App service support for MI

apps/internal/oauth/ops/accesstokens/accesstokens_test.go

@@ -768,7 +768,29 @@ func TestTokenResponseUnmarshal(t *testing.T) {
 				}`,
 			want: TokenResponse{
 				AccessToken:   "secret",
-				ExpiresOn:     internalTime.DurationTime{T: time.Unix(86399, 0)},
+				ExpiresOn:     internalTime.DurationTime{T: time.Now().Add(time.Second * 86399)},
+				ExtExpiresOn:  internalTime.DurationTime{T: time.Unix(86399, 0)},
+				GrantedScopes: Scopes{Slice: []string{"openid", "profile"}},
+				ClientInfo: ClientInfo{
+					UID:  "uid",
+					UTID: "utid",
+				},
+			},
+			jwtDecoder: jwtDecoderFake,
+		},
+		{
+			desc: "Success",
+			payload: fmt.Sprintf(`
+				{
+					"access_token": "secret",
+					"expires_on": %d,
+					"ext_expires_in": 86399,
+					"client_info": {"uid":  "uid","utid": "utid"},
+					"scope": "openid profile"
+				}`, time.Now().Add(time.Hour).Unix()),
+			want: TokenResponse{
+				AccessToken:   "secret",
+				ExpiresOn:     internalTime.DurationTime{T: time.Now().Add(time.Hour)},
 				ExtExpiresOn:  internalTime.DurationTime{T: time.Unix(86399, 0)},
 				GrantedScopes: Scopes{Slice: []string{"openid", "profile"}},
 				ClientInfo: ClientInfo{
@@ -795,7 +817,9 @@ func TestTokenResponseUnmarshal(t *testing.T) {
 		case err != nil:
 			continue
 		}
-
+		if got.ExpiresOn.T.Unix() != test.want.ExpiresOn.T.Unix() {
+			t.Errorf("TestCreateTokenResponse: got %v, want %v", got.ExpiresOn.T.Unix(), test.want.ExpiresOn.T.Unix())
+		}
 		// Note: IncludeUnexported prevents minor differences in time.Time due to internal fields.
 		if diff := (&pretty.Config{IncludeUnexported: false}).Compare(test.want, got); diff != "" {
 			t.Errorf("TestCreateTokenResponse: -want/+got:\n%s", diff)

apps/internal/oauth/ops/accesstokens/tokens.go

@@ -173,7 +173,7 @@ type TokenResponse struct {
 	FamilyID       string                    `json:"foci"`
 	IDToken        IDToken                   `json:"id_token"`
 	ClientInfo     ClientInfo                `json:"client_info"`
-	ExpiresOn      internalTime.DurationTime `json:"expires_in"`
+	ExpiresOn      internalTime.DurationTime `json:"-"`
 	ExtExpiresOn   internalTime.DurationTime `json:"ext_expires_in"`
 	GrantedScopes  Scopes                    `json:"scope"`
 	DeclinedScopes []string                  // This is derived
@@ -183,6 +183,64 @@ type TokenResponse struct {
 	scopesComputed bool
 }
 
+func (tr *TokenResponse) UnmarshalJSON(data []byte) error {
+	type Alias TokenResponse
+	aux := &struct {
+		ExpiresIn json.Number `json:"expires_in"`
+		ExpiresOn json.Number `json:"expires_on"`
+		*Alias
+	}{
+		Alias: (*Alias)(tr),
+	}
+
+	// Unmarshal the JSON data into the aux struct
+	if err := json.Unmarshal(data, &aux); err != nil {
+		return err
+	}
+
+	// Helper function to parse JSON number into int64
+	parseDuration := func(num json.Number) (int64, error) {
+		if num == "" {
+			return 0, nil
+		}
+		return num.Int64()
+	}
+
+	// Try to parse ExpiresIn first, then fallback to ExpiresOn
+	if duration, err := parseDuration(aux.ExpiresIn); err != nil {
+		println("122121@@")
+		return err
+	} else if duration > 0 {
+		println("122121@")
+
+		tr.ExpiresOn = internalTime.DurationTime{T: time.Now().Add(time.Duration(duration) * time.Second)}
+	} else if duration == 0 || aux.ExpiresOn != "" {
+		println("122121@@@@@")
+		// If ExpiresIn is zero, check ExpiresOn
+		if duration, err := parseDuration(aux.ExpiresOn); err != nil {
+			println("122121@@@@@!")
+
+			return err
+		} else if duration > 0 {
+			println("122121@@@@@!!")
+
+			tr.ExpiresOn = internalTime.DurationTime{T: time.Unix(duration, 0)}
+			println(tr.ExpiresOn.T.String())
+
+		} else {
+			println("122121@@@@@!!!!!")
+
+			return errors.New("expires_in and expires_on are both missing or invalid")
+		}
+	} else {
+		println("122121")
+
+		return errors.New("expires_in or expires_on must be present in the response")
+	}
+
+	return nil
+}
+
 // ComputeScope computes the final scopes based on what was granted by the server and
 // what our AuthParams were from the authority server. Per OAuth spec, if no scopes are returned, the response should be treated as if all scopes were granted
 // This behavior can be observed in client assertion flows, but can happen at any time, this check ensures we treat

