
Commit 8a0b6eb

committed
Adjust OBO test structure
1 parent ae2a00e commit 8a0b6eb

2 files changed

Lines changed: 15 additions & 16 deletions


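--- a/tests/lab_config.py
+++ b/tests/lab_config.py
@@ -95,6 +95,7 @@ class AppSecrets:
 B2C_CLIENT = "MSAL-App-B2C-JSON"
 CIAM_CLIENT = "MSAL-App-CIAM-JSON"
 ARLINGTON_CLIENT = "MSAL-App-Arlington-JSON"
+OBO_CLIENT_SECRET = "IdentityDivisionDotNetOBOServiceSecret"
 
 # =============================================================================
 # Data Classes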
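Review bot: `OBO_CLIENT_SECRET` at new line 98 holds a Key Vault secret *name* that is later passed to `get_secret()`, not a secret value, but the identifier reads like the latter and the comment in test_e2e.py that explained this is removed in the same commit. A one-line comment on the constant would keep that clear for the next reader, e.g. `# Key Vault secret name (resolve with get_secret(..., vault="msal_team")); not the secret itself`. The neighbouring `*_CLIENT` constants name app registrations, so a suffix such as `_NAME` could be considered if a rename is cheap. The AppSecrets class continues outside this hunk.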

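--- a/tests/test_e2e.py
+++ b/tests/test_e2e.py
@@ -902,30 +902,28 @@ def test_acquire_token_obo(self):
 """Test On-Behalf-Of flow.
 
 Flow:
-1. PCA acquires token for user to access the WebAPI (scope: api://<app_id>/access_as_user)
-2. WebAPI (CCA) uses that token as assertion to get token for downstream service (Graph)
+1. S2S app (PCA) acquires token for user, targeting the WebAPI
+2. WebAPI (CCA) uses that token as assertion to get token for downstream (Graph)
 """
 user = get_user_config(UserSecrets.PUBLIC_CLOUD)
 password = get_user_password(user)
+s2s_app = get_app_config(AppSecrets.S2S_CLIENT)
 web_api_app = get_app_config(AppSecrets.WEB_API_CLIENT)
 
-# Step 1: PCA gets token for user to access the WebAPI
 config_pca = {
 "authority": user.authority,
-"client_id": web_api_app.app_id,
+"client_id": s2s_app.app_id,
 "username": user.upn,
 "password": password,
-"scope": ["api://%s/access_as_user" % web_api_app.app_id],
+"scope": [web_api_app.defaultscopes],
 }
 
-# Step 2: WebAPI (CCA) exchanges the token via OBO for Graph access
-# Note: web_api_app.client_secret contains the Key Vault secret name,
-# which we pass to get_secret() to retrieve the actual secret value.
 config_cca = {
 "authority": user.authority,
 "client_id": web_api_app.app_id,
-"client_secret": get_secret(web_api_app.client_secret, vault="msal_team"),
-"scope": ["https://graph.microsoft.com/.default"],
+"client_secret": get_secret(
+AppSecrets.OBO_CLIENT_SECRET, vault="msal_team"),
+"scope": ["User.Read"],
 "username": user.upn,
 }
 
@@ -1242,23 +1240,23 @@ def test_cca_obo_should_bypass_regional_endpoint_therefore_still_work(self):
 """
 user = get_user_config(UserSecrets.PUBLIC_CLOUD)
 password = get_user_password(user)
+s2s_app = get_app_config(AppSecrets.S2S_CLIENT)
 web_api_app = get_app_config(AppSecrets.WEB_API_CLIENT)
 
-# Step 1: PCA gets token for user to access the WebAPI
 config_pca = {
 "authority": user.authority,
-"client_id": web_api_app.app_id,
+"client_id": s2s_app.app_id,
 "username": user.upn,
 "password": password,
-"scope": ["api://%s/access_as_user" % web_api_app.app_id],
+"scope": [web_api_app.defaultscopes],
 }
 
-# Step 2: WebAPI (CCA) exchanges the token via OBO for Graph access
 config_cca = {
 "authority": user.authority,
 "client_id": web_api_app.app_id,
-"client_secret": get_secret(web_api_app.client_secret, vault="msal_team"),
-"scope": ["https://graph.microsoft.com/.default"],
+"client_secret": get_secret(
+AppSecrets.OBO_CLIENT_SECRET, vault="msal_team"),
+"scope": ["User.Read"],
 "username": user.upn,
 }
 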