def test_shared_cache():
"""The client should return only tokens associated with its own client_id"""
client_id_a = "client-id-a"
client_id_b = "client-id-b"
scope = "scope"
expected_token = "***"
tenant_id = "tenant"
authority = "https://localhost/" + tenant_id
cache = TokenCache()
cache.add({
"response":
build_aad_response(access_token=expected_token),
"client_id":
client_id_a,
"scope": [scope],
"token_endpoint":
"/".join((authority, tenant_id, "oauth2/v2.0/token")),
})
common_args = dict(authority=authority, cache=cache, tenant_id=tenant_id)
client_a = AadClient(client_id=client_id_a, **common_args)
client_b = AadClient(client_id=client_id_b, **common_args)
# A has a cached token
token = client_a.get_cached_access_token([scope])
assert token.token == expected_token
# which B shouldn't return
assert client_b.get_cached_access_token([scope]) is None
def test_multitenant_cache():
client_id = "client-id"
scope = "scope"
expected_token = "***"
tenant_a = "tenant-a"
tenant_b = "tenant-b"
tenant_c = "tenant-c"
authority = "https://localhost/" + tenant_a
cache = TokenCache()
cache.add({
"response":
build_aad_response(access_token=expected_token),
"client_id":
client_id,
"scope": [scope],
"token_endpoint":
"/".join((authority, tenant_a, "oauth2/v2.0/token")),
})
common_args = dict(authority=authority, cache=cache, client_id=client_id)
client_a = AadClient(tenant_id=tenant_a, **common_args)
client_b = AadClient(tenant_id=tenant_b, **common_args)
# A has a cached token
token = client_a.get_cached_access_token([scope])
assert token.token == expected_token
# which B shouldn't return
assert client_b.get_cached_access_token([scope]) is None
# but C allows multitenant auth and should therefore return the token from tenant_a when appropriate
client_c = AadClient(tenant_id=tenant_c,
allow_multitenant_authentication=True,
**common_args)
assert client_c.get_cached_access_token([scope]) is None
token = client_c.get_cached_access_token([scope], tenant_id=tenant_a)
assert token.token == expected_token
with patch.dict("os.environ", {
EnvironmentVariables.AZURE_IDENTITY_ENABLE_LEGACY_TENANT_SELECTION:
"true"
},
clear=True):
assert client_c.get_cached_access_token([scope],
tenant_id=tenant_a) is None
def test_multitenant_cache():
client_id = "client-id"
scope = "scope"
expected_token = "***"
tenant_a = "tenant-a"
tenant_b = "tenant-b"
tenant_c = "tenant-c"
authority = "https://localhost/" + tenant_a
cache = TokenCache()
cache.add({
"response":
build_aad_response(access_token=expected_token),
"client_id":
client_id,
"scope": [scope],
"token_endpoint":
"/".join((authority, tenant_a, "oauth2/v2.0/token")),
})
common_args = dict(authority=authority, cache=cache, client_id=client_id)
client_a = AadClient(tenant_id=tenant_a, **common_args)
client_b = AadClient(tenant_id=tenant_b, **common_args)
# A has a cached token
token = client_a.get_cached_access_token([scope])
assert token.token == expected_token
# which B shouldn't return
assert client_b.get_cached_access_token([scope]) is None
# but C allows multitenant auth and should therefore return the token from tenant_a when appropriate
client_c = AadClient(tenant_id=tenant_c, **common_args)
assert client_c.get_cached_access_token([scope]) is None
token = client_c.get_cached_access_token([scope], tenant_id=tenant_a)
assert token.token == expected_token
