[Identity] Add support for Managed Identity regional AAD authentication endpoints #15762

Closed
sadasant opened this issue Jun 16, 2021 · 0 comments · Fixed by #15778

sadasant commented Jun 16, 2021

From: #14210

Feature: Add support for Managed Identity regional AAD authentication endpoints #20027

  • The [guidance] from the Azure IAM wiki for service teams using MI is to authenticate using a regional endpoint (e.g. https://eastus2euap.login.microsoft.com). However, the MSAL example given in the wiki uses APIs that are not currently exposed/used by [MsalConfidentialClient], namely `WithAuthority(Uri, bool)` and `WithInstanceDiscoveryMetadata(string)`.
  • Today, when using the regional AAD endpoint with Azure.Identity (using a [ClientCertificateCredential]), we see an error: "Application error - the login request was malformed and could not be matched with an existing authentication endpoint or instance." The error goes away when using a global endpoint (https://login.microsoftonline.com/).

.NET’s PR: Azure/azure-sdk-for-net#21590

@sadasant sadasant added Client This issue points to a problem in the data-plane of the library. Azure.Identity labels Jun 16, 2021
@sadasant sadasant added this to the [2021] July milestone Jun 16, 2021
@sadasant sadasant self-assigned this Jun 16, 2021
@ghost ghost closed this as completed in #15778 Jun 18, 2021
ghost pushed a commit that referenced this issue Jun 18, 2021

Added regional STS support to client credential types.
- Added the `RegionalAuthority` type, which allows specifying Azure regions.
- Added `regionalAuthority` property to `ClientSecretCredentialOptions` and `ClientCertificateCredentialOptions`.
- If instead of a region, `autoDiscoverRegion` is specified as the value for `regionalAuthority`, MSAL will be used to attempt to discover the region.
- A region can also be specified through the `AZURE_REGIONAL_AUTHORITY_NAME` environment variable.

Fixes #15762 
Fixes #15714
openapi-sdkautomation bot pushed a commit to AzureSDKAutomation/azure-sdk-for-js that referenced this issue Sep 8, 2021
Use IncidentSeverity in IncidentInfo (Azure#15762)

Co-authored-by: Anat Gilenson <anatgilenson@microsoft.com>
@github-actions github-actions bot locked and limited conversation to collaborators Apr 11, 2023