Skip to content

fix: resolve EntraOBOToken dependency injection through MultiAuth#3609

Merged
jlowin merged 8 commits intoPrefectHQ:mainfrom
jer805:fix-dependency-injection
Mar 25, 2026
Merged

fix: resolve EntraOBOToken dependency injection through MultiAuth#3609
jlowin merged 8 commits intoPrefectHQ:mainfrom
jer805:fix-dependency-injection

Conversation

@jer805
Copy link
Copy Markdown
Contributor

@jer805 jer805 commented Mar 24, 2026

Description

Closes #3605

This PR adds a helper to unwrap MultiAuth before retrieving OBO credentials, so that injecting EntraOBOToken as a dependency no longer fails at runtime.

Root cause

_EntraOBOToken performs a strict isinstance(server.auth, AzureProvider) check that rejects MultiAuth even when it wraps an AzureProvider.

Changes

Adds _find_azure_provider() in azure.py that returns an AzureProvider directly if the auth provider is one, or unwraps it from MultiAuth.server. _EntraOBOToken.__aenter__ now uses this helper instead of the strict isinstance check.

Tests

Added unit tests for _find_azure_provider covering direct, wrapped, None, and non-Azure cases.

Contribution type

  • Bug fix (simple, well-scoped fix for a clearly broken behavior)
  • Documentation improvement
  • Enhancement (maintainers typically implement enhancements — see CONTRIBUTING.md)

Checklist

  • This PR addresses an existing issue (or fixes a self-evident bug)
  • I have read CONTRIBUTING.md
  • I have added tests that cover my changes
  • I have run uv run prek run --all-files and all checks pass
  • I have self-reviewed my changes
  • If I used an LLM, it followed the repo's contributing conventions (not generic output)

@marvin-context-protocol marvin-context-protocol Bot added bug Something isn't working. Reports of errors, unexpected behavior, or broken functionality. auth Related to authentication (Bearer, JWT, OAuth, WorkOS) for client or server. labels Mar 24, 2026
jlowin
jlowin requested changes Mar 25, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@jlowin jlowin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this!

Minor stylistic point - unless it causes a circular import (I don't think it will) repo convention requires imports at the top of the file.

In addition note this only applies to one level of multiauth nesting, which is probably fine in practice.

