diff --git a/setup.cfg b/setup.cfg
index b2164fff..b7477e06 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -53,7 +53,7 @@ install_requires =
 # And we will use the cryptography (X+3).0.0 as the upper bound,
 # based on their latest deprecation policy
 # https://cryptography.io/en/latest/api-stability/#deprecation
- cryptography>=2.5,<50
+ cryptography>=2.5,<51
 [options.extras_require]
diff --git a/tests/lab_config.py b/tests/lab_config.py
index 8b692e3f..6f048357 100644
--- a/tests/lab_config.py
+++ b/tests/lab_config.py
@@ -95,6 +95,7 @@ class AppSecrets:
 B2C_CLIENT = "MSAL-App-B2C-JSON"
 CIAM_CLIENT = "MSAL-App-CIAM-JSON"
 ARLINGTON_CLIENT = "MSAL-App-Arlington-JSON"
+ OBO_CLIENT_SECRET = "IdentityDivisionDotNetOBOServiceSecret"
 # =============================================================================
 # Data Classes
diff --git a/tests/test_e2e.py b/tests/test_e2e.py
index 37632ee7..e6cb999a 100644
--- a/tests/test_e2e.py
+++ b/tests/test_e2e.py
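Review bot: `OBO_CLIENT_SECRET` in the `tests/lab_config.py` hunk holds the Key Vault *name* of a secret, not the credential itself (the test_e2e.py hunks pass it to `get_secret(..., vault="msal_team")`), but the `_SECRET` suffix and the bare string literal read as if the value were the secret, and nothing on the line says otherwise. The neighbouring `*_CLIENT` entries look, by their `-JSON` suffix, like names of app-config blobs, so this constant is the odd one out in the class. A trailing comment would stop a reader or a secret scanner from flagging it: `OBO_CLIENT_SECRET = "IdentityDivisionDotNetOBOServiceSecret"  # Key Vault secret name; the value is fetched via get_secret(..., vault="msal_team")`. `class AppSecrets` starts at the hunk header and continues past the end of the hunk.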
@@ -902,31 +902,28 @@ def test_acquire_token_obo(self):
 """Test On-Behalf-Of flow.
 Flow:
- 1. PCA acquires token for user to access the WebAPI (scope: api:///access_as_user)
- 2. WebAPI (CCA) uses that token as assertion to get token for downstream service (Graph)
+ 1. S2S app (PCA) acquires token for user, targeting the WebAPI
+ 2. WebAPI (CCA) uses that token as assertion to get token for downstream (Graph)
 """
 user = get_user_config(UserSecrets.PUBLIC_CLOUD)
 password = get_user_password(user)
+ s2s_app = get_app_config(AppSecrets.S2S_CLIENT)
 web_api_app = get_app_config(AppSecrets.WEB_API_CLIENT)
- # Step 1: PCA gets token for user to access the WebAPI
- # Note: Java test uses "organizations" authority for PCA
 config_pca = {
- "authority": "https://login.microsoftonline.com/organizations",
- "client_id": web_api_app.app_id,
+ "authority": user.authority,
+ "client_id": s2s_app.app_id,
 "username": user.upn,
 "password": password,
- "scope": ["api://%s/access_as_user" % web_api_app.app_id],
+ "scope": [web_api_app.defaultscopes],
 }
- # Step 2: WebAPI (CCA) exchanges the token via OBO for Graph access
- # Note: web_api_app.client_secret contains the Key Vault secret name,
- # which we pass to get_secret() to retrieve the actual secret value.
 config_cca = {
- "authority": user.authority, # Tenant-specific authority
+ "authority": user.authority,
 "client_id": web_api_app.app_id,
- "client_secret": get_secret(web_api_app.client_secret, vault="msal_team"),
- "scope": ["https://graph.microsoft.com/.default"],
+ "client_secret": get_secret( AppSecrets.OBO_CLIENT_SECRET, vault="msal_team"),
+ "scope": ["User.Read"],
 "username": user.upn,
 }
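Review bot: The commit removes the comment explaining that the argument to `get_secret()` is a Key Vault secret *name* rather than the secret value, yet the new `client_secret` entry still relies on exactly that convention, now through `AppSecrets.OBO_CLIENT_SECRET`; the same explanatory comment is dropped in the hunk at -1243. I would keep one line above the new call: `# OBO_CLIENT_SECRET is the Key Vault secret name; get_secret() resolves it to the value`. Separately, `"scope": [web_api_app.defaultscopes]` wraps the attribute in a list, which is right if `defaultscopes` is a single scope string but would produce a nested list if the lab config already supplies a list — worth confirming against what `get_app_config()` returns. `test_acquire_token_obo` starts at the hunk header and continues past the end of the hunk, so the code that consumes these configs is not visible here.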
@@ -1243,23 +1240,23 @@ def test_cca_obo_should_bypass_regional_endpoint_therefore_still_work(self):
 """
 user = get_user_config(UserSecrets.PUBLIC_CLOUD)
 password = get_user_password(user)
+ s2s_app = get_app_config(AppSecrets.S2S_CLIENT)
 web_api_app = get_app_config(AppSecrets.WEB_API_CLIENT)
- # Step 1: PCA gets token for user to access the WebAPI
 config_pca = {
- "authority": "https://login.microsoftonline.com/organizations",
- "client_id": web_api_app.app_id,
+ "authority": user.authority,
+ "client_id": s2s_app.app_id,
 "username": user.upn,
 "password": password,
- "scope": ["api://%s/access_as_user" % web_api_app.app_id],
+ "scope": [web_api_app.defaultscopes],
 }
- # Step 2: WebAPI (CCA) exchanges the token via OBO for Graph access
 config_cca = {
 "authority": user.authority,
 "client_id": web_api_app.app_id,
- "client_secret": get_secret(web_api_app.client_secret, vault="msal_team"),
- "scope": ["https://graph.microsoft.com/.default"],
+ "client_secret": get_secret( AppSecrets.OBO_CLIENT_SECRET, vault="msal_team"),
+ "scope": ["User.Read"],
 "username": user.upn,
 }
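Review bot: `config_pca` and `config_cca` are now built from the same literal entries as in `test_acquire_token_obo` (the hunk at -902), so every change to the OBO setup has to be made twice, as this commit itself demonstrates. A small helper on the test class that returns both dicts would keep the two tests in step, and each call site would shrink to `config_pca, config_cca = self._obo_configs(user, password, s2s_app, web_api_app)`. `test_cca_obo_should_bypass_regional_endpoint_therefore_still_work` starts at the hunk header and continues past the end of the hunk, so the lines that consume the configs are not visible here.
```python
    def _obo_configs(self, user, password, s2s_app, web_api_app):
        """Build the step-1 (PCA) and step-2 (CCA) configs shared by the OBO tests."""
        config_pca = {
            "authority": user.authority,
            "client_id": s2s_app.app_id,
            "username": user.upn,
            "password": password,
            "scope": [web_api_app.defaultscopes],
        }
        config_cca = {
            "authority": user.authority,
            "client_id": web_api_app.app_id,
            # OBO_CLIENT_SECRET is the Key Vault secret name; get_secret() resolves it
            "client_secret": get_secret(
                AppSecrets.OBO_CLIENT_SECRET, vault="msal_team"),
            "scope": ["User.Read"],
            "username": user.upn,
        }
        return config_pca, config_cca

    # … unchanged: test body up to the app lookups …
        config_pca, config_cca = self._obo_configs(
            user, password, s2s_app, web_api_app)
    # … unchanged: token acquisition and assertions …
```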