Skip to content

[Profile] az account get-access-token: Show expiresOn for Managed Identity#14128

Merged
jiasli merged 5 commits intoAzure:devfrom
jiasli:expires-on
Jul 6, 2020
Merged

[Profile] az account get-access-token: Show expiresOn for Managed Identity#14128
jiasli merged 5 commits intoAzure:devfrom
jiasli:expires-on

Conversation

@jiasli
Copy link
Member

@jiasli jiasli commented Jun 29, 2020
edited
Loading

Description

Currently, az account get-access-token shows "expiresOn": "N/A" for Managed Identity:

> az login --identity
> az account get-access-token
{
  "accessToken": "eyJ0eXAi...",
  "expiresOn": "N/A",
  "subscription": "0b1f6471-1bf0-4dda-aec3-cb9272f09590",
  "tenant": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
  "tokenType": "Bearer"
}

It works for a user account:

> az login
> az account get-access-token
{
  "accessToken": "eyJ0eXAi...",
  "expiresOn": "2020-06-29 17:22:16.443545",
  "subscription": "a18897a6-7e44-457d-9260-f2854c0aca42",
  "tenant": "72f988bf-86f1-41af-91ab-2d7cd011db47",
  "tokenType": "Bearer"
}

This is because msrestazure.azure_active_directory.MSIAuthentication's token entry has expires_on, while ADAL's token entry has expiresOn.

This PRs fixes this by converting the epoch expires_on to ISO expiresOn:

> az account get-access-token
{
  "accessToken": "eyJ0eXAi...",
  "expiresOn": "2020-06-30 06:14:41.000000",
  "subscription": "0b1f6471-1bf0-4dda-aec3-cb9272f09590",
  "tenant": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
  "tokenType": "Bearer"
}

Testing Guide

az login --identity
az account get-access-token

More info

In fact, the REST call in ADAL for token retrieval is:

Request:

POST https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token HTTP/1.1

Response:

{
    "token_type": "Bearer",
    "scope": "user_impersonation",
    "expires_in": "3595",
    "ext_expires_in": "3595",
    "expires_on": "1593413327",
    "not_before": "1593409427",
    "resource": "https://management.core.windows.net/",
    "access_token": "...",
    "refresh_token": "...",
    "foci": "1"
}

ADAL ignores expires_on, but calculates expiresOn based on the current time and expires_in.

https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/6f0c4755658fbbacf50de684c16eb378d1dbfb92/adal/oauth2_client.py#L187

now = datetime.now()
soon = timedelta(seconds=expires_in)
wire_response[OAuth2.ResponseParameters.EXPIRES_ON] = str(now + soon)

This is why the microsecond 443545 appears in "expiresOn": "2020-06-29 17:22:16.443545", while expires_on is an integer 1593413327.

@jiasli jiasli requested a review from arrownj as a code owner June 29, 2020 07:03
@jiasli jiasli requested a review from qianwens June 29, 2020 07:03
@jiasli jiasli self-assigned this Jun 29, 2020
@yonzhan
Copy link
Collaborator

yonzhan commented Jun 29, 2020

add to S172

@yonzhan yonzhan added this to the S172 milestone Jun 29, 2020
@jiasli jiasli requested review from yonzhan and yungezz June 30, 2020 03:58
jiasli
jiasli commented Jun 30, 2020
View reviewed changes
.github/CODEOWNERS
/src/azure-cli/azure/cli/command_modules/privatedns/ @MyronFanQiu @haroldrandom
/src/azure-cli/azure/cli/command_modules/policyinsights/ @cheggert
/src/azure-cli/azure/cli/command_modules/profile/ @jiasli @arrownj
/src/azure-cli/azure/cli/command_modules/profile/ @jiasli @arrownj @qianwens
Copy link
Member Author

@jiasli jiasli Jun 30, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yungezz @yonzhan , I am adding @qianwens as the code owner too.

yonzhan
yonzhan approved these changes Jun 30, 2020
View reviewed changes
Copy link
Collaborator

@yonzhan yonzhan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

arrownj
arrownj approved these changes Jul 3, 2020
View reviewed changes
Copy link
Contributor

@arrownj arrownj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

jiasli
jiasli commented Jul 3, 2020
View reviewed changes
@yonzhan
Copy link
Collaborator

yonzhan commented Jul 3, 2020

add to S172

@jiasli jiasli merged commit 231bd55 into Azure:dev Jul 6, 2020
@jiasli jiasli deleted the expires-on branch July 6, 2020 05:05
@jiasli jiasli mentioned this pull request Sep 14, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Juliehzl Juliehzl Juliehzl approved these changes

@yonzhan yonzhan yonzhan approved these changes

@yungezz yungezz Awaiting requested review from yungezz

+2 more reviewers

@arrownj arrownj arrownj approved these changes

@qianwens qianwens qianwens approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@jiasli jiasli

Labels

None yet

Projects

None yet

Milestone

S172

Development

Successfully merging this pull request may close these issues.

5 participants

@jiasli @yonzhan @arrownj @qianwens @Juliehzl