@jer805 jer805 requested a review from jlowin March 25, 2026 07:53
@jlowin jlowin merged commit 492db99 into PrefectHQ:main Mar 25, 2026
7 checks passed
jlowin added a commit that referenced this pull request Mar 30, 2026
@jlowin @claude
@voidborne-d @marvin-context-protocol @dependabot @strawgate @Sumanshu-Nankana @ericrobinson-indeed @martimfasantos @mtthidoteu @saschabuehrle @hkc5 @nightcityblade @mhallo @zzstoatzz @shulkx @radoshi @shigechika @jer805 @pandego @4444J99 @mostafa6765
Publish docs for v3.2.0 (#3713)
3a9717e 
Co-authored-by: Claude Opus 4.6 <[email protected]>
Co-authored-by: Jeremiah Lowin <[email protected]>
Co-authored-by: Marvin Context Protocol <41898282+Marvin Context [email protected]>
Co-authored-by: voidborne-d <[email protected]>
Co-authored-by: marvin-context-protocol[bot] <225465937+marvin-context-protocol[bot]@users.noreply.github.com>
Co-authored-by: Claude <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: d 🔹 <[email protected]>
Co-authored-by: Jeremiah Lowin <[email protected]>
Co-authored-by: nightcityblade <[email protected]>
Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Co-authored-by: Claude Sonnet 4.6 <[email protected]>
Co-authored-by: Bill Easton <[email protected]>
Co-authored-by: Sumanshu Nankana <[email protected]>
Co-authored-by: Eric Robinson <[email protected]>
Co-authored-by: Martim Santos <[email protected]>
Co-authored-by: d 🔹 <[email protected]>
Co-authored-by: Matthieu B <[email protected]>
Co-authored-by: Sascha Buehrle <[email protected]>
Co-authored-by: Hakancan <[email protected]>
Co-authored-by: nightcityblade <[email protected]>
Co-authored-by: Matt Hallowell <[email protected]>
Co-authored-by: nate nowack <[email protected]>
Co-authored-by: Bill Easton <[email protected]>
Co-authored-by: Marcus Shu <[email protected]>
Co-authored-by: Rushabh Doshi <[email protected]>
Co-authored-by: AIKAWA Shigechika <[email protected]>
Co-authored-by: Jeremy Simon <[email protected]>
Co-authored-by: Miguel Miranda Dias <[email protected]>
Co-authored-by: Anthony James Padavano <[email protected]>
Co-authored-by: Mostafa Kamal <[email protected]>
Fix auto-close MRE script posting comment without closing (#3386)
Fix WorkOS token scope verification bypass 🤖 Generated with Codex (#3407)
Fix initialize McpError fallthrough 🤖 Generated with Codex (#3413)
Fix transform arg collisions with passthrough params (#3431)
Fix get_* returning None when latest version is disabled (#3439)
Fix get_* returning None when latest version is disabled (#3421)
Fix server lifespan overlap teardown (#3415)
Fix $ref output schema object detection regression (#3420)
resolved annotations (#3429)
Fix async partial callables rejected by iscoroutinefunction (#3438)
Fix async partial callables rejected by iscoroutinefunction (#3423)
fix: add version to components (#3458)
fix: use intent-based flag for OIDC scope patch in load_access_token (#3465)
Fixes #3461
fix: normalize Google scope shorthands and surface valid_scopes (#3477)
fix: resolve ty 0.0.23 type-checking errors and bump pin (#3481)
fix: shield lifespan teardown from cancellation (#3480)
fix: forward custom_route endpoints from mounted servers (#3462)
fix updates _get_additional_http_routes() to traverse providers,
Fixes #3457
fix: remove hardcoded version from CLI help text (#3456)
fix: monty 0.0.8 compatibility, drop external_functions from constructor (#3468)
fix: task test teardown hanging 5s per test (#3499)
Closes #3498
fix: validate workspace path is a directory before cursor install (#3440)
Fixes #3426
fix: handle re.error from malformed URI templates in build_regex (#3501)
fix: reject empty/OIDC-only required_scopes in AzureProvider (#3503)
fix: restrict $ref resolution to local refs only (SSRF/LFI) (#3502)
fix warnings and timeouts (#3504)
close upgrade check issue when build passes (#3505)
Closes #3484
fix: URL-encode path params to prevent SSRF/path traversal (GHSA-vv7q-7jx5-f767) (#3507)
fix: prevent path traversal in skill download (#3493)
fix: prefer IdP-granted scopes over client-requested scopes in OAuthProxy (#3492)
fix: remove unrelated transform and http.py changes from PR scope
fix: remove forced follow_redirects from httpx_client_factory calls (#3496)
fix: stop passing follow_redirects to httpx_client_factory
fix: restore follow_redirects=True for custom httpx client factories
Closes #3509
fix: CSRF double-submit cookie check in consent flow (#3519)
fix: validate server names in install commands (#3522)
fix: use raw strings for regex in pytest.raises match (#3523)
fix: reject refresh tokens used as Bearer access tokens (#3524)
fix: route ResourcesAsTools/PromptsAsTools through server middleware (#3495)
fix: resolve Pyright "Module is not callable" on @tool, @resource, @prompt decorators (#3540)
fix: filter warnings by message in KEY_PREFIX test (#3549)
fix: suppress output schema for ToolResult subclass annotations (#3548)
fix: increase sleep duration in proxy cache tests (#3567)
fix: store absolute token expiry to prevent stale expires_in on reload (#3572)
fix: preserve tool properties named 'title' during schema compression (#3582)
Fix loopback redirect URI port matching per RFC 8252 §7.3 (#3589)
Fix app tool routing: visibility check and middleware propagation (#3591)
Fix query parameter serialization to respect OpenAPI explode/style settings (#3595)
Fix dev apps form: union types, textarea support, JSON parsing (#3597)
fix(google): replace deprecated /oauth2/v1/tokeninfo with /oauth2/v3/userinfo (#3603)
fix: resolve EntraOBOToken dependency injection through MultiAuth (#3609)
fix(docs): correct misleading stateless_http header (#3622)
fix: filesystem provider import machinery (#3626)
Closes #3625 (issues 2, 3, 6)
fix: recover StdioTransport after subprocess exits (#3630)
fix(server): preserve mounted tool task metadata (#3632)
fix: scope deprecation warning filter to FastMCPDeprecationWarning (#3649)
fix imports, add PrefabAppConfig (#3650)
fix: resolve CurrentFastMCP/ctx.fastmcp to child server in mounted background tasks (#3651)
Fix blocking docs issues: chart imports, Select API, Rx consistency (#3652)
closed by default (#3657)
Fix prompt caching middleware missing wrap/unwrap round-trip (#3666)
fix: serialize object query params per OpenAPI style/explode rules (#3662)
Fixes #2857
fix: HTTP request headers not accessible in background task workers (#3631)
fix: restore HTTP headers in worker execution path for background tasks (#3681)
fix: strip discriminator after dereferencing schemas (#3682)
fix: remove stale ty:ignore directives for ty 0.0.26 (#3684)
Fix docs gaps in app provider pages (#3690)
fix: dev apps log panel UX improvements (#3698)
fix dev server empty string args (#3700)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jlowin jlowin jlowin approved these changes

Assignees

No one assigned

Labels

auth Related to authentication (Bearer, JWT, OAuth, WorkOS) for client or server. bug Something isn't working. Reports of errors, unexpected behavior, or broken functionality.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

MultiAuth breaks EntraOBOToken dependency injection

2 participants

@jer805 @jlowin