Add support for Azure Cosmos DB for Table Entra auth (#38121)

Author: seesharprun

sdk/tables/azure-data-tables/CHANGELOG.md

@@ -6,6 +6,7 @@
 * Added to support custom encoder in entity CRUD operations.
 * Added to support custom Entity type.
 * Added to support Entity property in Tuple and Enum types.
+* Added support for Microsoft Entra auth with Azure Cosmos DB for Table's OAuth scope (`https://cosmos.azure.com/.default`).
 
 ### Bugs Fixed
 * Fixed a bug in encoder when Entity property has "@odata.type" provided.

sdk/tables/azure-data-tables/assets.json

@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "python",
   "TagPrefix": "python/tables/azure-data-tables",
-  "Tag": "python/tables/azure-data-tables_1fb1a4af1a"
+  "Tag": "python/tables/azure-data-tables_032477adf3"
 }

sdk/tables/azure-data-tables/azure/data/tables/_authentication.py

@@ -19,7 +19,7 @@
 
 from ._common_conversion import _sign_string
 from ._error import _wrap_exception
-from ._constants import STORAGE_OAUTH_SCOPE
+from ._constants import STORAGE_OAUTH_SCOPE, COSMOS_OAUTH_SCOPE
 
 
 class AzureSigningError(ClientAuthenticationError):
@@ -236,11 +236,15 @@ def _configure_credential(credential: None) -> None: ...
 
 
 def _configure_credential(
-    credential: Optional[Union[AzureNamedKeyCredential, AzureSasCredential, TokenCredential, SharedKeyCredentialPolicy]]
+    credential: Optional[
+        Union[AzureNamedKeyCredential, AzureSasCredential, TokenCredential, SharedKeyCredentialPolicy]
+    ],
+    cosmos_endpoint: bool = False,
 ) -> Optional[Union[BearerTokenChallengePolicy, AzureSasCredentialPolicy, SharedKeyCredentialPolicy]]:
     if hasattr(credential, "get_token"):
         credential = cast(TokenCredential, credential)
-        return BearerTokenChallengePolicy(credential, STORAGE_OAUTH_SCOPE)
+        scope = COSMOS_OAUTH_SCOPE if cosmos_endpoint else STORAGE_OAUTH_SCOPE
+        return BearerTokenChallengePolicy(credential, scope)
     if isinstance(credential, SharedKeyCredentialPolicy):
         return credential
     if isinstance(credential, AzureSasCredential):

sdk/tables/azure-data-tables/azure/data/tables/_base_client.py

@@ -223,7 +223,7 @@ def _format_url(self, hostname):
         return f"{self.scheme}://{hostname}{self._query_str}"
 
     def _configure_policies(self, **kwargs):
-        credential_policy = _configure_credential(self.credential)
+        credential_policy = _configure_credential(self.credential, self._cosmos_endpoint)
         return [
             RequestIdPolicy(**kwargs),
             StorageHeadersPolicy(**kwargs),

sdk/tables/azure-data-tables/azure/data/tables/_constants.py

@@ -13,6 +13,7 @@
 DEFAULT_COSMOS_ENDPOINT_SUFFIX = "cosmos.azure.com"
 
 STORAGE_OAUTH_SCOPE = "https://storage.azure.com/.default"
+COSMOS_OAUTH_SCOPE = "https://cosmos.azure.com/.default"
 
 NEXT_TABLE_NAME = "x-ms-continuation-NextTableName"
 NEXT_PARTITION_KEY = "x-ms-continuation-NextPartitionKey"

sdk/tables/azure-data-tables/azure/data/tables/aio/_authentication_async.py

@@ -10,7 +10,7 @@
 from azure.core.pipeline import PipelineResponse, PipelineRequest
 from azure.core.pipeline.policies import AsyncBearerTokenCredentialPolicy
 
-from .._constants import STORAGE_OAUTH_SCOPE
+from .._constants import STORAGE_OAUTH_SCOPE, COSMOS_OAUTH_SCOPE
 from .._authentication import _HttpChallenge, AzureSasCredentialPolicy, SharedKeyCredentialPolicy
 
