From 2231d4f9e2667d39657fb8fd424e795f8258bbf8 Mon Sep 17 00:00:00 2001
From: avdunn
Date: Fri, 8 May 2026 08:28:12 -0700
Subject: [PATCH 1/3] Use tenant-specific authority instead of organizations in certain tests

---
 tests/test_e2e.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/tests/test_e2e.py b/tests/test_e2e.py
index 37632ee7..bbf59ea0 100644
--- a/tests/test_e2e.py
+++ b/tests/test_e2e.py
@@ -910,9 +910,8 @@ def test_acquire_token_obo(self):
         web_api_app = get_app_config(AppSecrets.WEB_API_CLIENT)
 
         # Step 1: PCA gets token for user to access the WebAPI
-        # Note: Java test uses "organizations" authority for PCA
         config_pca = {
-            "authority": "https://login.microsoftonline.com/organizations",
+            "authority": user.authority,
             "client_id": web_api_app.app_id,
             "username": user.upn,
             "password": password,
@@ -923,7 +922,7 @@ def test_acquire_token_obo(self):
         # Note: web_api_app.client_secret contains the Key Vault secret name,
         # which we pass to get_secret() to retrieve the actual secret value.
         config_cca = {
-            "authority": user.authority,  # Tenant-specific authority
+            "authority": user.authority,
             "client_id": web_api_app.app_id,
             "client_secret": get_secret(web_api_app.client_secret, vault="msal_team"),
             "scope": ["https://graph.microsoft.com/.default"],
@@ -1247,7 +1246,7 @@ def test_cca_obo_should_bypass_regional_endpoint_therefore_still_work(self):
 
         # Step 1: PCA gets token for user to access the WebAPI
         config_pca = {
-            "authority": "https://login.microsoftonline.com/organizations",
+            "authority": user.authority,
             "client_id": web_api_app.app_id,
             "username": user.upn,
             "password": password,

From ae2a00e3964bcf360da4b418cafe8d1f1e2466bd Mon Sep 17 00:00:00 2001
From: avdunn
Date: Fri, 8 May 2026 08:47:40 -0700
Subject: [PATCH 2/3] Bump cryptography ceiling

---
 setup.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.cfg b/setup.cfg
index b2164fff..b7477e06 100644
--- a/setup.cfg
+++ b/setup.cfg
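Review bot: The first hunk switches the PCA step of test_acquire_token_obo to `user.authority` but removes the only comment that explained the previous `organizations` choice and adds none for the new one, so a later reader cannot tell whether the tenant-specific authority is a requirement of the OBO flow or just a convenience. A one-line why-comment above `config_pca`, e.g. `# Both legs of the OBO flow use the user's tenant-specific authority (was "organizations" for parity with the Java test)`, would record the intent; the third hunk (test_cca_obo_should_bypass_regional_endpoint_therefore_still_work) makes the same change and would benefit from the same line. Both test methods continue outside these hunks.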
@@ -53,7 +53,7 @@ install_requires =
     # And we will use the cryptography (X+3).0.0 as the upper bound,
     # based on their latest deprecation policy
     # https://cryptography.io/en/latest/api-stability/#deprecation
-    cryptography>=2.5,<50
+    cryptography>=2.5,<51
 
 
 [options.extras_require]

From 8a0b6ebed82cb21a1c00da2f94325b1add474324 Mon Sep 17 00:00:00 2001
From: avdunn
Date: Fri, 8 May 2026 09:24:08 -0700
Subject: [PATCH 3/3] Adjust OBO test structure

---
 tests/lab_config.py |  1 +
 tests/test_e2e.py   | 30 ++++++++++++++----------------
 2 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/tests/lab_config.py b/tests/lab_config.py
index 8b692e3f..6f048357 100644
--- a/tests/lab_config.py
+++ b/tests/lab_config.py
@@ -95,6 +95,7 @@ class AppSecrets:
     B2C_CLIENT = "MSAL-App-B2C-JSON"
     CIAM_CLIENT = "MSAL-App-CIAM-JSON"
     ARLINGTON_CLIENT = "MSAL-App-Arlington-JSON"
+    OBO_CLIENT_SECRET = "IdentityDivisionDotNetOBOServiceSecret"
 
 # =============================================================================
 # Data Classes
diff --git a/tests/test_e2e.py b/tests/test_e2e.py
index bbf59ea0..e6cb999a 100644
--- a/tests/test_e2e.py
+++ b/tests/test_e2e.py
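Review bot: In the tests/lab_config.py hunk, `OBO_CLIENT_SECRET` is added to `AppSecrets` next to siblings that are all `*-JSON` app-config names, and nothing on the line says the value is a Key Vault secret *name* to be passed to `get_secret()` rather than a secret value or an app config. The comment that used to explain this indirection in test_e2e.py is removed by the same patch, so a trailing comment here, e.g. `# Key Vault secret name (not the value) of the OBO web API's client secret`, would keep that knowledge somewhere. The `AppSecrets` class starts outside the hunk.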
@@ -902,30 +902,28 @@ def test_acquire_token_obo(self):
         """Test On-Behalf-Of flow.
 
         Flow:
-        1. PCA acquires token for user to access the WebAPI (scope: api:///access_as_user)
-        2. WebAPI (CCA) uses that token as assertion to get token for downstream service (Graph)
+        1. S2S app (PCA) acquires token for user, targeting the WebAPI
+        2. WebAPI (CCA) uses that token as assertion to get token for downstream (Graph)
         """
         user = get_user_config(UserSecrets.PUBLIC_CLOUD)
         password = get_user_password(user)
+        s2s_app = get_app_config(AppSecrets.S2S_CLIENT)
         web_api_app = get_app_config(AppSecrets.WEB_API_CLIENT)
 
-        # Step 1: PCA gets token for user to access the WebAPI
         config_pca = {
             "authority": user.authority,
-            "client_id": web_api_app.app_id,
+            "client_id": s2s_app.app_id,
             "username": user.upn,
             "password": password,
-            "scope": ["api://%s/access_as_user" % web_api_app.app_id],
+            "scope": [web_api_app.defaultscopes],
         }
 
-        # Step 2: WebAPI (CCA) exchanges the token via OBO for Graph access
-        # Note: web_api_app.client_secret contains the Key Vault secret name,
-        # which we pass to get_secret() to retrieve the actual secret value.
         config_cca = {
             "authority": user.authority,
             "client_id": web_api_app.app_id,
-            "client_secret": get_secret(web_api_app.client_secret, vault="msal_team"),
-            "scope": ["https://graph.microsoft.com/.default"],
+            "client_secret": get_secret(
+                AppSecrets.OBO_CLIENT_SECRET, vault="msal_team"),
+            "scope": ["User.Read"],
             "username": user.upn,
         }
 
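Review bot: `"scope": [web_api_app.defaultscopes]` wraps the attribute in a list, and if `defaultscopes` is itself a list (the plural name suggests it may be; the hunk does not show its type) the PCA receives a nested list instead of a list of scope strings — either confirm it is a single string or pass it as `"scope": web_api_app.defaultscopes`; the test_cca_obo_should_bypass_regional_endpoint_therefore_still_work hunk below has the same line. Separately, `config_cca` now pairs `web_api_app.app_id` with a secret looked up by the fixed name `AppSecrets.OBO_CLIENT_SECRET`, so the client id and its credential come from two independent sources and can silently drift apart when the lab app config changes; the removed comment about `get_secret()` taking a Key Vault secret name should survive in some form, e.g. `# OBO_CLIENT_SECRET is the Key Vault name of the secret belonging to web_api_app.app_id` above `config_cca`. The body of test_acquire_token_obo continues past the end of the hunk.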
@@ -1242,23 +1240,23 @@ def test_cca_obo_should_bypass_regional_endpoint_therefore_still_work(self):
         """
         user = get_user_config(UserSecrets.PUBLIC_CLOUD)
         password = get_user_password(user)
+        s2s_app = get_app_config(AppSecrets.S2S_CLIENT)
         web_api_app = get_app_config(AppSecrets.WEB_API_CLIENT)
 
-        # Step 1: PCA gets token for user to access the WebAPI
         config_pca = {
             "authority": user.authority,
-            "client_id": web_api_app.app_id,
+            "client_id": s2s_app.app_id,
             "username": user.upn,
             "password": password,
-            "scope": ["api://%s/access_as_user" % web_api_app.app_id],
+            "scope": [web_api_app.defaultscopes],
         }
 
-        # Step 2: WebAPI (CCA) exchanges the token via OBO for Graph access
         config_cca = {
             "authority": user.authority,
             "client_id": web_api_app.app_id,
-            "client_secret": get_secret(web_api_app.client_secret, vault="msal_team"),
-            "scope": ["https://graph.microsoft.com/.default"],
+            "client_secret": get_secret(
+                AppSecrets.OBO_CLIENT_SECRET, vault="msal_team"),
+            "scope": ["User.Read"],
             "username": user.upn,
         }
 