feat(tables): Add audience option to TableServiceClientOptions #33802
Conversation
via `audience` client option (by copilot)
…ace and support in both clients This change adds an audience option to the TableServiceClientOptions interface that allows customers to pass a custom scope to override the default scope when using token authentication. - Updated TableServiceClient to use the custom audience if provided - Updated TableClient to use the custom audience if provided - Added unit tests for both client classes to verify the audience option works correctly - Used nullish coalescing operator (??) for more precise handling of audience option
There was a problem hiding this comment.
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Comments suppressed due to low confidence (1)
sdk/tables/data-tables/test/public/endpoint.spec.ts:19
- [nitpick] The outer describe block 'Endpoint tests' is somewhat generic given that the inner tests target both Cosmos and Storage endpoints. Consider using a more descriptive title that encompasses both endpoint types for clarity.
describe(`Endpoint tests`, () => {
|
API change check APIView has identified API level changes in this PR and created following API reviews. |
|
For #33719 |
| @@ -31,6 +31,12 @@ export type TransactionAction = CreateDeleteEntityAction | UpdateEntityAction; | |||
| export type TableServiceClientOptions = CommonClientOptions & { | |||
| endpoint?: string; | |||
| version?: string; | |||
| /** | |||
There was a problem hiding this comment.
It looks like you're deviating from existing patterns, as there's no KnownTablesAudience enum with the scopes. Was that intentional?
Prior art:
There was a problem hiding this comment.
Storage doesn't have a Known* enum. We could add that support if we have a list of known values.
There was a problem hiding this comment.
When we added the support for container registry, we really wished that the service could support a static scope and figured out the proper ones to use by themselves. I bet the work item is still in their backlog somewhere
There was a problem hiding this comment.
Agreed. It would have been a much better experience if there was an approach available to allow any service to infer the proper scope. Unfortunately, the folks who were working on guidance could not come to agreement on a design and the burden remains on callers when using sovereign clouds.
There was a problem hiding this comment.
I asked copilot to ensure "/.default" is appended. Known*Audience can be additive to provide convenience.
This change ensures that when a custom audience is provided for token authentication, it always ends with '/.default'. The fix modifies both TableClient and TableServiceClient to check if the user-provided audience already ends with '/.default', and if not, append it automatically. This improves authentication reliability when working with custom audiences in Azure Tables SDK.
(note from Jeremy: all except this note are created by GitHub CoPilot)
This PR adds an audience option to the TableServiceClientOptions interface that allows customers to pass a custom scope to override the default scope when using token authentication.
Feature
Testing
Unit tests have been added to verify both the default scope selection logic and the custom audience option work as expected.
Documentation
Added JSDoc to explain the new audience option. The option is optional and defaults to the existing behavior.