 
@@ -94,11 +94,13 @@ def _configure_credential(credential: None) -> None: ...
 def _configure_credential(
     credential: Optional[
         Union[AzureNamedKeyCredential, AzureSasCredential, AsyncTokenCredential, SharedKeyCredentialPolicy]
-    ]
+    ],
+    cosmos_endpoint: bool = False,
 ) -> Optional[Union[AsyncBearerTokenChallengePolicy, AzureSasCredentialPolicy, SharedKeyCredentialPolicy]]:
     if hasattr(credential, "get_token"):
         credential = cast(AsyncTokenCredential, credential)
-        return AsyncBearerTokenChallengePolicy(credential, STORAGE_OAUTH_SCOPE)
+        scope = COSMOS_OAUTH_SCOPE if cosmos_endpoint else STORAGE_OAUTH_SCOPE
+        return AsyncBearerTokenChallengePolicy(credential, scope)
     if isinstance(credential, SharedKeyCredentialPolicy):
         return credential
     if isinstance(credential, AzureSasCredential):

sdk/tables/azure-data-tables/azure/data/tables/aio/_base_client_async.py

@@ -216,7 +216,7 @@ def _format_url(self, hostname):
         return f"{self.scheme}://{hostname}{self._query_str}"
 
     def _configure_policies(self, **kwargs):
-        credential_policy = _configure_credential(self.credential)
+        credential_policy = _configure_credential(self.credential, self._cosmos_endpoint)
         return [
             RequestIdPolicy(**kwargs),
             StorageHeadersPolicy(**kwargs),

sdk/tables/azure-data-tables/tests/test_table_client_async.py

@@ -518,7 +518,6 @@ async def test_table_service_client_with_token_credential(
 
         async with TableServiceClient(base_url, credential=default_azure_credential) as client:
             await client.create_table(table_name)
-            name_filter = "TableName eq '{}'".format(table_name)
             count = 0
             result = client.query_tables(name_filter)
             async for table in result:

sdk/tables/azure-data-tables/tests/test_table_client_cosmos.py

@@ -362,11 +362,10 @@ def test_table_service_client_with_sas_token_credential(
     @cosmos_decorator
     @recorded_by_proxy
     def test_table_client_with_token_credential(self, tables_cosmos_account_name, tables_primary_cosmos_account_key):
-        # DefaultAzureCredential doesn't work on Cosmos
         base_url = self.account_url(tables_cosmos_account_name, "cosmos")
         table_name = self.get_resource_name("mytable")
         default_azure_credential = self.get_token_credential()
-        sas_token = self.generate_sas(
+        self.sas_token = self.generate_sas(
             generate_account_sas,
             tables_primary_cosmos_account_key,
             resource_types=ResourceTypes.from_string("sco"),
@@ -375,41 +374,50 @@ def test_table_client_with_token_credential(self, tables_cosmos_account_name, ta
         )
 
         with TableClient(base_url, table_name, credential=default_azure_credential) as client:
-            with pytest.raises(HttpResponseError) as ex:
-                client.create_table()
-            ex_msg = "Authorization header doesn't confirm to the required format. Please verify and try again."
-            assert ex_msg in str(ex.value)
+            table = client.create_table()
+            assert table.name == table_name
 
         with TableClient.from_table_url(f"{base_url}/{table_name}", credential=default_azure_credential) as client:
-            with pytest.raises(HttpResponseError) as ex:
-                client.create_table()
-            ex_msg = "Authorization header doesn't confirm to the required format. Please verify and try again."
-            assert ex_msg in str(ex.value)
+            entities = client.query_entities(
+                query_filter="PartitionKey eq @pk",
+                parameters={"pk": "dummy-pk"},
+            )
+            for e in entities:
+                pass
 
-        with TableClient(f"{base_url}/?{sas_token}", table_name, credential=default_azure_credential) as client:
-            with pytest.raises(HttpResponseError) as ex:
-                client.create_table()
-            ex_msg = "Authorization header doesn't confirm to the required format. Please verify and try again."
-            assert ex_msg in str(ex.value)
+        # DefaultAzureCredential is actually in use
+        with TableClient(f"{base_url}/?{self.sas_token}", table_name, credential=default_azure_credential) as client:
+            entities = client.query_entities(
+                query_filter="PartitionKey eq @pk",
+                parameters={"pk": "dummy-pk"},
+                raw_request_hook=self.check_request_auth,
+            )
+            for e in entities:
+                pass
 
