@@ -308,6 +308,10 @@ def get_session(lab_app, scopes): # BTW, this infrastructure tests the confiden
308
308
309
309
class LabBasedTestCase (E2eTestCase ):
310
310
_secrets = {}
311
+ adfs2019_scopes = ["placeholder" ] # Need this to satisfy MSAL API surface.
312
+ # Internally, MSAL will also append more scopes like "openid" etc..
313
+ # ADFS 2019 will issue tokens for valid scope only, by default "openid".
314
+ # https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-faq#what-permitted-scopes-are-supported-by-ad-fs
311
315
312
316
@classmethod
313
317
def setUpClass (cls ):
@@ -366,6 +370,47 @@ def test_adfs2019_fed_user(self):
366
370
self ._test_username_password (
367
371
password = self .get_lab_user_secret (config ["lab_name" ]), ** config )
368
372
373
+ def test_ropc_adfs2019_onprem (self ):
374
+ config = self .get_lab_user (usertype = "onprem" , federationProvider = "ADFSv2019" )
375
+ config ["authority" ] = "https://fs.%s.com/adfs" % config ["lab_name" ]
376
+ config ["client_id" ] = "PublicClientId"
377
+ config ["scope" ] = self .adfs2019_scopes
378
+ self ._test_username_password (
379
+ password = self .get_lab_user_secret (config ["lab_name" ]), ** config )
380
+
381
+ @unittest .skipIf (os .getenv ("TRAVIS" ), "Browser automation is not yet implemented" )
382
+ def test_adfs2019_onprem_acquire_token_by_auth_code (self ):
383
+ """When prompted, you can manually login using this account:
384
+
385
+ # https://msidlab.com/api/user?usertype=onprem&federationprovider=ADFSv2019
386
+ username = "..." # The upn from the link above
387
+ password="***" # From https://aka.ms/GetLabUserSecret?Secret=msidlabXYZ
388
+ """
389
+ scopes = self .adfs2019_scopes
390
+ config = self .get_lab_user (usertype = "onprem" , federationProvider = "ADFSv2019" )
391
+ (self .app , ac , redirect_uri ) = _get_app_and_auth_code (
392
+ # Configuration is derived from https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/4.7.0/tests/Microsoft.Identity.Test.Common/TestConstants.cs#L250-L259
393
+ "PublicClientId" ,
394
+ authority = "https://fs.%s.com/adfs" % config ["lab_name" ],
395
+ port = 8080 ,
396
+ scopes = scopes ,
397
+ )
398
+ result = self .app .acquire_token_by_authorization_code (
399
+ ac , scopes , redirect_uri = redirect_uri )
400
+ logger .debug (
401
+ "%s: cache = %s, id_token_claims = %s" ,
402
+ self .id (),
403
+ json .dumps (self .app .token_cache ._cache , indent = 4 ),
404
+ json .dumps (result .get ("id_token_claims" ), indent = 4 ),
405
+ )
406
+ self .assertIn (
407
+ "access_token" , result ,
408
+ "{error}: {error_description}" .format (
409
+ # Note: No interpolation here, cause error won't always present
410
+ error = result .get ("error" ),
411
+ error_description = result .get ("error_description" )))
412
+ self .assertCacheWorksForUser (result , scopes , username = None )
413
+
369
414
@unittest .skipUnless (
370
415
os .getenv ("OBO_CLIENT_SECRET" ),
371
416
"Need OBO_CLIENT_SECRET from https://buildautomation.vault.azure.net/secrets/IdentityDivisionDotNetOBOServiceSecret" )
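Review bot: The `logger.debug` call in `test_adfs2019_onprem_acquire_token_by_auth_code` serializes the whole `self.app.token_cache._cache` with `json.dumps`, and at that point the cache holds whatever tokens the authorization-code exchange just produced, so any CI run that captures debug output writes live bearer credentials for the lab account into the build log. The `id_token_claims` dump on the next line already shows that the flow completed, so the cache line should be reduced to a non-secret summary, e.g. `json.dumps(sorted(self.app.token_cache._cache), indent=4)` if `_cache` is a dict keyed by credential type (it is a private attribute, so confirm against the cache class), or removed. If earlier tests in this file, which lie outside the hunk, use the same logging pattern they deserve the same treatment. A smaller point: the redirect listener is pinned to `port = 8080`, so a second test using the same helper, or anything else on that port, fails at bind time; `_get_app_and_auth_code` is defined outside the hunk, so whether it can take an ephemeral port is not visible here.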