Update default scope string. #133 #131 (#134)

mgreisen · web-flow · commit aa3acaa18f99 · 2021-02-19T13:15:12.000-08:00
diff --git a/cli/raft-tools/auth/node-js/msal/msal_token.js b/cli/raft-tools/auth/node-js/msal/msal_token.js
@@ -1,7 +1,7 @@
 'use strict';
 var msal = require('@azure/msal-node');
 
-function get_token(client_id, tenant_id, secret, scopes, authority_uri, callback) {
+function get_token(client_id, tenant_id, secret, scopes, authority_uri, callback, audience) {
     let authority;
     if (authority_uri) {
         authority = authority_uri + '/' + tenant_id;
@@ -11,7 +11,12 @@ function get_token(client_id, tenant_id, secret, scopes, authority_uri, callback
     }
 
     if (!scopes) {
-        scopes = [client_id + "/.default"];
+        if (!audience) {
+            scopes = [client_id + "/.default"];
+        }
+        else {
+            scopes = [audience + "/.default"];
+        }
     }
 
     const msalConfig = {
@@ -48,7 +53,7 @@ exports.tokenFromEnvVariable = function (env_variable_name, callback) {
     let auth = JSON.parse(process.env["RAFT_" + env_variable_name] || process.env[env_variable_name]);
     if (auth) {
         console.log("Getting MSAL token");
-        get_token(auth['client'], auth['tenant'], auth['secret'], auth['scopes'], auth['authorityUri'], callback);
+        get_token(auth['client'], auth['tenant'], auth['secret'], auth['scopes'], auth['authorityUri'], callback, auth['audience']);
     }
     else {
         callback(new Error("Authentication parameters are not set in environment variable " + env_variable_name));
diff --git a/cli/raft-tools/auth/python3/msal/msal_token.py b/cli/raft-tools/auth/python3/msal/msal_token.py
@@ -3,24 +3,29 @@
 import json
 import sys
 
-def get_token(client_id, tenant_id, secret, scopes, authority_uri):
+def get_token(client_id, tenant_id, secret, scopes, authority_uri, audience):
 
     if authority_uri:
         authority = f"{authority_uri}/{tenant_id}"
     else:
         authority = f"https://login.microsoftonline.com/{tenant_id}"
 
     if not scopes:
-        scopes = [f"{client_id}/.default"]
+        if not audience:
+            scopes = [f"{client_id}/.default"]
+        else:
+            scopes = [f"{audience}/.default"]
+
     app = msal.ConfidentialClientApplication(client_id, authority=authority, client_credential=secret)
     return app.acquire_token_for_client(scopes)
 
 def token_from_env_variable(env_variable_name):
     auth_params = os.environ.get(f"RAFT_{env_variable_name}") or os.environ.get(env_variable_name)
     if auth_params:
         auth = json.loads(auth_params)
-        token = get_token(auth['client'], auth['tenant'], auth['secret'], auth.get('scopes'), auth.get('authorityUri') )
         print("Getting MSAL token")
+        token = get_token(auth['client'], auth['tenant'], auth['secret'], auth.get('scopes'), auth.get('authorityUri'), auth.get('audience'))
+        print("Token created")
         return f'{token["token_type"]} {token["access_token"]}'
     else:
         print(f"Authentication parameters are not set in environment variable {env_variable_name}")
diff --git a/docs/how-to-deploy.md b/docs/how-to-deploy.md
@@ -112,7 +112,6 @@ of this object type.
 ## Step 3: Choose Configuration Options
 
 To deploy RAFT, you will need to settle on a few configuration options in advance.
-Note that only four of these are required.
 
 | Option | Required? | Description |
 |--------|-------------|--------|
diff --git a/docs/schema/authentication.md b/docs/schema/authentication.md
@@ -37,12 +37,18 @@ The MSAL configuration JSON blob stored in the key vault should be in this form:
   "secret": "<your secret string>"
   "scopes": ["example/.default"]
   "authorityUri" : "<your authority uri>"
+  "audience" : "<applicationId>"
 }
 ```
 The `client`, `tenant`, and `secret` fields are mandatory.
 
 The optional `scopes` field is an array of strings and has a default value of `["{client}/.default"]` 
-where `{client}` is the value of the client field in the structure.
+where `{client}` is the value of the client field in the structure. If you provide the `audience` field,
+the scope will be set to the default value `["{audience}/.default"]`. This is useful when your
+application registration service principal is different from the application you are targeting. 
+
+**If you provide the `scopes` array with your own values, it will be used as you have defined it, no 
+defaults will be applied.**
 
 The optional `authorityUri` field is a string and has a default value of 
 "https://login.microsoftonline.com/{tenant}" where `{tenant}` is the tenant field in the structure. 
diff --git a/src/Agent/AzureAuth/Auth.fs b/src/Agent/AzureAuth/Auth.fs
@@ -69,9 +69,9 @@ type AppRegistration =
         secret : string
         scopes : string array option
         authorityUri :string option
+        audience : string option
     }
 
-
 [<EntryPoint>]
 let main argv =
     async {
@@ -103,7 +103,11 @@ let main argv =
                 let auth : AppRegistration = envVar |> loadSecretEnv |> Json.Compact.deserialize
                 let scopes = 
                     match auth.scopes with
-                    | None -> [|sprintf "%s/.default" auth.client|]
+                    | None -> 
+                        // The audience is the applicationId of the service you will be accessing over REST
+                        match auth.audience with
+                        | None -> [|sprintf "%s/.default" auth.client|]
+                        | Some a -> [|sprintf "%s/.default" a|]
                     | Some s -> s
 
                 let cred =