+        # DefaultAzureCredential is actually in use
         with TableClient.from_table_url(
-            f"{base_url}/{table_name}?{sas_token}", credential=default_azure_credential
+            f"{base_url}/{table_name}?{self.sas_token}", credential=default_azure_credential
         ) as client:
-            with pytest.raises(HttpResponseError) as ex:
-                client.create_table()
-            ex_msg = "Authorization header doesn't confirm to the required format. Please verify and try again."
-            assert ex_msg in str(ex.value)
+            entities = client.query_entities(
+                query_filter="PartitionKey eq @pk",
+                parameters={"pk": "dummy-pk"},
+                raw_request_hook=self.check_request_auth,
+            )
+            for e in entities:
+                pass
+            client.delete_table()
 
     @cosmos_decorator
     @recorded_by_proxy
     def test_table_service_client_with_token_credential(
         self, tables_cosmos_account_name, tables_primary_cosmos_account_key
     ):
-        # DefaultAzureCredential doesn't work on Cosmos
         base_url = self.account_url(tables_cosmos_account_name, "cosmos")
         table_name = self.get_resource_name("mytable")
         default_azure_credential = self.get_token_credential()
-        sas_token = self.generate_sas(
+        name_filter = "TableName eq '{}'".format(table_name)
+        self.sas_token = self.generate_sas(
             generate_account_sas,
             tables_primary_cosmos_account_key,
             resource_types=ResourceTypes.from_string("sco"),
@@ -418,16 +426,24 @@ def test_table_service_client_with_token_credential(
         )
 
         with TableServiceClient(base_url, credential=default_azure_credential) as client:
-            with pytest.raises(HttpResponseError) as ex:
-                client.create_table(table_name)
-            ex_msg = "Authorization header doesn't confirm to the required format. Please verify and try again."
-            assert ex_msg in str(ex.value)
-
-        with TableServiceClient(f"{base_url}/?{sas_token}", credential=default_azure_credential) as client:
-            with pytest.raises(HttpResponseError) as ex:
-                client.create_table(table_name)
-            ex_msg = "Authorization header doesn't confirm to the required format. Please verify and try again."
-            assert ex_msg in str(ex.value)
+            client.create_table(table_name)
+            result = client.query_tables(name_filter)
+            assert len(list(result)) == 1
+
+        # DefaultAzureCredential is actually in use
+        with TableServiceClient(f"{base_url}/?{self.sas_token}", credential=default_azure_credential) as client:
+            entities = client.get_table_client(table_name).query_entities(
+                query_filter="PartitionKey eq @pk",
+                parameters={"pk": "dummy-pk"},
+                raw_request_hook=self.check_request_auth,
+            )
+            for e in entities:
+                pass
+            client.delete_table(table_name)
+
+    def check_request_auth(self, pipeline_request):
+        assert self.sas_token not in pipeline_request.http_request.url
+        assert pipeline_request.http_request.headers.get("Authorization") is not None
 
     @cosmos_decorator
     @recorded_by_proxy

sdk/tables/azure-data-tables/tests/test_table_client_cosmos_async.py

@@ -376,11 +376,10 @@ async def test_table_service_client_with_sas_token_credential(
     async def test_table_client_with_token_credential(
         self, tables_cosmos_account_name, tables_primary_cosmos_account_key
     ):
-        # DefaultAzureCredential doesn't work on Cosmos
         base_url = self.account_url(tables_cosmos_account_name, "cosmos")
         table_name = self.get_resource_name("mytable")
         default_azure_credential = self.get_token_credential()
-        sas_token = self.generate_sas(
+        self.sas_token = self.generate_sas(
             generate_account_sas,
             tables_primary_cosmos_account_key,
             resource_types=ResourceTypes.from_string("sco"),
@@ -389,43 +388,52 @@ async def test_table_client_with_token_credential(
         )
 
         async with TableClient(base_url, table_name, credential=default_azure_credential) as client:
-            with pytest.raises(HttpResponseError) as ex:
-                await client.create_table()
-            ex_msg = "Authorization header doesn't confirm to the required format. Please verify and try again."
-            assert ex_msg in str(ex.value)
+            table = await client.create_table()
+            assert table.name == table_name
 
         async with TableClient.from_table_url(
             f"{base_url}/{table_name}", credential=default_azure_credential
         ) as client:
-            with pytest.raises(HttpResponseError) as ex:
-                await client.create_table()
-            ex_msg = "Authorization header doesn't confirm to the required format. Please verify and try again."
-            assert ex_msg in str(ex.value)
+            entities = client.query_entities(
+                query_filter="PartitionKey eq @pk",
+                parameters={"pk": "dummy-pk"},
+            )
+            async for e in entities:
+                pass
 
