[Identity] Update instance discovery error message (#36932)
Signed-off-by: Paul Van Eck <paulvaneck@microsoft.com>
pvaneck authored Sep 13, 2024
1 parent c78042e commit b2043fa
Showing 2 changed files with 45 additions and 12 deletions.
@@ -32,7 +32,7 @@ def __init__(
disable_instance_discovery: Optional[bool] = None,
tenant_id: Optional[str] = None,
enable_support_logging: Optional[bool] = None,
**kwargs: Any
**kwargs: Any,
) -> None:
self._instance_discovery = None if disable_instance_discovery is None else not disable_instance_discovery
self._authority = normalize_authority(authority) if authority else get_default_authority()
@@ -104,17 +104,26 @@ def _get_app(self, **kwargs: Any) -> msal.ClientApplication:
token_cache = self._initialize_cache(is_cae=bool(kwargs.get("enable_cae")))

if tenant_id not in client_applications_map:
client_applications_map[tenant_id] = app_class(
client_id=self._client_id,
client_credential=self._client_credential,
client_capabilities=capabilities,
authority="{}/{}".format(self._authority, tenant_id),
azure_region=self._regional_authority,
token_cache=token_cache,
http_client=self._client,
instance_discovery=self._instance_discovery,
enable_pii_log=self._enable_support_logging,
)
try:
client_applications_map[tenant_id] = app_class(
client_id=self._client_id,
client_credential=self._client_credential,
client_capabilities=capabilities,
authority="{}/{}".format(self._authority, tenant_id),
azure_region=self._regional_authority,
token_cache=token_cache,
http_client=self._client,
instance_discovery=self._instance_discovery,
enable_pii_log=self._enable_support_logging,
)
except ValueError as ex:
if "invalid_instance" in str(ex):
raise ValueError( # pylint: disable=raise-missing-from
f"The authority provided, {self._authority}, is not well-known. If this authority is valid "
"and trustworthy, you can disable this check by passing in "
"'disable_instance_discovery=True' when constructing the credential."
)
raise

return client_applications_map[tenant_id]
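Review bot: The `ValueError` raised from the new `except ValueError` branch in `_get_app` tells the caller how to switch off authority validation but not what that costs: going by the test comment in this commit, with `disable_instance_discovery=True` the authority is no longer validated and is used as given, so requests go to whatever host was configured. A comment above the `raise` would record that, e.g. `# Suggest the opt-out only for an authority taken from trusted configuration; with discovery disabled the host is not validated.`, and the message could say the same. The test `"invalid_instance" in str(ex)` depends on the wording of the upstream error text, so it is worth a comment that the bare `raise` is the fallback if that wording changes. `raise ValueError(...) from ex` would keep the original error as the explicit cause instead of suppressing `raise-missing-from`. `_get_app` begins before this hunk, so how `tenant_id` and `app_class` are chosen is not visible here.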

24 changes: 24 additions & 0 deletions sdk/identity/azure-identity/tests/test_instance_discovery.py
@@ -2,7 +2,10 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
# ------------------------------------
import pytest

from azure.identity._internal.msal_credentials import MsalCredential
from azure.core.exceptions import ServiceRequestError


def test_instance_discovery():
@@ -19,3 +22,24 @@ def test_instance_discovery():
)
app = credential._get_app()
assert app._instance_discovery


def test_unknown_authority():
credential = MsalCredential(
client_id="CLIENT_ID",
authority="unknown.authority",
)
with pytest.raises(ValueError) as ex:
credential._get_app()
assert "disable_instance_discovery" in str(ex)

credential = MsalCredential(
client_id="CLIENT_ID",
authority="unknown.authority",
disable_instance_discovery=True,
)

with pytest.raises(ServiceRequestError):
# Instance discovery is disabled, so the credential should not attempt to validate the authority, and instead
# attempt to use the authority as given. This is fail since unknown.authority is not resolvable.
credential._get_app()
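Review bot: In `test_unknown_authority` the check `assert "disable_instance_discovery" in str(ex)` inspects the `pytest.raises` context object rather than the exception, so it depends on how pytest renders that wrapper; `str(ex.value)`, or `pytest.raises(ValueError, match="disable_instance_discovery")`, asserts on the message itself. Indentation is not visible on this page, so it is also worth confirming the assert sits after the `with` block and not inside it, where it would never run. The second half expects `ServiceRequestError` because `unknown.authority` does not resolve, which makes the test depend on live name resolution; a reserved name such as `unknown.invalid` would presumably give the same result without relying on an unregistered domain. The inline comment says "This is fail" where `This will fail` is presumably meant.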
