[Key Vault] Add support for multi-tenant authentication#21290

Merged

mccoyp merged 15 commits intoAzure:mainfrom

mccoyp:kv-multitenant

Nov 10, 2021

Member

mccoyp commented Oct 15, 2021 •

edited

Loading

Resolves #20698.

Context: now that azure-identity supports providing a tenant ID to token requests, we can allow Key Vault clients to make use of tenant discovery. This updates the challenge authentication policy to parse out the tenant ID provided in a challenge and authenticate requests with that tenant. Based off of work Charles did in his fork of the repo, this also updates the challenge auth policy to inherit from azure-core's BearerTokenCredentialPolicy instead of re-implementing the wheel. As a result, doing so also requires azure-core >= 1.15.0 (see changelog).

mccoyp added KeyVault Client labels

mccoyp changed the title ~~[Key Vault] Add support for multitenant authentication~~ [Key Vault] Add support for multi-tenant authentication

mccoyp added 4 commits

November 4, 2021 17:40


          Added support in keys

bc7c6e9


          Update policies in certs, secrets

0b999e6


          Add live tests

9c4f089


          Use BearerTokenCredentialPolicy

e50dfb1

mccoyp force-pushed the kv-multitenant branch from 882eae0 to e50dfb1 Compare

November 5, 2021 01:38

mccoyp requested review from YalinLi0312, chlowell and xiangyan99

November 5, 2021 01:41

xiangyan99 reviewed

View reviewed changes

...yvault-administration/azure/keyvault/administration/_internal/async_challenge_auth_policy.py



		class AsyncChallengeAuthPolicy(ChallengeAuthPolicyBase, AsyncHTTPPolicy):
		class AsyncChallengeAuthPolicy(AsyncBearerTokenCredentialPolicy):

Member

xiangyan99 Nov 5, 2021

Could you give more context about this change?

Member Author

mccoyp Nov 5, 2021

Just updated the PR description with more context!

mccoyp requested a review from xiangyan99

November 5, 2021 16:36

mccoyp added 2 commits

November 5, 2021 09:48


          Tenant discovery on by default

c3f17b9


          Test recordings

788bd24

mccoyp marked this pull request as ready for review

November 5, 2021 16:56

mccoyp requested a review from schaabs as a code owner

November 5, 2021 16:56

mccoyp added 2 commits

November 5, 2021 11:14


          Fix tests for playback issues/updates

757368b


          Update shared_requirements for core

f4a7203

chlowell reviewed

View reviewed changes

...yvault-administration/azure/keyvault/administration/_internal/async_challenge_auth_policy.py Outdated Show resolved Hide resolved

...ault/azure-keyvault-administration/azure/keyvault/administration/_internal/http_challenge.py Outdated Show resolved Hide resolved


          Better parsing, remove _last_tenant_id

697f1f0

mccoyp requested a review from chlowell

November 6, 2021 00:50

chlowell reviewed

View reviewed changes

sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/async_challenge_auth_policy.py Outdated Show resolved Hide resolved


          Handle token requests w/ cached challenge

9b951a8

mccoyp requested a review from chlowell

November 9, 2021 00:09

mccoyp added 2 commits

November 8, 2021 16:12


          Changes in all packages

0c583c5


          mypy/pylint

c323d13

chlowell reviewed

View reviewed changes

...yvault-administration/azure/keyvault/administration/_internal/async_challenge_auth_policy.py Outdated Show resolved Hide resolved

...yvault-administration/azure/keyvault/administration/_internal/async_challenge_auth_policy.py Outdated Show resolved Hide resolved


          Remove extra response handling

e7be78f

mccoyp requested a review from chlowell

November 9, 2021 19:49

chlowell reviewed

View reviewed changes

sdk/keyvault/azure-keyvault-certificates/CHANGELOG.md Outdated Show resolved Hide resolved

...ure-keyvault-certificates/azure/keyvault/certificates/_shared/async_challenge_auth_policy.py Outdated Show resolved Hide resolved

