14 changes: 7 additions & 7 deletions tests/test_e2e.py
@@ -412,22 +412,22 @@ def test_adfs2019_onprem_acquire_token_by_auth_code(self):
self.assertCacheWorksForUser(result, scopes, username=None)

@unittest.skipUnless(
os.getenv("OBO_CLIENT_SECRET"),
"Need OBO_CLIENT_SECRET from https://buildautomation.vault.azure.net/secrets/IdentityDivisionDotNetOBOServiceSecret")
os.getenv("LAB_OBO_CLIENT_SECRET"),
"Need LAB_OBO_CLIENT SECRET from https://msidlabs.vault.azure.net/secrets/TodoListServiceV2-OBO/c58ba97c34ca4464886943a847d1db56")
def test_acquire_token_obo(self):
# Some hardcoded, pre-defined settings
obo_client_id = "23c64cd8-21e4-41dd-9756-ab9e2c23f58c"
Contributor
Per our earlier discussion, have we investigated why our previous test setup suddenly failed in the first place? Most of those previous settings were obtained from MSAL .Net's OBO test case, which seems to be still working?

Contributor Author
MSAL .Net's OBO test case is an app set up in Travis's personal tenant. He had preconfigured the apps to work with the lab account we use. There was a change in the cloud accounts returned by the lab API recently. The account we end up using to run these tests was not consented on Travis's app. While we can grant this consent for the first app using interactive auth, we will have to rely on Travis to add consent to this account for the second confidential client app in this test case.
I confirmed with Travis that .NET test cases are failing too because of this change.
So, the best thing to do is move to using the accounts provided by lab so that they take care of this consent internally when they add new accounts that are returned by their API.
As an aside, I am talking to Gladwin about how these API changes can be communicated so that we don't break the tests.

downstream_scopes = ["https://graph.microsoft.com/User.Read"]
obo_client_id = "f4aa5217-e87c-42b2-82af-5624dd14ee72"
downstream_scopes = ["https://graph.microsoft.com/.default"]
config = self.get_lab_user(usertype="cloud")

# 1. An app obtains a token representing a user, for our mid-tier service
pca = msal.PublicClientApplication(
"be9b0186-7dfd-448a-a944-f771029105bf", authority=config.get("authority"))
"c0485386-1e9a-4663-bc96-7ab30656de7f", authority=config.get("authority"))
pca_result = pca.acquire_token_by_username_password(
config["username"],
self.get_lab_user_secret(config["lab_name"]),
scopes=[ # The OBO app's scope. Yours might be different.
"%s/access_as_user" % obo_client_id],
"api://%s/read" % obo_client_id],
)
self.assertIsNotNone(
pca_result.get("access_token"),
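Review bot: the new skipUnless message reads "Need LAB_OBO_CLIENT SECRET from ..." while the guard itself checks os.getenv("LAB_OBO_CLIENT_SECRET"); the missing underscore will send whoever sets up the environment after a variable name that does not exist, so the message should say "Need LAB_OBO_CLIENT_SECRET from ...". Separately, downstream_scopes moves from "https://graph.microsoft.com/User.Read" to "https://graph.microsoft.com/.default", which requests whatever Graph permissions are already consented for the OBO app rather than one named permission; a one-line comment noting that the test depends on the lab app's preconfigured consent (the reason given in the discussion above) would stop the next reader from narrowing it back to User.Read and reintroducing the consent failure this change works around.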
@@ -436,7 +436,7 @@ def test_acquire_token_obo(self):
# 2. Our mid-tier service uses OBO to obtain a token for downstream service
cca = msal.ConfidentialClientApplication(
obo_client_id,
client_credential=os.getenv("OBO_CLIENT_SECRET"),
client_credential=os.getenv("LAB_OBO_CLIENT_SECRET"),
authority=config.get("authority"),
# token_cache= ..., # Default token cache is all-tokens-store-in-memory.
# That's fine if OBO app uses short-lived msal instance per session.
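Review bot: client_credential=os.getenv("LAB_OBO_CLIENT_SECRET") now agrees with the name the skipUnless decorator checks, but the secret is looked up in two separate places by string. Reading it once into a module-level constant, e.g. LAB_OBO_CLIENT_SECRET = os.getenv("LAB_OBO_CLIENT_SECRET"), and using that in both the decorator and the ConfidentialClientApplication call would keep the guard and the credential from drifting apart in a future rename like this one, where only the message was left with the old spelling.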