From 799c18f26fe4ad3854c374d9f8a899769905c363 Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Thu, 6 Nov 2025 08:43:09 +0000 Subject: [PATCH] chore(deps): update module github.com/azuread/microsoft-authentication-library-for-go to v1.6.0 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 +- .../apps/confidential/confidential.go | 103 +++++++++++++++++- .../apps/internal/base/base.go | 47 +++++--- .../apps/internal/base/storage/items.go | 17 ++- .../apps/internal/base/storage/storage.go | 51 ++++++--- .../oauth/ops/accesstokens/accesstokens.go | 17 +++ .../internal/oauth/ops/authority/authority.go | 84 +++++++++++--- .../apps/public/public.go | 4 +- vendor/modules.txt | 2 +- 10 files changed, 277 insertions(+), 54 deletions(-) diff --git a/go.mod b/go.mod index 9ee61b3cc..59cca87ad 100644 --- a/go.mod +++ b/go.mod @@ -37,7 +37,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect - github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect github.com/BurntSushi/toml v1.5.0 // indirect github.com/MakeNowJust/heredoc v1.0.0 // indirect github.com/Masterminds/goutils v1.1.1 // indirect diff --git a/go.sum b/go.sum index 21a3dbe81..31942665f 100644 --- a/go.sum +++ b/go.sum @@ -20,8 +20,8 @@ github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEK github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM= github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE= -github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 h1:XkkQbfMyuH2jTSjQjSoihryI8GINRcs4xp8lNawg0FI= -github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= +github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs= +github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg= github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go index 549d68ab9..29c004320 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go @@ -596,6 +596,11 @@ func (cca Client) AcquireTokenSilent(ctx context.Context, scopes []string, opts return AuthResult{}, errors.New("call another AcquireToken method to request a new token having these claims") } + // For service principal scenarios, require WithSilentAccount for public API + if o.account.IsZero() { + return AuthResult{}, errors.New("WithSilentAccount option is required") + } + silentParameters := base.AcquireTokenSilentParameters{ Scopes: scopes, Account: o.account, @@ -604,8 +609,15 @@ func (cca Client) AcquireTokenSilent(ctx context.Context, scopes []string, opts IsAppCache: o.account.IsZero(), TenantID: o.tenantID, AuthnScheme: o.authnScheme, + Claims: o.claims, } + return cca.acquireTokenSilentInternal(ctx, silentParameters) +} + +// acquireTokenSilentInternal is the internal implementation shared by AcquireTokenSilent and AcquireTokenByCredential +func (cca Client) acquireTokenSilentInternal(ctx context.Context, silentParameters base.AcquireTokenSilentParameters) (AuthResult, error) { + return cca.base.AcquireTokenSilent(ctx, silentParameters) } @@ -708,8 +720,10 @@ func (cca Client) AcquireTokenByAuthCode(ctx context.Context, code string, redir // acquireTokenByCredentialOptions contains optional configuration for AcquireTokenByCredential type acquireTokenByCredentialOptions struct { - claims, tenantID string - authnScheme AuthenticationScheme + claims, tenantID string + authnScheme AuthenticationScheme + extraBodyParameters map[string]string + cacheKeyComponents map[string]string } // AcquireByCredentialOption is implemented by options for AcquireTokenByCredential @@ -719,7 +733,7 @@ type AcquireByCredentialOption interface { // AcquireTokenByCredential acquires a security token from the authority, using the client credentials grant. // -// Options: [WithClaims], [WithTenantID] +// Options: [WithClaims], [WithTenantID], [WithFMIPath], [WithAttribute] func (cca Client) AcquireTokenByCredential(ctx context.Context, scopes []string, opts ...AcquireByCredentialOption) (AuthResult, error) { o := acquireTokenByCredentialOptions{} err := options.ApplyOptions(&o, opts) @@ -736,6 +750,29 @@ func (cca Client) AcquireTokenByCredential(ctx context.Context, scopes []string, if o.authnScheme != nil { authParams.AuthnScheme = o.authnScheme } + authParams.ExtraBodyParameters = o.extraBodyParameters + authParams.CacheKeyComponents = o.cacheKeyComponents + if o.claims == "" { + silentParameters := base.AcquireTokenSilentParameters{ + Scopes: scopes, + Account: Account{}, // empty account for app token + RequestType: accesstokens.ATConfidential, + Credential: cca.cred, + IsAppCache: true, + TenantID: o.tenantID, + AuthnScheme: o.authnScheme, + Claims: o.claims, + ExtraBodyParameters: o.extraBodyParameters, + CacheKeyComponents: o.cacheKeyComponents, + } + + // Use internal method with empty account (service principal scenario) + cache, err := cca.acquireTokenSilentInternal(ctx, silentParameters) + if err == nil { + return cache, nil + } + } + token, err := cca.base.Token.Credential(ctx, authParams, cca.cred) if err != nil { return AuthResult{}, err @@ -781,3 +818,63 @@ func (cca Client) Account(ctx context.Context, accountID string) (Account, error func (cca Client) RemoveAccount(ctx context.Context, account Account) error { return cca.base.RemoveAccount(ctx, account) } + +// WithFMIPath specifies the path to a federated managed identity. +// The path should point to a valid FMI configuration file that contains the necessary +// identity information for authentication. +func WithFMIPath(path string) interface { + AcquireByCredentialOption + options.CallOption +} { + return struct { + AcquireByCredentialOption + options.CallOption + }{ + CallOption: options.NewCallOption( + func(a any) error { + switch t := a.(type) { + case *acquireTokenByCredentialOptions: + if t.extraBodyParameters == nil { + t.extraBodyParameters = make(map[string]string) + } + if t.cacheKeyComponents == nil { + t.cacheKeyComponents = make(map[string]string) + } + t.cacheKeyComponents["fmi_path"] = path + t.extraBodyParameters["fmi_path"] = path + default: + return fmt.Errorf("unexpected options type %T", a) + } + return nil + }, + ), + } +} + +// WithAttribute specifies an identity attribute to include in the token request. +// The attribute is sent as "attributes" in the request body and returned as "xmc_attr" +// in the access token claims. This is sometimes used withFMIPath +func WithAttribute(attrValue string) interface { + AcquireByCredentialOption + options.CallOption +} { + return struct { + AcquireByCredentialOption + options.CallOption + }{ + CallOption: options.NewCallOption( + func(a any) error { + switch t := a.(type) { + case *acquireTokenByCredentialOptions: + if t.extraBodyParameters == nil { + t.extraBodyParameters = make(map[string]string) + } + t.extraBodyParameters["attributes"] = attrValue + default: + return fmt.Errorf("unexpected options type %T", a) + } + return nil + }, + ), + } +} diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go index 61c1c4cec..abf54f7e5 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go @@ -46,16 +46,18 @@ type accountManager interface { // AcquireTokenSilentParameters contains the parameters to acquire a token silently (from cache). type AcquireTokenSilentParameters struct { - Scopes []string - Account shared.Account - RequestType accesstokens.AppType - Credential *accesstokens.Credential - IsAppCache bool - TenantID string - UserAssertion string - AuthorizationType authority.AuthorizeType - Claims string - AuthnScheme authority.AuthenticationScheme + Scopes []string + Account shared.Account + RequestType accesstokens.AppType + Credential *accesstokens.Credential + IsAppCache bool + TenantID string + UserAssertion string + AuthorizationType authority.AuthorizeType + Claims string + AuthnScheme authority.AuthenticationScheme + ExtraBodyParameters map[string]string + CacheKeyComponents map[string]string } // AcquireTokenAuthCodeParameters contains the parameters required to acquire an access token using the auth code flow. @@ -327,7 +329,12 @@ func (b Client) AcquireTokenSilent(ctx context.Context, silent