Merge pull request #207 from AzureAD/release-0.2.0

MSAL Go 0.2.0

.github/workflows/go.yml

@@ -4,7 +4,6 @@ on:
   push:
     branches: [dev]
   pull_request:
-    branches: [dev]
     # This guards against unknown PR until a community member vet it and label it.
     types: [ labeled ]
 

README.md

@@ -8,8 +8,8 @@ The first public preview of this library is yet to be released, until then, the
 
 Quick links:
 
-| [Getting Started](https://docs.microsoft.com/azure/active-directory/develop/#quickstarts) | [GoDoc](https://pkg.go.dev/github.com/AzureAD/microsoft-authentication-library-for-go/apps) | [Wiki](https://github.com/AzureAD/microsoft-authentication-library-for-go/wiki) | [Samples](https://github.com/AzureAD/microsoft-authentication-library-for-go/tree/dev/apps/tests/devapps) | [Support](README.md#community-help-and-support) |
-| ------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------ |
+| [Getting Started](https://docs.microsoft.com/azure/active-directory/develop/#quickstarts) | [GoDoc](https://pkg.go.dev/github.com/AzureAD/microsoft-authentication-library-for-go/apps) | [Wiki](https://github.com/AzureAD/microsoft-authentication-library-for-go/wiki) | [Samples](https://github.com/AzureAD/microsoft-authentication-library-for-go/tree/dev/apps/tests/devapps) | [Support](README.md#community-help-and-support) | [Feedback](https://forms.office.com/r/s4waBAytFJ) | 
+| ------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------- |
 
 ## Build Status
 
@@ -93,6 +93,9 @@ We use [Stack Overflow](http://stackoverflow.com/questions/tagged/msal) to work
 
 If you find and bug or have a feature request, please raise the issue on [GitHub Issues](https://github.com/AzureAD/microsoft-authentication-library-for-go/issues).
 
+## Submit Feedback
+We'd like your thoughts on this library. Please complete [this short survey.](https://forms.office.com/r/s4waBAytFJ)
+
 ## Contributing
 
 This project welcomes contributions and suggestions.  Most contributions require you to agree to a

apps/confidential/confidential.go

@@ -135,14 +135,16 @@ type Credential struct {
 
 	cert *x509.Certificate
 	key  crypto.PrivateKey
+
+	assertion string
 }
 
 // toInternal returns the accesstokens.Credential that is used internally. The current structure of the
 // code requires that client.go, requests.go and confidential.go share a credential type without
 // having import recursion. That requires the type used between is in a shared package. Therefore
 // we have this.
 func (c Credential) toInternal() *accesstokens.Credential {
-	return &accesstokens.Credential{Secret: c.secret, Cert: c.cert, Key: c.key}
+	return &accesstokens.Credential{Secret: c.secret, Cert: c.cert, Key: c.key, Assertion: c.assertion}
 }
 
 // NewCredFromSecret creates a Credential from a secret.
@@ -153,6 +155,14 @@ func NewCredFromSecret(secret string) (Credential, error) {
 	return Credential{secret: secret}, nil
 }
 
+// NewCredFromAssertion creates a Credential from a signed assertion.
+func NewCredFromAssertion(assertion string) (Credential, error) {
+	if assertion == "" {
+		return Credential{}, errors.New("assertion can't be empty string")
+	}
+	return Credential{assertion: assertion}, nil
+}
+
 // NewCredFromCert creates a Credential from an x509.Certificate and a PKCS8 DER encoded private key.
 // CertFromPEM() can be used to get these values from a PEM file storing a PKCS8 private key.
 func NewCredFromCert(cert *x509.Certificate, key crypto.PrivateKey) Credential {

apps/confidential/confidential_test.go

@@ -83,8 +83,8 @@ const (
 
 var tokenScope = []string{"the_scope"}
 
-func fakeClient(tk accesstokens.TokenResponse) (Client, error) {
-	cred, err := NewCredFromSecret("fake_secret")
+func fakeClient(tk accesstokens.TokenResponse, credential string) (Client, error) {
+	cred, err := NewCredFromSecret(credential)
 	if err != nil {
 		return Client{}, err
 	}
@@ -123,34 +123,50 @@ func fakeClient(tk accesstokens.TokenResponse) (Client, error) {
 }
 
