 
diff --git a/tests/test_cloudshell.py b/tests/test_cloudshell.py
@@ -0,0 +1,21 @@
+import unittest
+from msal.cloudshell import _scope_to_resource
+
+class TestScopeToResource(unittest.TestCase):
+
+    def test_expected_behaviors(self):
+        for scope, expected_resource in {
+            "https://analysis.windows.net/powerbi/api/foo":
+                "https://analysis.windows.net/powerbi/api",  # A special case
+            "https://pas.windows.net/CheckMyAccess/Linux/.default":
+                "https://pas.windows.net/CheckMyAccess/Linux/.default",  # Special case
+            "https://double-slash.com//scope": "https://double-slash.com/",
+            "https://single-slash.com/scope": "https://single-slash.com",
+            "guid/some/scope": "guid",
+            "797f4846-ba00-4fd7-ba43-dac1f8f63013/.default":  # Realistic GUID
+                "797f4846-ba00-4fd7-ba43-dac1f8f63013"
+        }.items():
+            self.assertEqual(_scope_to_resource(scope), expected_resource)
+
+if __name__ == '__main__':
+    unittest.main()