apps/managedidentity/managedidentity.go

@@ -46,9 +46,10 @@ const (
 	wwwAuthenticateHeaderName    = "www-authenticate"
 
 	// UAMI query parameter name
-	miQueryParameterClientId   = "client_id"
-	miQueryParameterObjectId   = "object_id"
-	miQueryParameterResourceId = "msi_res_id"
+	miQueryParameterClientId       = "client_id"
+	miQueryParameterObjectId       = "object_id"
+	miQueryParameterResourceIdIMDS = "msi_res_id"
+	miQueryParameterResourceId     = "mi_res_id"
 
 	// IMDS
 	imdsDefaultEndpoint           = "http://169.254.169.254/metadata/identity/oauth2/token"
@@ -66,6 +67,9 @@ const (
 	himdsExecutableName            = "himds.exe"
 	tokenName                      = "Tokens"
 
+	// App Service
+	appServiceAPIVersion = "2019-08-01"
+
 	// Environment Variables
 	identityEndpointEnvVar              = "IDENTITY_ENDPOINT"
 	identityHeaderEnvVar                = "IDENTITY_HEADER"
@@ -213,6 +217,7 @@ func New(id ID, options ...ClientOption) (Client, error) {
 	for _, option := range options {
 		option(&opts)
 	}
+
 	switch t := id.(type) {
 	case UserAssignedClientID:
 		if len(string(t)) == 0 {
@@ -290,36 +295,49 @@ func (c Client) AcquireToken(ctx context.Context, resource string, options ...Ac
 			return ar, err
 		}
 	}
-
 	switch c.source {
 	case AzureArc:
-		return acquireTokenForAzureArc(ctx, c, resource)
+		return c.acquireTokenForAzureArc(ctx, resource)
 	case DefaultToIMDS:
-		return acquireTokenForIMDS(ctx, c, resource)
+		return c.acquireTokenForIMDS(ctx, resource)
+	case AppService:
+		return c.acquireTokenForAppService(ctx, resource)
 	default:
 		return base.AuthResult{}, fmt.Errorf("unsupported source %q", c.source)
 	}
 }
 
-func acquireTokenForIMDS(ctx context.Context, client Client, resource string) (base.AuthResult, error) {
-	req, err := createIMDSAuthRequest(ctx, client.miType, resource)
+func (c Client) acquireTokenForAppService(ctx context.Context, resource string) (base.AuthResult, error) {
+	req, err := createAppServiceAuthRequest(ctx, c.miType, resource)
 	if err != nil {
 		return base.AuthResult{}, err
 	}
-	tokenResponse, err := client.getTokenForRequest(req)
+	tokenResponse, err := c.getTokenForRequest(req)
 	if err != nil {
 		return base.AuthResult{}, err
 	}
-	return authResultFromToken(client.authParams, tokenResponse)
+	return authResultFromToken(c.authParams, tokenResponse)
 }
 
