ExternalVendorCode/onefuzz
1
0
Fork 0
mirror of https://github.com/microsoft/onefuzz.git synced 2025-06-14 11:08:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Move to using api:// for AAD Application "identifier uris" (#1243)

Browse Source
This commit is contained in:
Stas
2021-09-17 11:04:19 -07:00
committed by GitHub
parent 3f891e5572
commit 2e267a894f
4 changed files with 108 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
src/deployment/deploy.py
View File

@ -310,7 +310,7 @@ class Client:
params = ApplicationCreateParameters(
display_name=self.application_name,
identifier_uris=[url],
identifier_uris=[f"api://{self.application_name}.azurewebsites.net"],
reply_urls=[url + "/.auth/login/aad/callback"],
optional_claims=OptionalClaims(id_token=[], access_token=[]),
required_resource_access=[
@ -362,6 +362,22 @@ class Client:
else:
app = existing[0]
if self.multi_tenant_domain:
api_id = "api://%s/%s" % (
self.multi_tenant_domain,
self.application_name,
)
else:
api_id = "api://%s.azurewebsites.net" % self.application_name
if api_id not in app.identifier_uris:
identifier_uris = app.identifier_uris
identifier_uris.append(api_id)
client.applications.patch(
app.object_id,
ApplicationUpdateParameters(identifier_uris=identifier_uris),
)
existing_role_values = [app_role.value for app_role in app.app_roles]
has_missing_roles = any(
[role.value not in existing_role_values for role in app_roles]
@ -383,23 +399,12 @@ class Client:
)
if self.multi_tenant_domain and app.sign_in_audience == "AzureADMyOrg":
url = "https://%s/%s" % (
self.multi_tenant_domain,
self.application_name,
)
client.applications.patch(
app.object_id, ApplicationUpdateParameters(identifier_uris=[url])
)
set_app_audience(app.object_id, "AzureADMultipleOrgs")
elif (
not self.multi_tenant_domain
and app.sign_in_audience == "AzureADMultipleOrgs"
):
set_app_audience(app.object_id, "AzureADMyOrg")
url = "https://%s.azurewebsites.net" % self.application_name
client.applications.patch(
app.object_id, ApplicationUpdateParameters(identifier_uris=[url])
)
else:
logger.debug("No change to App Registration signInAudence setting")
@ -471,20 +476,31 @@ class Client:
if self.multi_tenant_domain:
# clear the value in the Issuer Url field:
# https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient-enterpriseapi-multitenant
app_func_audience = "https://%s/%s" % (
self.multi_tenant_domain,
self.application_name,
)
app_func_audiences = [
"api://%s/%s"
% (
self.multi_tenant_domain,
self.application_name,
),
"https://%s/%s"
% (
self.multi_tenant_domain,
self.application_name,
),
]
app_func_issuer = ""
multi_tenant_domain = {"value": self.multi_tenant_domain}
else:
app_func_audience = "https://%s.azurewebsites.net" % self.application_name
app_func_audiences = [
"api://%s.azurewebsites.net" % self.application_name,
"https://%s.azurewebsites.net" % self.application_name,
]
tenant_oid = str(self.cli_config["authority"]).split("/")[-1]
app_func_issuer = "https://sts.windows.net/%s/" % tenant_oid
multi_tenant_domain = {"value": ""}
params = {
"app_func_audience": {"value": app_func_audience},
"app_func_audiences": {"value": app_func_audiences},
"name": {"value": self.application_name},
"owner": {"value": self.owner},
"clientId": {"value": self.results["client_id"]},