AcquireTokenSilen if silent.AuthnScheme != nil { authParams.AuthnScheme = silent.AuthnScheme } - + if silent.CacheKeyComponents != nil { + authParams.CacheKeyComponents = silent.CacheKeyComponents + } + if silent.ExtraBodyParameters != nil { + authParams.ExtraBodyParameters = silent.ExtraBodyParameters + } m := b.pmanager if authParams.AuthorizationType != authority.ATOnBehalfOf { authParams.AuthorizationType = authority.ATRefreshToken @@ -367,8 +374,19 @@ func (b Client) AcquireTokenSilent(ctx context.Context, silent AcquireTokenSilen // If the token is not same, we don't need to refresh it. // Which means it refreshed. if str, err := m.Read(ctx, authParams); err == nil && str.AccessToken.Secret == ar.AccessToken { - if tr, er := b.Token.Credential(ctx, authParams, silent.Credential); er == nil { - return b.AuthResultFromToken(ctx, authParams, tr) + switch silent.RequestType { + case accesstokens.ATConfidential: + if tr, er := b.Token.Credential(ctx, authParams, silent.Credential); er == nil { + return b.AuthResultFromToken(ctx, authParams, tr) + } + case accesstokens.ATPublic: + token, err := b.Token.Refresh(ctx, silent.RequestType, authParams, silent.Credential, storageTokenResponse.RefreshToken) + if err != nil { + return ar, err + } + return b.AuthResultFromToken(ctx, authParams, token) + case accesstokens.ATUnknown: + return ar, errors.New("silent request type cannot be ATUnknown") } } } @@ -446,6 +464,9 @@ func (b Client) AcquireTokenOnBehalfOf(ctx context.Context, onBehalfOfParams Acq authParams.Claims = onBehalfOfParams.Claims authParams.Scopes = onBehalfOfParams.Scopes authParams.UserAssertion = onBehalfOfParams.UserAssertion + if authParams.ExtraBodyParameters != nil { + authParams.ExtraBodyParameters = silentParameters.ExtraBodyParameters + } token, err := b.Token.OnBehalfOf(ctx, authParams, onBehalfOfParams.Credential) if err == nil { ar, err = b.AuthResultFromToken(ctx, authParams, token) diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/items.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/items.go index 7379e2233..b7d1a670b 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/items.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/items.go @@ -79,6 +79,7 @@ type AccessToken struct { UserAssertionHash string `json:"user_assertion_hash,omitempty"` TokenType string `json:"token_type,omitempty"` AuthnSchemeKeyID string `json:"keyid,omitempty"` + ExtCacheKey string `json:"ext_cache_key,omitempty"` AdditionalFields map[string]interface{} } @@ -105,15 +106,21 @@ func NewAccessToken(homeID, env, realm, clientID string, cachedAt, refreshOn, ex // Key outputs the key that can be used to uniquely look up this entry in a map. func (a AccessToken) Key() string { ks := []string{a.HomeAccountID, a.Environment, a.CredentialType, a.ClientID, a.Realm, a.Scopes} - key := strings.Join( - ks, - shared.CacheKeySeparator, - ) + // add token type to key for new access tokens types. skip for bearer token type to // preserve fwd and back compat between a common cache and msal clients if !strings.EqualFold(a.TokenType, authority.AccessTokenTypeBearer) { - key = strings.Join([]string{key, a.TokenType}, shared.CacheKeySeparator) + ks = append(ks, a.TokenType) } + // add extra body param hash to key if present + if a.ExtCacheKey != "" { + ks[2] = "atext" // if the there is extra cache we add "atext" to the key replacing accesstoken + ks = append(ks, a.ExtCacheKey) + } + key := strings.Join( + ks, + shared.CacheKeySeparator, + ) return strings.ToLower(key) } diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go index 84a234967..825d8a0f6 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go @@ -135,7 +135,8 @@ func (m *Manager) Read(ctx context.Context, authParameters authority.AuthParams) aliases = metadata.Aliases } - accessToken := m.readAccessToken(homeAccountID, aliases, realm, clientID, scopes, tokenType, authnSchemeKeyID) + accessToken := m.readAccessToken(homeAccountID, aliases, realm, clientID, scopes, tokenType, authnSchemeKeyID, authParameters.CacheExtKeyGenerator()) + tr.AccessToken = accessToken if homeAccountID == "" { @@ -203,6 +204,7 @@ func (m *Manager) Write(authParameters authority.AuthParams, tokenResponse acces authnSchemeKeyID, ) + accessToken.ExtCacheKey = authParameters.CacheExtKeyGenerator() // Since we have a valid access token, cache it before moving on. if err := accessToken.Validate(); err == nil { if err := m.writeAccessToken(accessToken); err != nil { @@ -291,26 +293,49 @@ func (m *Manager) aadMetadata(ctx context.Context, authorityInfo authority.Info) return m.aadCache[authorityInfo.Host], nil } -func (m *Manager) readAccessToken(homeID string, envAliases []string, realm, clientID string, scopes []string, tokenType, authnSchemeKeyID string) AccessToken { +func (m *Manager) readAccessToken(homeID string, envAliases []string, realm, clientID string, scopes []string, tokenType, authnSchemeKeyID, extCacheKey string) AccessToken { m.contractMu.RLock() - // TODO: linear search (over a map no less) is slow for a large number (thousands) of tokens. - // this shows up as the dominating node in a profile. for real-world scenarios this likely isn't - // an issue, however if it does become a problem then we know where to look. - for k, at := range m.contract.AccessTokens { + + tokensToSearch := m.contract.AccessTokens + + for k, at := range tokensToSearch { + // TODO: linear search (over a map no less) is slow for a large number (thousands) of tokens. + // this shows up as the dominating node in a profile. for real-world scenarios this likely isn't + // an issue, however if it does become a problem then we know where to look. if at.HomeAccountID == homeID && at.Realm == realm && at.ClientID == clientID { - if (strings.EqualFold(at.TokenType, tokenType) && at.AuthnSchemeKeyID == authnSchemeKeyID) || (at.TokenType == "" && (tokenType == "" || tokenType == "Bearer")) { - if checkAlias(at.Environment, envAliases) && isMatchingScopes(scopes, at.Scopes) { - m.contractMu.RUnlock() - if needsUpgrade(k) { - m.contractMu.Lock() - defer m.contractMu.Unlock() - at = upgrade(m.contract.AccessTokens, k) + // Match token type and authentication scheme + tokenTypeMatch := (strings.EqualFold(at.TokenType, tokenType) && at.AuthnSchemeKeyID == authnSchemeKeyID) || + (at.TokenType == "" && (tokenType == "" || tokenType == "Bearer")) + environmentAndScopesMatch := checkAlias(at.Environment, envAliases) && isMatchingScopes(scopes, at.Scopes) + + if tokenTypeMatch && environmentAndScopesMatch { + // For hashed tokens, check that the key contains the hash + if extCacheKey != "" { + if !strings.Contains(k, extCacheKey) { + continue // Skip this token if the key doesn't contain the hash + } + } else { + // If no extCacheKey is provided, only match tokens that also have no extCacheKey + if at.ExtCacheKey != "" { + continue // Skip tokens that require a hash when no hash is provided } + } + // Handle token upgrade if needed + if needsUpgrade(k) { + m.contractMu.RUnlock() + m.contractMu.Lock() + at = upgrade(tokensToSearch, k) + m.contractMu.Unlock() return at } + + m.contractMu.RUnlock() + return at } } } + + // No token found, unlock and return empty token m.contractMu.RUnlock() return AccessToken{} } diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/accesstokens.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/accesstokens.go index d738c7591..481f9e434 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/accesstokens.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/accesstokens.go @@ -281,6 +281,9 @@ func (c Client) FromClientSecret(ctx context.Context, authParameters authority.A qv.Set(clientID, authParameters.ClientID) addScopeQueryParam(qv, authParameters) + // Add extra body parameters if provided + addExtraBodyParameters(ctx, qv, authParameters) + return c.doTokenResp(ctx, authParameters, qv) } @@ -296,6 +299,9 @@ func (c Client) FromAssertion(ctx context.Context, authParameters authority.Auth qv.Set(clientInfo, clientInfoVal) addScopeQueryParam(qv, authParameters) + // Add extra body parameters if provided + addExtraBodyParameters(ctx, qv, authParameters) + return c.doTokenResp(ctx, authParameters, qv) } @@ -329,6 +335,8 @@ func (c Client) FromUserAssertionClientCertificate(ctx context.Context, authPara qv.Set("requested_token_use", "on_behalf_of") addScopeQueryParam(qv, authParameters) + // Add extra body parameters if provided + addExtraBodyParameters(ctx, qv, authParameters) return c.doTokenResp(ctx, authParameters, qv) } @@ -466,3 +474,12 @@ func addScopeQueryParam(queryParams url.Values, authParameters authority.AuthPar scopes := AppendDefaultScopes(authParameters) queryParams.Set("scope", strings.Join(scopes, " ")) } + +// addExtraBodyParameters evaluates and adds extra body parameters to the request +func addExtraBodyParameters(ctx context.Context, v url.Values, ap authority.AuthParams) { + for key, value := range ap.ExtraBodyParameters { + if value != "" { + v.Set(key, value) + } + } +} diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go index 3f4037464..debd465db 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go @@ -15,6 +15,7 @@ import ( "net/url" "os" "path" + "sort" "strings" "time" @@ -47,6 +48,8 @@ type jsonCaller interface { } // For backward compatibility, accept both old and new China endpoints for a transition period. +// This list is derived from the AAD instance discovery metadata and represents all known trusted hosts +// across different Azure clouds (Public, China, Germany, US Government, etc.) var aadTrustedHostList = map[string]bool{ "login.windows.net": true, // Microsoft Azure Worldwide - Used in validation scenarios where host is not this list "login.partner.microsoftonline.cn": true, // Microsoft Azure China (new) @@ -55,6 +58,9 @@ var aadTrustedHostList = map[string]bool{ "login-us.microsoftonline.com": true, // Microsoft Azure US Government - Legacy "login.microsoftonline.us": true, // Microsoft Azure US Government "login.microsoftonline.com": true, // Microsoft Azure Worldwide + "login.microsoft.com": true, + "sts.windows.net": true, + "login.usgovcloudapi.net": true, } // TrustedHost checks if an AAD host is trusted/valid. @@ -103,36 +109,46 @@ func (r *TenantDiscoveryResponse) Validate() error { // ValidateIssuerMatchesAuthority validates that the issuer in the TenantDiscoveryResponse matches the authority. // This is used to identity security or configuration issues in authorities and the OIDC endpoint func (r *TenantDiscoveryResponse) ValidateIssuerMatchesAuthority(authorityURI string, aliases map[string]bool) error { - if authorityURI == "" { return errors.New("TenantDiscoveryResponse: empty authorityURI provided for validation") } + if r.Issuer == "" { + return errors.New("TenantDiscoveryResponse: empty issuer in response") + } - // Parse the issuer URL issuerURL, err := url.Parse(r.Issuer) if err != nil { return fmt.Errorf("TenantDiscoveryResponse: failed to parse issuer URL: %w", err) } + authorityURL, err := url.Parse(authorityURI) + if err != nil { + return fmt.Errorf("TenantDiscoveryResponse: failed to parse authority URL: %w", err) + } + + // Fast path: exact scheme + host match + if issuerURL.Scheme == authorityURL.Scheme && issuerURL.Host == authorityURL.Host { + return nil + } - // Even if it doesn't match the authority, issuers from known and trusted hosts are valid + // Alias-based acceptance if aliases != nil && aliases[issuerURL.Host] { return nil } - // Parse the authority URL for comparison - authorityURL, err := url.Parse(authorityURI) - if err != nil { - return fmt.Errorf("TenantDiscoveryResponse: failed to parse authority URL: %w", err) + issuerHost := issuerURL.Host + authorityHost := authorityURL.Host + + // Accept if issuer host is trusted + if TrustedHost(issuerHost) { + return nil } - // Check if the scheme and host match (paths can be ignored when validating the issuer) - if issuerURL.Scheme == authorityURL.Scheme && issuerURL.Host == authorityURL.Host { + // Accept if authority is a regional variant ending with "." + if strings.HasSuffix(authorityHost, "."