 func TestAcquireTokenByCredential(t *testing.T) {
-	client, err := fakeClient(accesstokens.TokenResponse{
-		AccessToken:   token,
-		ExpiresOn:     internalTime.DurationTime{T: time.Now().Add(1 * time.Hour)},
-		ExtExpiresOn:  internalTime.DurationTime{T: time.Now().Add(1 * time.Hour)},
-		GrantedScopes: accesstokens.Scopes{Slice: tokenScope},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	_, err = client.AcquireTokenSilent(context.Background(), tokenScope)
-	// first attempt should fail
-	if err == nil {
-		t.Fatal("unexpected nil error from AcquireTokenSilent")
-	}
-	tk, err := client.AcquireTokenByCredential(context.Background(), tokenScope)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if tk.AccessToken != token {
-		t.Fatalf("unexpected access token %s", tk.AccessToken)
-	}
-	// second attempt should return the cached token
-	tk, err = client.AcquireTokenSilent(context.Background(), tokenScope)
-	if err != nil {
-		t.Fatal(err)
+	tests := []struct {
+		desc string
+		cred string
+	}{
+		{
+			desc: "Secret",
+			cred: "fake_secret",
+		},
+		{
+			desc: "Signed Assertion",
+			cred: "fake_assertion",
+		},
 	}
-	if tk.AccessToken != token {
-		t.Fatalf("unexpected access token %s", tk.AccessToken)
+
+	for _, test := range tests {
+		client, err := fakeClient(accesstokens.TokenResponse{
+			AccessToken:   token,
+			ExpiresOn:     internalTime.DurationTime{T: time.Now().Add(1 * time.Hour)},
+			ExtExpiresOn:  internalTime.DurationTime{T: time.Now().Add(1 * time.Hour)},
+			GrantedScopes: accesstokens.Scopes{Slice: tokenScope},
+		}, test.cred)
+		if err != nil {
+			t.Fatal(err)
+		}
+		_, err = client.AcquireTokenSilent(context.Background(), tokenScope)
+		// first attempt should fail
+		if err == nil {
+			t.Errorf("TestAcquireTokenByCredential(%s): unexpected nil error from AcquireTokenSilent", test.desc)
+		}
+		tk, err := client.AcquireTokenByCredential(context.Background(), tokenScope)
+		if err != nil {
+			t.Errorf("TestAcquireTokenByCredential(%s): got err == %s, want err == nil", test.desc, err)
+		}
+		if tk.AccessToken != token {
+			t.Errorf("TestAcquireTokenByCredential(%s): unexpected access token %s", test.desc, tk.AccessToken)
+		}
+		// second attempt should return the cached token
+		tk, err = client.AcquireTokenSilent(context.Background(), tokenScope)
+		if err != nil {
+			t.Errorf("TestAcquireTokenByCredential(%s): got err == %s, want err == nil", test.desc, err)
+		}
+		if tk.AccessToken != token {
+			t.Errorf("TestAcquireTokenByCredential(%s): unexpected access token %s", test.desc, tk.AccessToken)
+		}
 	}
 }
 
@@ -180,7 +196,7 @@ func TestAcquireTokenByAuthCode(t *testing.T) {
 			UID:  "123-456",
 			UTID: "fake",
 		},
-	})
+	}, "fake_secret")
 	if err != nil {
 		t.Fatal(err)
 	}

apps/internal/base/internal/storage/storage.go

@@ -101,10 +101,6 @@ func (m *Manager) Read(ctx context.Context, authParameters authority.AuthParams,
 		return TokenResponse{}, err
 	}
 
-	if err := accessToken.Validate(); err != nil {
-		return TokenResponse{}, err
-	}
-
 	if account.IsZero() {
 		return TokenResponse{
 			AccessToken:  accessToken,

apps/internal/oauth/oauth.go

@@ -97,9 +97,11 @@ func (t *Client) Credential(ctx context.Context, authParams authority.AuthParams
 	if cred.Secret != "" {
 		return t.AccessTokens.FromClientSecret(ctx, authParams, cred.Secret)
 	}
-
-	jwt, err := cred.JWT(authParams)
-	if err != nil {
+	var jwt string
+	var err error
+	if cred.Assertion != "" {
+		jwt = cred.Assertion
+	} else if jwt, err = cred.JWT(authParams); err != nil {
 		return accesstokens.TokenResponse{}, err
 	}
 	return t.AccessTokens.FromAssertion(ctx, authParams, jwt)

apps/internal/oauth/ops/accesstokens/accesstokens.go

@@ -94,8 +94,7 @@ type Credential struct {
 
 	// mu protects everything below.
 	mu sync.Mutex
-	// Assertion is the JWT assertion if we have retrieved it. Public to allow faking in tests.
-	// Any use outside msal is not supported by a compatibility promise.
+	// Assertion is the signed JWT assertion if we have retrieved it or if it was passed.
 	Assertion string
 	// Expires is when the Assertion expires. Public to allow faking in tests.
 	// Any use outside msal is not supported by a compatibility promise.

apps/internal/version/version.go

@@ -5,4 +5,4 @@
 package version
 
 // Version is the version of this client package that is communicated to the server.
-const Version = "0.1.0"
+const Version = "0.2.0"