-func acquireTokenForAzureArc(ctx context.Context, client Client, resource string) (base.AuthResult, error) {
+func (c Client) acquireTokenForIMDS(ctx context.Context, resource string) (base.AuthResult, error) {
+	req, err := createIMDSAuthRequest(ctx, c.miType, resource)
+	if err != nil {
+		return base.AuthResult{}, err
+	}
+	tokenResponse, err := c.getTokenForRequest(req)
+	if err != nil {
+		return base.AuthResult{}, err
+	}
+	return authResultFromToken(c.authParams, tokenResponse)
+}
+
+func (c Client) acquireTokenForAzureArc(ctx context.Context, resource string) (base.AuthResult, error) {
 	req, err := createAzureArcAuthRequest(ctx, resource, "")
 	if err != nil {
 		return base.AuthResult{}, err
 	}
 
-	response, err := client.httpClient.Do(req)
+	response, err := c.httpClient.Do(req)
 	if err != nil {
 		return base.AuthResult{}, err
 	}
@@ -329,7 +347,7 @@ func acquireTokenForAzureArc(ctx context.Context, client Client, resource string
 		return base.AuthResult{}, fmt.Errorf("expected a 401 response, received %d", response.StatusCode)
 	}
 
-	secret, err := client.getAzureArcSecretKey(response, runtime.GOOS)
+	secret, err := c.getAzureArcSecretKey(response, runtime.GOOS)
 	if err != nil {
 		return base.AuthResult{}, err
 	}
@@ -339,11 +357,11 @@ func acquireTokenForAzureArc(ctx context.Context, client Client, resource string
 		return base.AuthResult{}, err
 	}
 
-	tokenResponse, err := client.getTokenForRequest(secondRequest)
+	tokenResponse, err := c.getTokenForRequest(secondRequest)
 	if err != nil {
 		return base.AuthResult{}, err
 	}
-	return authResultFromToken(client.authParams, tokenResponse)
+	return authResultFromToken(c.authParams, tokenResponse)
 }
 
 func authResultFromToken(authParams authority.AuthParams, token accesstokens.TokenResponse) (base.AuthResult, error) {
@@ -377,7 +395,7 @@ func (c Client) retry(maxRetries int, req *http.Request) (*http.Response, error)
 	var resp *http.Response
 	var err error
 	for attempt := 0; attempt < maxRetries; attempt++ {
-		tryCtx, tryCancel := context.WithTimeout(req.Context(), time.Second*15)
+		tryCtx, tryCancel := context.WithTimeout(req.Context(), time.Minute)
 		defer tryCancel()
 		if resp != nil && resp.Body != nil {
 			_, _ = io.Copy(io.Discard, resp.Body)
@@ -446,6 +464,31 @@ func (c Client) getTokenForRequest(req *http.Request) (accesstokens.TokenRespons
 	return r, err
 }
 
+func createAppServiceAuthRequest(ctx context.Context, id ID, resource string) (*http.Request, error) {
+	identityEndpoint := os.Getenv(identityEndpointEnvVar)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, identityEndpoint, nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("X-IDENTITY-HEADER", os.Getenv(identityHeaderEnvVar))
+	q := req.URL.Query()
+	q.Set("api-version", appServiceAPIVersion)
+	q.Set("resource", resource)
+	switch t := id.(type) {
+	case UserAssignedClientID:
+		q.Set(miQueryParameterClientId, string(t))
+	case UserAssignedResourceID:
+		q.Set(miQueryParameterResourceId, string(t))
+	case UserAssignedObjectID:
+		q.Set(miQueryParameterObjectId, string(t))
+	case systemAssignedValue:
+	default:
+		return nil, fmt.Errorf("unsupported type %T", id)
+	}
+	req.URL.RawQuery = q.Encode()
+	return req, nil
+}
+
 func createIMDSAuthRequest(ctx context.Context, id ID, resource string) (*http.Request, error) {
 	msiEndpoint, err := url.Parse(imdsDefaultEndpoint)
 	if err != nil {
@@ -459,7 +502,7 @@ func createIMDSAuthRequest(ctx context.Context, id ID, resource string) (*http.R
 	case UserAssignedClientID:
 		msiParameters.Set(miQueryParameterClientId, string(t))
 	case UserAssignedResourceID:
-		msiParameters.Set(miQueryParameterResourceId, string(t))
+		msiParameters.Set(miQueryParameterResourceIdIMDS, string(t))
 	case UserAssignedObjectID:
 		msiParameters.Set(miQueryParameterObjectId, string(t))
 	case systemAssignedValue: // not adding anything