+issuerHost) { return nil } - // If we get here, validation failed - return fmt.Errorf("TenantDiscoveryResponse: issuer from OIDC discovery '%s' does not match authority '%s' or a known pattern", - r.Issuer, authorityURI) + return fmt.Errorf("TenantDiscoveryResponse: issuer '%s' does not match authority '%s' or any trusted/alias rule", r.Issuer, authorityURI) } type InstanceDiscoveryMetadata struct { @@ -256,6 +272,12 @@ type AuthParams struct { DomainHint string // AuthnScheme is an optional scheme for formatting access tokens AuthnScheme AuthenticationScheme + // ExtraBodyParameters are additional parameters to include in token requests. + // The functions are evaluated at request time to get the parameter values. + // These parameters are also included in the cache key. + ExtraBodyParameters map[string]string + // CacheKeyComponents are additional components to include in the cache key. + CacheKeyComponents map[string]string } // NewAuthParams creates an authorization parameters object. @@ -642,8 +664,42 @@ func (a *AuthParams) AssertionHash() string { } func (a *AuthParams) AppKey() string { + baseKey := a.ClientID + "_" if a.AuthorityInfo.Tenant != "" { - return fmt.Sprintf("%s_%s_AppTokenCache", a.ClientID, a.AuthorityInfo.Tenant) + baseKey += a.AuthorityInfo.Tenant + } + + // Include extra body parameters in the cache key + paramHash := a.CacheExtKeyGenerator() + if paramHash != "" { + baseKey = fmt.Sprintf("%s_%s", baseKey, paramHash) + } + + return baseKey + "_AppTokenCache" +} + +// CacheExtKeyGenerator computes a hash of the Cache key components key and values +// to include in the cache key. This ensures tokens acquired with different +// parameters are cached separately. +func (a *AuthParams) CacheExtKeyGenerator() string { + if len(a.CacheKeyComponents) == 0 { + return "" + } + + // Sort keys to ensure consistent hashing + keys := make([]string, 0, len(a.CacheKeyComponents)) + for k := range a.CacheKeyComponents { + keys = append(keys, k) } - return fmt.Sprintf("%s__AppTokenCache", a.ClientID) + sort.Strings(keys) + + // Create a string by concatenating key+value pairs + keyStr := "" + for _, key := range keys { + // Append key followed by its value with no separator + keyStr += key + a.CacheKeyComponents[key] + } + + hash := sha256.Sum256([]byte(keyStr)) + return strings.ToLower(base64.RawURLEncoding.EncodeToString(hash[:])) } diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go index 7beed2617..797c086cb 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go @@ -368,9 +368,9 @@ type AcquireByUsernamePasswordOption interface { acquireByUsernamePasswordOption() } -// AcquireTokenByUsernamePassword acquires a security token from the authority, via Username/Password Authentication. -// NOTE: this flow is NOT recommended. +// Deprecated: This API will be removed in a future release. Use a more secure flow instead. Follow this migration guide: https://aka.ms/msal-ropc-migration // +// AcquireTokenByUsernamePassword acquires a security token from the authority, via Username/Password Authentication. // Options: [WithClaims], [WithTenantID] func (pca Client) AcquireTokenByUsernamePassword(ctx context.Context, scopes []string, username, password string, opts ...AcquireByUsernamePasswordOption) (AuthResult, error) { o := acquireTokenByUsernamePasswordOptions{} diff --git a/vendor/modules.txt b/vendor/modules.txt index c7dacf05c..b4ab3e7a1 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -48,7 +48,7 @@ github.com/Azure/azure-sdk-for-go/sdk/internal/uuid ## explicit; go 1.16 github.com/Azure/go-ansiterm github.com/Azure/go-ansiterm/winterm -# github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 +# github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 ## explicit; go 1.18 github.com/AzureAD/microsoft-authentication-library-for-go/apps/cache github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential