-
Notifications
You must be signed in to change notification settings - Fork 208
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IDownstreamApi handles Continuous Access Evaluation (CAE) #2616
Conversation
src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs
Outdated
Show resolved
Hide resolved
tests/Microsoft.Identity.Web.Test.Integration/DownstreamApiForAppCaeTests.cs
Outdated
Show resolved
Hide resolved
tests/Microsoft.Identity.Web.Test.Integration/DownstreamApiForAppCaeTests.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🕐
doesn't seem to be the right approach and would prefer to have E2E test working before we merge.
I've reduced the scope of this PR. It doesn't set CAE flag by default; it only retries downstream API requests if the first response was 401 and contains claims. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There is one question that needs to be solved (do not extract the claims if we don't have a 401)?
src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
thanks @pmaytak
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Completes (partially) #2550
Changes:
IDownstreamApi
for user and app requests. If the resource returns a 401 error, use claims to get a new token and call the resource again.As per offline discussion, users will have to add client capabilities, which can be done like so:
Tests:
/me
endpoint for user flow,/users
endpoint for app flow using the client and service dev apps.Test scenarios:
Manual test steps:
Testing user flow:
await _downstreamApi.GetForUserAsync<TestPoco>("GraphUser", options => options.RelativePath = "me");
5 Internally Id Web uses the user token from the cache and calls Graph with it.
10 Internally Id Web will use the cached token and call Graph with it.
Testing client credentials:
await _downstreamApi.GetForAppAsync<TestPoco>("GraphApp", options => options.RelativePath = "users");