fix(authentication-azure): derive token scope from hostname, not netloc.#644
peombwa wants to merge 3 commits into
Conversation
Pull request overview
This PR fixes how AzureIdentityAccessTokenProvider.get_authorization_token() derives the default /.default OAuth scope by basing it on the request host (not netloc) and by avoiding caching the derived scope on the provider instance, preventing incorrect audiences and leakage of userinfo/ports into scopes and telemetry.
Changes:
- Derive the default scope from `urlparse(uri).hostname` per call (instead of `netloc` and caching into `self._scopes`).
- Add tests to ensure userinfo/port are stripped and that derived scopes are not reused across different hosts.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| packages/authentication/azure/kiota_authentication_azure/azure_identity_access_token_provider.py | Updates default scope derivation to use per-call hostname-based scope instead of cached netloc-derived scope. |
| packages/authentication/azure/tests/test_azure_identity_access_token_provider.py | Adds regression tests for stripping userinfo/port and ensuring derived scopes are not cached across hosts. |
Overview
Fixes a correctness bug in `AzureIdentityAccessTokenProvider.get_authorization_token()` where the default `.default` OAuth scope was derived from `urlparse(uri).netloc` instead of `.hostname`, and was cached on the provider instance.
Behaviors fixed
For a request URI passed to the auth provider:
| Request URI | Before | After |
|---|---|---|
| `https://graph.microsoft.com/v1.0/me` | `https://graph.microsoft.com/.default` | `https://graph.microsoft.com/.default` |
| `https://graph.microsoft.com:8443/v1.0/me` | `https://graph.microsoft.com:8443/.default` (rejected by Entra ID) | `https://graph.microsoft.com/.default` |
| `https://alice:secret@graph.microsoft.com/v1.0/me` | `https://alice:secret@graph.microsoft.com/.default` (creds sent to STS and written to OTel span) | `https://graph.microsoft.com/.default` |
| `https://graph.microsoft.us/...` after a first call to `https://graph.microsoft.com/...` | `https://graph.microsoft.com/.default` (sticky from first call) | `https://graph.microsoft.us/.default` |
Related Issue
Fixes # (issue)
Demo
Optional. Screenshots, `curl` examples, etc.
Notes
Related to MSRC case.
Testing Instructions
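The scope-derivation bug described in this PR, reconstructed as an added example that is not kiota-python's own code: a hypothetical "before" provider that builds the scope from `netloc` and caches it on the instance, next to an "after" provider that builds it from `hostname` on every call. The class names, the `_scopes` attribute, the exact f-strings and the `https`-only guard are assumptions; only the request URIs and the expected before/after scopes come from the table above. The example also goes slightly beyond the PR's cases by showing that `.hostname` lower-cases the host.

```python
"""Added example (not kiota-python's own code): the netloc-vs-hostname scope bug,
reconstructed as a hypothetical 'before' provider beside an 'after' provider.
Class names, the _scopes attribute, the f-strings and the https guard are
assumptions; the input/output pairs are the ones listed in the PR description."""
from urllib.parse import urlparse


class NetlocCachedScopeProvider:
    """Hypothetical 'before' behaviour: scheme + netloc, cached on the instance.

    netloc keeps userinfo (alice:secret@) and the port, so both end up in the
    scope string, and the cache makes the first host's scope sticky.
    """

    def __init__(self):
        self._scopes = []

    def scopes_for(self, uri):
        if not self._scopes:  # derived once, then reused for every later host
            parsed = urlparse(uri)
            self._scopes = [f"{parsed.scheme}://{parsed.netloc}/.default"]
        return self._scopes


class HostnameScopeProvider:
    """'After' behaviour: scheme + hostname, derived fresh on every call.

    urlparse(...).hostname drops userinfo and port (and lower-cases the host),
    so the scope names only the resource. The https check is an extra guard
    added in this example, not something the PR states.
    """

    def scopes_for(self, uri):
        parsed = urlparse(uri)
        if parsed.scheme != "https" or not parsed.hostname:
            raise ValueError(f"cannot derive a .default scope from {uri!r}")
        return [f"https://{parsed.hostname}/.default"]


def compare(uri):
    """(before, after) scope for one URI, each taken from a fresh provider."""
    before = NetlocCachedScopeProvider().scopes_for(uri)[0]
    after = HostnameScopeProvider().scopes_for(uri)[0]
    return before, after


def sticky_scope_demo():
    """Call .com first, then .us, on the same instance of each provider.

    Returns the scope each provider hands out for the second (.us) request.
    """
    first = "https://graph.microsoft.com/v1.0/me"
    second = "https://graph.microsoft.us/v1.0/me"
    legacy, fixed = NetlocCachedScopeProvider(), HostnameScopeProvider()
    legacy.scopes_for(first)
    fixed.scopes_for(first)
    return legacy.scopes_for(second)[0], fixed.scopes_for(second)[0]


def userinfo_leaks(scope):
    """True if a derived scope still carries credentials from the request URI."""
    return "@" in urlparse(scope).netloc


if __name__ == "__main__":
    # Constructed request URIs, taken from the cases in the PR description.
    for uri in (
        "https://graph.microsoft.com/v1.0/me",
        "https://graph.microsoft.com:8443/v1.0/me",
        "https://alice:secret@graph.microsoft.com/v1.0/me",
    ):
        before, after = compare(uri)
        print(f"{uri}\n  before: {before}\n  after:  {after}")
    print("second call to graph.microsoft.us (before, after):", sticky_scope_demo())
```

The `userinfo_leaks` check is the kind of assertion a regression test for the userinfo case can make directly on the derived scope, independent of what the STS or the OTel exporter would do with it.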