`az ad app permission grant` should preserve existing `oauth2PermissionGrant`

[jiasli]

Symptom

In the current az ad app permission grant, to order to keep idempotence, before creating oauth2PermissionGrant, existing grants with matched clientId and resourceId are removed:

azure-cli/src/azure-cli/azure/cli/command_modules/role/custom.py

Lines 1012 to 1013 in fd4b5f1

	to_delete = [p.object_id for p in grant_permissions if p.client_id == client_sp_object_id and
	p.resource_id == associated_sp_object_id]

This deletes too many oauth2PermissionGrants as Graph API does support multiple grants with the same clientId and resourceId:

> az ad app permission list-grants --id 2636614c-010c-49b2-ac23-f61d80a5b529 --show-resource-name
[
  {
    "clientId": "b25985a8-9d2b-4fde-9fa7-6c4e43a8ddec",
    "consentType": "AllPrincipals",
    "id": "qIVZsiud3k-fp2xOQ6jd7InI76O38TJFngGR4y0QOfQ",
    "principalId": null,
    "resourceDisplayName": "Microsoft Graph",
    "resourceId": "a3efc889-f1b7-4532-9e01-91e32d1039f4",
    "scope": "user_impersonation User.Read"
  },
  {
    "clientId": "b25985a8-9d2b-4fde-9fa7-6c4e43a8ddec",
    "consentType": "Principal",
    "id": "qIVZsiud3k-fp2xOQ6jd7InI76O38TJFngGR4y0QOfQ0hSwYE_R8SJGjet3IDjXV",
    "principalId": "182c8534-f413-487c-91a3-7addc80e35d5",
    "resourceDisplayName": "Microsoft Graph",
    "resourceId": "a3efc889-f1b7-4532-9e01-91e32d1039f4",
    "scope": "user_impersonation User.Read"
  },
  {
    "clientId": "b25985a8-9d2b-4fde-9fa7-6c4e43a8ddec",
    "consentType": "Principal",
    "id": "qIVZsiud3k-fp2xOQ6jd7InI76O38TJFngGR4y0QOfTTWOHn3HzNR4glWFnXqytV",
    "principalId": "e7e158d3-7cdc-47cd-8825-5859d7ab2b55",
    "resourceDisplayName": "Microsoft Graph",
    "resourceId": "a3efc889-f1b7-4532-9e01-91e32d1039f4",
    "scope": "user_impersonation User.Read"
  }
]

Based on Update a delegated permission grant (oAuth2PermissionGrant) API which only supports updating scope and the above observation, the primary key is the combination of all clientId, consentType, principalId, resourceId.

If the grant exists, the command fails with

Bad Request({"error":{"code":"Request_BadRequest","message":"Permission entry already exists.","innerError":{"date":"2022-01-13T09:57:53","request-id":"3e6a27ff-d875-4737-88d1-cd0a4ef092f7","client-request-id":"3e6a27ff-d875-4737-88d1-cd0a4ef092f7"}}})

Solution

az ad app permission grant should not over-delete existing grants.

[jiasli]

@psignoret, could you help confirm my observation?

Also, is there any documentation describing how id in the grant is computed?

  "id": "qIVZsiud3k-fp2xOQ6jd7InI76O38TJFngGR4y0QOfQ0hSwYE_R8SJGjet3IDjXV",

[psignoret]

@jiasli

How id is generated is an internal implementation detail, and is not publicly documented.

It is true that we currently enforce uniqueness by (clientId, resourceId, consentType, principalId). Strictly speaking, this uniqueness behavior isn't guaranteed (i.e. it's not documented or defined as part of the API contract), but we have no current plans to change this.

[jiasli]

Great! Thanks @psignoret for the confirmation and I will use (clientId, resourceId, consentType, principalId) combination for filtering.