ckaczor/azuredatastudio
1
0
Fork 0
mirror of https://github.com/ckaczor/azuredatastudio.git synced 2026-03-27 07:10:30 -04:00
Code Issues Packages Projects Releases Wiki Activity

Revert "Verify the token belongs to the proper user. (#11593)" (#13321)

Browse Source 
This reverts commit 45cbaca31f.
This commit is contained in:
Karl Burtram
2020-11-09 15:32:21 -08:00
committed by GitHub
parent 9d766198b5
commit 8cf5e4c9fd
2 changed files with 15 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
extensions/azurecore/src/account-provider/auths/azureAuth.ts
View File

@@ -145,10 +145,6 @@ export abstract class AzureAuth implements vscode.Disposable {
return account;
}
private verifyCorrectToken(responseToken: OAuthTokenResponse, account: AzureAccount): boolean {
return this.getUserKey(responseToken.tokenClaims) === account.key.accountId;
}
public async getAccountSecurityToken(account: AzureAccount, tenantId: string, azureResource: azdata.AzureResource): Promise<Token | undefined> {
if (account.isStale === true) {
Logger.log('Account was stale. No tokens being fetched.');
@@ -185,11 +181,6 @@ export abstract class AzureAuth implements vscode.Disposable {
if (remainingTime < maxTolerance) {
const result = await this.refreshToken(tenant, resource, cachedTokens.refreshToken);
// Verify that the user logged into this account
if (!this.verifyCorrectToken(result, account)) {
return undefined;
}
accessToken = result.accessToken;
}
// Let's just return here.
@@ -212,10 +203,6 @@ export abstract class AzureAuth implements vscode.Disposable {
}
// Let's try to convert the access token type, worst case we'll have to prompt the user to do an interactive authentication.
const result = await this.refreshToken(tenant, resource, baseTokens.refreshToken);
// Verify that the user logged into this account
if (!this.verifyCorrectToken(result, account)) {
return undefined;
}
if (result.accessToken) {
return {
...result.accessToken,
@@ -271,26 +258,6 @@ export abstract class AzureAuth implements vscode.Disposable {
return this.getTokenHelper(tenant, resource, accessTokenString, refreshTokenString, expiresOnString);
}
public getUserKey(tokenClaims: TokenClaims): string {
// Personal accounts don't have an oid when logging into the `common` tenant, but when logging into their home tenant they end up having an oid.
// This makes the key for the same account be different.
// We need to special case personal accounts.
let userKey: string;
if (tokenClaims.idp === 'live.com') { // Personal account
userKey = tokenClaims.unique_name ?? tokenClaims.email ?? tokenClaims.sub;
} else {
userKey = tokenClaims.home_oid ?? tokenClaims.oid ?? tokenClaims.unique_name ?? tokenClaims.email ?? tokenClaims.sub;
}
if (!userKey) {
Logger.pii(tokenClaims);
throw new AzureAuthError(localize('azure.userKeyUndefined', "User key was undefined - could not create a userKey from the tokenClaims"), 'user key undefined', undefined);
}
return userKey;
}
public async getTokenHelper(tenant: Tenant, resource: Resource, accessTokenString: string, refreshTokenString: string, expiresOnString: string): Promise<OAuthTokenResponse> {
if (!accessTokenString) {
const msg = localize('azure.accessTokenEmpty', 'No access token returned from Microsoft OAuth');
@@ -298,7 +265,16 @@ export abstract class AzureAuth implements vscode.Disposable {
}
const tokenClaims: TokenClaims = this.getTokenClaims(accessTokenString);
const userKey = this.getUserKey(tokenClaims);
let userKey: string;
// Personal accounts don't have an oid when logging into the `common` tenant, but when logging into their home tenant they end up having an oid.
// This makes the key for the same account be different.
// We need to special case personal accounts.
if (tokenClaims.idp === 'live.com') { // Personal account
userKey = tokenClaims.unique_name ?? tokenClaims.email ?? tokenClaims.sub;
} else {
userKey = tokenClaims.home_oid ?? tokenClaims.oid ?? tokenClaims.unique_name ?? tokenClaims.email ?? tokenClaims.sub;
}
if (!userKey) {
const msg = localize('azure.noUniqueIdentifier', "The user had no unique identifier within AAD");
@@ -439,6 +415,7 @@ export abstract class AzureAuth implements vscode.Disposable {
if (shouldOpen) {
const result = await this.login(tenant, resource);
result?.authComplete?.resolve();
return result?.response;
}
return undefined;
}