Skip to content

[@azure/cosmos] Add AAD Scope Override and fallback #36024

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 18 commits into from
Oct 9, 2025
Merged

[@azure/cosmos] Add AAD Scope Override and fallback #36024

merged 18 commits into from
Oct 9, 2025

Conversation

@amanrao23
Copy link
Member

@amanrao23 amanrao23 commented Sep 23, 2025

Packages impacted by this PR

@azure/cosmos

Issues associated with this PR

#36015

Describe the problem that is addressed by this PR

Added support for overriding AAD authentication scope via the new aadScope option in CosmosClientOptions. When no custom scope is provided, the system uses the account-specific scope for authentication and implements a fallback mechanism to https://cosmos.azure.com/.default in case of AADSTS500011 errors. When a custom scope is explicitly provided via the aadScope option, no fallback occurs.

What are the possible designs available to address the problem? If there are more than one possible design, why was the one in this PR chosen?

Are there test cases added in this PR? (If not, why?)

Yes

Provide a list of related PRs (if any)

Command used to generate this PR:**(Applicable only to SDK release request PRs)

Checklists

  • Added impacted package name to the issue description
  • Does this PR needs any fixes in the SDK Generator?** (If so, create an Issue in the Autorest/typescript repository and link it here)
  • Added a changelog (if necessary)

Copilot AI review requested due to automatic review settings September 23, 2025 21:45
Copilot AI reviewed Sep 23, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds support for AAD scope override functionality to the Azure Cosmos DB client. The implementation allows users to specify a custom AAD authentication scope while providing a fallback mechanism when using the default account-specific scope.

Key changes include:

  • Addition of the aadScope option to CosmosClientOptions for custom scope specification
  • Implementation of a fallback mechanism from account-specific scope to the default Cosmos scope when encountering AADSTS500011 errors
  • Comprehensive test coverage for the new functionality and sample code demonstrating usage

Reviewed Changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
src/CosmosClientOptions.ts Adds the new aadScope optional property to the client options interface
src/ClientContext.ts Implements the core authentication logic with scope selection and fallback mechanism
src/common/constants.ts Defines the default AAD scope constant
src/CosmosClient.ts Updates JSDoc with example usage of the new AAD scope feature
test/internal/unit/aadScopeOverride.spec.ts Comprehensive unit tests covering scope selection, fallback behavior, and token handling
test/snippets.spec.ts Adds a snippet test demonstrating the AAD scope override usage
samples/ Sample files showing practical usage of the AAD scope override feature
review/cosmos-node.api.md API surface update reflecting the new aadScope option
CHANGELOG.md Documents the new feature addition

@github-actions
Copy link

github-actions bot commented Sep 23, 2025
edited
Loading

API Change Check

APIView identified API level changes in this PR and created the following API reviews

@azure/cosmos

topshot99
topshot99 reviewed Oct 7, 2025
View reviewed changes
topshot99
topshot99 reviewed Oct 7, 2025
View reviewed changes
topshot99
topshot99 reviewed Oct 7, 2025
View reviewed changes
topshot99
topshot99 reviewed Oct 7, 2025
View reviewed changes
topshot99
topshot99 reviewed Oct 7, 2025
View reviewed changes
topshot99
topshot99 reviewed Oct 7, 2025
View reviewed changes
topshot99
topshot99 reviewed Oct 7, 2025
View reviewed changes
Copy link
Member

@topshot99 topshot99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

overall LGTM.
added some comments and also check sdk/cosmosdb/cosmos/test/internal/unit/aadScopeOverride.spec.ts
the test cases there is a scope of refactoring them.

@amanrao23 amanrao23 requested a review from topshot99 October 7, 2025 11:42
@amanrao23 amanrao23 requested a review from topshot99 October 9, 2025 08:10
topshot99
topshot99 approved these changes Oct 9, 2025
View reviewed changes
Copy link
Member

@topshot99 topshot99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@amanrao23 amanrao23 merged commit db79bca into main Oct 9, 2025
10 checks passed
@amanrao23 amanrao23 deleted the cosmosdb/overrride-aad-scope branch October 9, 2025 10:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@sourabh1007 sourabh1007 sourabh1007 approved these changes

@topshot99 topshot99 topshot99 approved these changes

@aditishree1 aditishree1 Awaiting requested review from aditishree1 aditishree1 is a code owner

@sajeetharan sajeetharan Awaiting requested review from sajeetharan sajeetharan is a code owner

Assignees

No one assigned

Labels

Cosmos

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@amanrao23 @sourabh1007 @topshot99