Fix authentication with client secret (#1300)

* Fix authenticatio
2025-06-16 20:08:09 +00:00 · 2021-09-29 15:56:32 -07:00
parent fb29d8946a
commit ddd82f9931
1 changed files with 10 additions and 4 deletions
--- a/src/cli/onefuzz/backend.py
+++ b/src/cli/onefuzz/backend.py
@ -178,11 +178,14 @@ class Backend:
            endpoint = urlparse(self.config.endpoint).netloc.split(".")[0]
            scopes = [
                f"api://{self.config.tenant_domain}/{endpoint}/.default",
-                f"https://{self.config.tenant_domain}/{endpoint}/.default",
+                f"https://{self.config.tenant_domain}/{endpoint}/.default",  # before 3.0.0 release
            ]
        else:
            netloc = urlparse(self.config.endpoint).netloc
-            scopes = [f"api://{netloc}/.default", f"https://{netloc}/.default"]
+            scopes = [
+                f"api://{netloc}/.default",
+                f"https://{netloc}/.default",  # before 3.0.0 release
+            ]

        if self.config.client_secret:
            return self.client_secret(scopes)
@ -197,13 +200,16 @@ class Backend:
                token_cache=self.token_cache,
            )

+        # try each scope until we successfully get an access token
        for scope in scopes:
            result = self.app.acquire_token_for_client(scopes=[scope])
+            if "error" not in result:
+                break
+
            # AADSTS500011: The resource principal named ... was not found in the tenant named ...
            # This error is caused by a by mismatch between the identifierUr and the scope provided in the request.
-            if "error" in result and "AADSTS500011" in result["error_description"]:
+            if "AADSTS500011" in result["error_description"]:
                LOGGER.warning(f"failed to get access token with scope {scope}")
-                continue

        if "error" in result:
            raise Exception(