Azure-cli: az ad app update needs to support set/add of oauth2AllowIdTokenImplicitFlow

Created on 19 Sep 2019 · 4 Comments · Source: Azure/azure-cli

This is autogenerated. Please review and update as needed.

Describe the bug

Now that oauth2AllowIdTokenImplicitFlow is split out of oauth2AllowImplicitFlow, azure-cli needs to support oauth2AllowIdTokenImplicitFlow. Trying to --set or --add the oauth2AllowIdTokenImplicitFlow property results in the errors below.

Command Name
az ad app update

Errors:
1:

pop from empty list
Traceback (most recent call last):
Temp\pip-install-rg707cll\knack\knack\cli.py, ln 206, in invoke
azure\cli\core\commands\__init__.py, ln 603, in execute
azure\cli\core\commands\__init__.py, ln 661, in _run_jobs_serially
azure\cli\core\commands\__init__.py, ln 652, in _run_job
azure\cli\command_modules\role\commands.py, ln 69, in graph_err_handler
azure\cli\core\commands\__init__.py, ln 631, in _run_job
azure\cli\core\commands\__init__.py, ln 306, in __call__
azure\cli\core\commands\arm.py, ln 525, in handler
azure\cli\core\commands\arm.py, ln 806, in set_properties
azure\cli\core\commands\arm.py, ln 968, in _get_name_path
IndexError: pop from empty list

2:

Couldn't find 'oauth2AllowIdTokenImplicitFlow' in ''. Available options: ['allowGuestsSignIn', 'allowPassthroughUsers', 'appLogoUrl', 'appPermissions', 'appRoles', 'availableToOtherTenants', 'displayName', 'errorUrl', 'groupMembershipClaims', 'homepage', 'identifierUris', 'informationalUrls', 'isDeviceOnlyAuthSupported', 'keyCredentials', 'knownClientApplications', 'logoutUrl', 'oauth2AllowImplicitFlow', 'oauth2AllowUrlPathMatching', 'oauth2Permissions', 'oauth2RequirePostResponse', 'optionalClaims', 'orgRestrictions', 'passwordCredentials', 'preAuthorizedApplications', 'publicClient', 'publisherDomain', 'replyUrls', 'requiredResourceAccess', 'samlMetadataUrl', 'signInAudience', 'wwwHomepage']

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • _Put any pre-requisite steps here..._
  • az ad app update --id {} --set "oauth2AllowIdTokenImplicitFlow"="true"
  • az ad app update --id {} --add "oauth2AllowIdTokenImplicitFlow"="true"

Expected Behavior

Environment Summary

Windows-10-10.0.18362-SP0
Python 3.6.6
Shell: powershell.exe

azure-cli 2.0.73
azure-cli-iot-ext 0.8.0

Extensions:
azure-cli-iot-ext 0.8.0

Additional Context


Graph Service Attention

All 4 comments

Is this issue being looked at? The workarounds to use graph instead of the az cli are not fantastic at all.

Apologies for the delay. Of course you can use Azure CLI. 😊

The MS Graph equivalents of oauth2AllowImplicitFlow and oauth2AllowIdTokenImplicitFlow specified in the app manifest doc are enableAccessTokenIssuance and enableIdTokenIssuance from the implicitGrantSettings resource type.

You may use az rest to call the Update application REST API from MS Graph:

# pwsh
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001' --headers 'Content-Type=application/json' --body '{\"web\":{\"implicitGrantSettings\":{\"enableIdTokenIssuance\":true,\"enableAccessTokenIssuance\":true}}}'

# bash
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001' --headers 'Content-Type=application/json' --body '{"web":{"implicitGrantSettings":{"enableIdTokenIssuance":true,"enableAccessTokenIssuance":true}}}'

You may use one of them or both in the request body. Please note that the ID part in the URL is the object ID of the application. You can retrieve it with the application ID using

az ad app show --id 93dde3da-9fca-47dd-aee2-409b402ffed3 --query objectId

We will track MS Graph issues at https://github.com/Azure/azure-cli/issues/12946
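
The Graph workaround described in the thread, as an added example that is not part of the original comments or of azure-cli: it translates the two manifest property names into the `implicitGrantSettings` PATCH body, builds the `az rest` argument list, and reads both flags back from a fetched application object to confirm what is actually enabled. The function names, the all-zero object ID and the sample application JSON are constructed for illustration.

```python
import json

# Manifest property -> MS Graph implicitGrantSettings property; the
# pairing is the one stated in the comment above.
MANIFEST_TO_GRAPH = {
    "oauth2AllowImplicitFlow": "enableAccessTokenIssuance",
    "oauth2AllowIdTokenImplicitFlow": "enableIdTokenIssuance",
}
GRAPH_APPS = "https://graph.microsoft.com/v1.0/applications"


def build_patch_body(manifest_flags):
    """Translate manifest-style flags into the Graph PATCH body."""
    settings = {}
    for name, value in manifest_flags.items():
        if name not in MANIFEST_TO_GRAPH:
            raise KeyError(f"not an implicit-grant manifest property: {name}")
        if not isinstance(value, bool):
            # Graph expects JSON booleans, not the string "true".
            raise TypeError(f"{name} must be a bool, got {value!r}")
        settings[MANIFEST_TO_GRAPH[name]] = value
    if not settings:
        raise ValueError("nothing to change")
    return {"web": {"implicitGrantSettings": settings}}


def az_rest_argv(object_id, body):
    """Argument list for `az rest`; the body is serialised by json.dumps
    instead of being escaped by hand. object_id is the object ID."""
    return ["az", "rest", "--method", "PATCH",
            "--uri", f"{GRAPH_APPS}/{object_id}",
            "--headers", "Content-Type=application/json",
            "--body", json.dumps(body, separators=(",", ":"))]


def implicit_grant_state(application):
    """Read both flags back from a GET /applications/{id} response."""
    igs = (application.get("web") or {}).get("implicitGrantSettings") or {}
    return {legacy: bool(igs.get(graph_name))
            for legacy, graph_name in MANIFEST_TO_GRAPH.items()}


# Constructed sample values (not taken from the issue).
OBJECT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_APP = {"web": {"implicitGrantSettings": {
    "enableIdTokenIssuance": True, "enableAccessTokenIssuance": False}}}

if __name__ == "__main__":
    print(az_rest_argv(OBJECT_ID, build_patch_body({"oauth2AllowIdTokenImplicitFlow": True})))
    print(implicit_grant_state(SAMPLE_APP))
```

Running `implicit_grant_state` over the application object before and after the PATCH shows whether access-token issuance was enabled along with ID-token issuance, since the two flags are set independently.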