...yvault-administration/azure/keyvault/administration/_internal/async_challenge_auth_policy.py Outdated Show resolved Hide resolved


          readme; cleaner parent class division

d47cb3f

mccoyp requested a review from chlowell

November 9, 2021 23:21

mccoyp commented

View reviewed changes

...yvault-administration/azure/keyvault/administration/_internal/async_challenge_auth_policy.py

                   """policy for handling HTTP authentication challenges"""
-                  def __init__(self, credential: "AsyncTokenCredential", **kwargs: "Any") -> None:
+                  def __init__(self, credential: "AsyncTokenCredential", *scopes: str, **kwargs: "Any") -> None:

Member Author

mccoyp Nov 9, 2021

I added an __init__ back in because _need_new_token made me realize that we shouldn't add any dependencies on private parent class fields. I had been referencing self._credential and self._token from the parent class before

...yvault-administration/azure/keyvault/administration/_internal/async_challenge_auth_policy.py

+                  @property
+                  def _need_new_token(self) -> bool:
+                      # pylint:disable=invalid-overridden-method

Member Author

mccoyp Nov 9, 2021

I debated internally a bit over adding this override as a property. I suppressed this warning because the situation in azure-core is likely unintentional, where _need_new_token is a property for BearerTokenCredentialPolicy but a method for AsyncBearerTokenCredentialPolicy. Assuming that will be changed in the future, we can remove this suppression, but I figured that makes more sense than re-implementing the property/method pattern here for the sake of consistency

chlowell approved these changes

View reviewed changes

...ure-keyvault-administration/azure/keyvault/administration/_internal/challenge_auth_policy.py Outdated Show resolved Hide resolved

sdk/keyvault/azure-keyvault-keys/CHANGELOG.md Outdated Show resolved Hide resolved

sdk/keyvault/azure-keyvault-secrets/CHANGELOG.md Outdated Show resolved Hide resolved

sdk/keyvault/azure-keyvault-certificates/CHANGELOG.md Outdated Show resolved Hide resolved


          Thanks, Charles!

241de3f

mccoyp merged commit 0a0cc97 into Azure:main

mccoyp deleted the kv-multitenant branch

November 10, 2021 17:52

iscai-msft added a commit to iscai-msft/azure-sdk-for-python that referenced this pull request


          Merge branch 'main' of https://github.com/Azure/azure-sdk-for-python …

fbb680e

…into add_webpubsub_tests

* 'main' of https://github.com/Azure/azure-sdk-for-python:
  [Key Vault] Add support for multi-tenant authentication (Azure#21290)
  [webpubsub] regen with hub as a client parameter (Azure#21688)
  update automatic close mechanism (Azure#21580)
  [Test Proxy] Add fixture to automatically start/stop Docker container (Azure#21538)
  Update Monitor Query API ref link (Azure#21683)
  Migration Guide from Azure-loganalytics (Azure#21674)
  Update docs for Web PubSub GA (Azure#21659)
  Update CHANGELOG.md (Azure#21681)
  Increment version for formrecognizer releases (Azure#21678)
  Increment version for videoanalyzer releases (Azure#21455)
  Increment version for cognitivelanguage releases (Azure#21566)
  Increment version for storage releases (Azure#21652)
  Increment version for communication releases (Azure#21667)
  raise decode error instead of ContentDecodingError (Azure#19433)
  Update CHANGELOG.md (Azure#21679)
  resolve mac agent failure (Azure#21677)
  Re-add get-codeowners.ps1 (Azure#21676)
  [SchemaRegistry] remove schema prefix in params (Azure#21675)
  Validate python docs packages using docker (Azure#21657)
  update git helper (Azure#21670)

jiasli mentioned this pull request

{Keyvault} Pin azure-keyvault-keys==4.5.0b4 Azure/azure-cli#20880

Merged

This was referenced Feb 10, 2022

{Core} Discard tenant_id in get_token Azure/azure-cli#21244

Merged

[Feature Request] Support tenant_id kwarg in get_token Azure/azure-cli#21289

Open

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Client KeyVault