-        async with TableClient(f"{base_url}/?{sas_token}", table_name, credential=default_azure_credential) as client:
-            with pytest.raises(HttpResponseError) as ex:
-                await client.create_table()
-            ex_msg = "Authorization header doesn't confirm to the required format. Please verify and try again."
-            assert ex_msg in str(ex.value)
+        async with TableClient(
+            f"{base_url}/?{self.sas_token}", table_name, credential=default_azure_credential
+        ) as client:
+            entities = client.query_entities(
+                query_filter="PartitionKey eq @pk",
+                parameters={"pk": "dummy-pk"},
+                raw_request_hook=self.check_request_auth,
+            )
+            async for e in entities:
+                pass
 
         async with TableClient.from_table_url(
-            f"{base_url}/{table_name}?{sas_token}", credential=default_azure_credential
+            f"{base_url}/{table_name}?{self.sas_token}", credential=default_azure_credential
         ) as client:
-            with pytest.raises(HttpResponseError) as ex:
-                await client.create_table()
-            ex_msg = "Authorization header doesn't confirm to the required format. Please verify and try again."
-            assert ex_msg in str(ex.value)
+            entities = client.query_entities(
+                query_filter="PartitionKey eq @pk",
+                parameters={"pk": "dummy-pk"},
+                raw_request_hook=self.check_request_auth,
+            )
+            async for e in entities:
+                pass
+            await client.delete_table()
 
     @cosmos_decorator_async
     @recorded_by_proxy_async
     async def test_table_service_client_with_token_credential(
         self, tables_cosmos_account_name, tables_primary_cosmos_account_key
     ):
-        # DefaultAzureCredential doesn't work on Cosmos
         base_url = self.account_url(tables_cosmos_account_name, "cosmos")
         table_name = self.get_resource_name("mytable")
         default_azure_credential = self.get_token_credential()
-        sas_token = self.generate_sas(
+        name_filter = "TableName eq '{}'".format(table_name)
+        self.sas_token = self.generate_sas(
             generate_account_sas,
             tables_primary_cosmos_account_key,
             resource_types=ResourceTypes.from_string("sco"),
@@ -434,16 +442,28 @@ async def test_table_service_client_with_token_credential(
         )
 
         async with TableServiceClient(base_url, credential=default_azure_credential) as client:
-            with pytest.raises(HttpResponseError) as ex:
-                await client.create_table(table_name)
-            ex_msg = "Authorization header doesn't confirm to the required format. Please verify and try again."
-            assert ex_msg in str(ex.value)
-
-        async with TableServiceClient(f"{base_url}/?{sas_token}", credential=default_azure_credential) as client:
-            with pytest.raises(HttpResponseError) as ex:
-                await client.create_table(table_name)
-            ex_msg = "Authorization header doesn't confirm to the required format. Please verify and try again."
-            assert ex_msg in str(ex.value)
+            await client.create_table(table_name)
+            name_filter = "TableName eq '{}'".format(table_name)
+            count = 0
+            result = client.query_tables(name_filter)
+            async for table in result:
+                count += 1
+            assert count == 1
+
+        # DefaultAzureCredential is actually in use
+        async with TableServiceClient(f"{base_url}/?{self.sas_token}", credential=default_azure_credential) as client:
+            entities = client.get_table_client(table_name).query_entities(
+                query_filter="PartitionKey eq @pk",
+                parameters={"pk": "dummy-pk"},
+                raw_request_hook=self.check_request_auth,
+            )
+            async for e in entities:
+                pass
+            client.delete_table(table_name)
+
+    def check_request_auth(self, pipeline_request):
+        assert self.sas_token not in pipeline_request.http_request.url
+        assert pipeline_request.http_request.headers.get("Authorization") is not None
 
     @cosmos_decorator_async
     @recorded_by_proxy_async