Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ManagedIdentityCredential should not do in-place mutation of Scopes #15308

Closed
kostrse opened this issue Aug 17, 2021 · 2 comments · Fixed by #15331
Closed

ManagedIdentityCredential should not do in-place mutation of Scopes #15308

kostrse opened this issue Aug 17, 2021 · 2 comments · Fixed by #15331
Assignees
@jhendrixMSFT @chlowell @schaabs
Labels
Azure.Identity bug This issue requires a change to an existing behavior in the product in order to be resolved. Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization.
Milestone
[2021] September

Comments

@kostrse
Copy link

kostrse commented Aug 17, 2021

Bug Report

ManagedIdentityCredential receives a list of scopes as input and internally converts them to a resource ID (#14693).

There's a problem that ManagedIdentityCredential is actually mutates the original array, which creates an unexpected side-effect for the calling code:

var credential azcore.TokenCredential
var token *azcore.AccessToken
var err error

clientId := ""
scopes := []string { "htttps://management.azure.com/.default" }

if credential, err = azidentity.NewManagedIdentityCredential(clientId, nil); err != nil {
	return err
}

fmt.Printf("scopes: %s\n", scopes)
// scopes: [htttps://management.azure.com/.default]

if token, err = c.credential.GetToken(ctx, azcore.TokenRequestOptions{Scopes: scopes}); err != nil {
	return err
}

fmt.Printf("scopes: %s\n", scopes)
// scopes: [htttps://management.azure.com] <-- INPUT ARRAY HAS CHANGED

This line is responsible for in-place mutation of the input array.

Mutation should not happen since conversion from scopes to resource ID is implementation detail which should not affect calling code.
@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Aug 17, 2021
@kostrse kostrse mentioned this issue Aug 17, 2021
Merged
@RickWinter RickWinter added Azure.Identity bug This issue requires a change to an existing behavior in the product in order to be resolved. Client This issue points to a problem in the data-plane of the library. labels Aug 18, 2021
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Aug 18, 2021
@RickWinter RickWinter removed the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label Aug 18, 2021
@RickWinter RickWinter assigned jhendrixMSFT and chlowell and unassigned antkmsft Aug 18, 2021
@kostrse
Copy link
Author

kostrse commented Aug 19, 2021
edited
Loading

I my opinion you should not do any transformations with scopes in ManagedIdentityCredential and instead convert the scopes to resource ID in createXxxRequest methods of managed_identity_client.

managed_identity_client supports several implementations of token endpoints and whether a given token endpoint supports scopes or not is implementation detail of that particular endpoint. It just happens now that today no one endpoint actually supports scopes, but it may change in future.

So, createXxxRequest impelementations that actually support scopes (in future), would be able to pass scopes as is, and endpoints which still do not support scopes, would continue converting them to resource ID, on case by case basis.

@chlowell chlowell mentioned this issue Aug 20, 2021
Merged
@chlowell
Copy link
Member

Thanks, that's a good suggestion. I also find the division of responsibilities between ManagedIdentityCredential and managedIdentityClient somewhat awkward. I left that division alone in my PR because I would probably want to refactor more than the scope -> resource conversion, and there's no need for that today. One endpoint diverging from the others in the way you describe would be a good excuse for a larger refactoring though.

@kostrse kostrse mentioned this issue Sep 7, 2021
Merged
@github-actions github-actions bot locked and limited conversation to collaborators Apr 11, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@jhendrixMSFT jhendrixMSFT

@chlowell chlowell

@schaabs schaabs

Labels
Azure.Identity bug This issue requires a change to an existing behavior in the product in order to be resolved. Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization.
Projects
None yet
Milestone
[2021] September
Development

Successfully merging a pull request may close this issue.

Prevent ManagedIdentityCredential mutating GetToken arguments chlowell/azure-sdk-for-go
6 participants
@kostrse @RickWinter @jhendrixMSFT @chlowell @schaabs @antkmsft