Skip to content

[Identity] connection_verify not working in Azure Identity #11944

New issue
New issue
Closed
#11892
Closed
[Identity] connection_verify not working in Azure Identity#11944
#11892
Assignees
chlowell
Labels
Azure.IdentityClientThis issue points to a problem in the data-plane of the library.bugThis issue requires a change to an existing behavior in the product in order to be resolved.
Milestone
[2020] July
@jiasli

Description

@jiasli
jiasli
opened on Jun 10, 2020
  • Package Name: Identity
  • Package Version: 1.4.0b4
  • Operating System: Windows
  • Python Version: 3.8.3

Describe the bug
When connection_verify=False is used to create any credential, like InteractiveBrowserCredential, RequestsTransport will be configured as self.connection_config.verify=False:

azure-sdk-for-python/sdk/core/azure-core/azure/core/pipeline/transport/_requests_basic.py

Line 197 in 0e82fae

self.connection_config = ConnectionConfiguration(**kwargs)

azure-sdk-for-python/sdk/core/azure-core/azure/core/configuration.py

Line 114 in 5ec0b1d

self.verify = kwargs.pop('connection_verify', True)

However, when a real request is made:

azure-sdk-for-python/sdk/identity/azure-identity/azure/identity/_internal/msal_transport_adapter.py

Lines 104 to 112 in b299320

def get(self, url, headers=None, params=None, timeout=None, verify=None, **kwargs):
# type: (str, Optional[Mapping[str, str]], Optional[Dict[str, str]], float, bool, Any) -> MsalTransportResponse
request = HttpRequest("GET", url, headers=headers)
if params:
request.format_parameters(params)
response = self._pipeline.run(
request, stream=False, connection_timeout=timeout, connection_verify=verify, **kwargs
)
return MsalTransportResponse(response)

verify will default to None, resulting in connection_verify=None being sent to self._pipeline.run. This causes self.connection_config.verify being overridden.

azure-sdk-for-python/sdk/core/azure-core/azure/core/pipeline/transport/_requests_basic.py

Line 265 in 0e82fae

verify=kwargs.pop('connection_verify', self.connection_config.verify),

image

verify=None will be considered as verify=True by requests.

https://github.com/psf/requests/blob/9ed5db8ed28e816b597dafd328b342ec95466afa/requests/sessions.py#L389-L390

        #: SSL Verification default.
        self.verify = True

https://github.com/psf/requests/blob/9ed5db8ed28e816b597dafd328b342ec95466afa/requests/sessions.py#L710

        verify = merge_setting(verify, self.verify)

Possible solutions:

  • Azure Core needs to use the is not None approach for a more robust parameter resolution: 
    verify = kwargs.pop('connection_verify', None)
response = self.session.request(  # type: ignore
    ...
    verify=verify if verify is not None else self.connection_config.verify,
    @lmazuel
  • Azure Identity stops passing connection_verify=None when verify is not given. @chlowell

Metadata

Metadata

Assignees

Labels

Azure.IdentityClientThis issue points to a problem in the data-plane of the library.bugThis issue requires a change to an existing behavior in the product in order to be resolved.

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions