-
Notifications
You must be signed in to change notification settings - Fork 128
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Discover Key Vault auth scope from challenges #6271
Comments
@chlowell KeyVault has its own challenge-based authentication policy (deriving from BearerTokenAuthenticationPolicy). Lines 69 to 91 in 1243b29
From what I can tell at a quick glance, the initial scope being set here, after calling azure-sdk-for-cpp/sdk/keyvault/azure-security-keyvault-keys/src/key_client.cpp Lines 76 to 81 in 1243b29
It is basically only used in this TokenNeedsRefresh check:azure-sdk-for-cpp/sdk/core/azure-core/src/http/bearer_token_authentication_policy.cpp Lines 67 to 77 in 1243b29
Could you please take a look at the |
Never mind, it looks like that scope is actually being used in the first
And mi cred will throw:
For this step 2 (sending the first request), what should the scope be set to? In GoLang, is it set to nothing/empty string? |
The client doesn't need to call |
Today, Key Vault clients use a heuristic to guess the scope for access tokens given a vault URL:
azure-sdk-for-cpp/sdk/keyvault/azure-security-keyvault-shared/inc/azure/keyvault/shared/keyvault_shared.hpp
Line 27 in 4efb0fc
Clients should instead follow this protocol to discover the scope when sending their first request:
Authorization
headerBearer
challenge from the response'sWWW-Authenticate
headerGetToken
is the challenge'sscope
parameter, or itsresource
parameter +/.default
GetToken
is the first path segment of theauthorization
parameter, which is a URLBearer
challenge or the challenge doesn't containscope
orresource
(see other SDKs' Key Vault auth policies for example implementations)
The text was updated successfully, but these errors were encountered: