
Azure.Identity Improvements for .NET (June - October 2021) #19404

Closed
4 of 7 tasks
joshfree opened this issue Mar 9, 2021 · 1 comment
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library.

joshfree commented Mar 9, 2021

Azure.Identity June - October 2021 Releases

June Release Cycle - Start Early Feature Design for Nickel Beta-1

Design: Beta-1 Features

  1. Feature: Support Tenant Id Challenges / Hints (tenant-hint.md)

    • Support Key Vaults across multiple tenants
    • Address common issues when customers use VS/VSCode credentials with multiple credentials signed in
  2. Feature: Add support for Managed Identity regional AAD authentication endpoints #20027
    - The guidance from the Azure IAM wiki for service teams using MI is to authenticate using a regional endpoint (e.g. https://eastus2euap.login.microsoft.com). However, the MSAL example given in the wiki uses APIs that are not currently exposed/used by MsalConfidentialClient, namely WithAuthority(Uri, bool) and WithInstanceDiscoveryMetadata(string).
    - Today, when using the regional AAD endpoint with Azure.Identity (using a ClientCertificateCredential), we see an error: "Application error - the login request was malformed and could not be matched with an existing authentication endpoint or instance." The error goes away when using a global endpoint (https://login.microsoftonline.com/).

  3. Feature: Support overriding MSI_ENDPOINT for dev-time debugging for the Azure Kubernetes Service team #670
    - The Bridge to Kubernetes enables a user to natively debug one microservice on their local machine when "bridged" to other microservices running in Kubernetes. AKS is looking for an environment variable that can be overridden to specify a custom managed identity endpoint. This is required so that when the user's locally running code tries to call the managed identity endpoint for a token, they are able to intercept it and redirect the call to the cluster so that the token can be fetched from the endpoint on the cluster.

  4. Feature: Allow Pre-populated account name in browser during interactive login #16983

  5. Nickel Community Feature Requests related to StaticTokenCredential / token helper methods

  • Feature: Expose Credential type for DefaultAzureCredential and ChainedTokenCredential
    - Enables users to know which credential type is being used. #8948
  • Feature: Add new StaticTokenCredential type (prototype PR)
    - Encapsulate an AAD credential with a prefetched token for an AAD application.
  • Request: Add support for fetching an access token from a refresh token
  • Request: provide the functionality of building a token credential from (a: existing credential, b: tenant id) for refresh token based credentials: InteractiveBrowserCredential and DeviceCodeCredential, VisualStudioCodeCredential (request)
  • Request: provide the functionality of setting tenant id for AzureCliCredential (request)
  • Request: provide a valid token in VisualStudioCodeCredentialBuilder without tenant id; using this token we can list the tenants (request)
  • Request: provide the functionality of listing cached account (azure environment, tenant id, user name, client id) for SharedTokenCacheCredential (request)

July Release Cycle - Beta-1 Feature Development

Code: Beta-1 Features

  1. Support Tenant Id Challenges / Hints
  2. Add support for Managed Identity regional AAD authentication endpoints
  3. MSI_ENDPOINT override via an API for the AKS team
  4. Allow Pre-populated account name in browser during interactive login

Design: Beta-2 Features

  1. Feature: Add On-Behalf-Of (OBO) Auth Flow for the Microsoft Graph Team (tracking issue)

  2. Feature: Create AzureApplicationCredential for the MS Graph Team #20364

August Release Cycle - Beta-2 Feature Development

Code: Beta-2 Features

  1. Create AzureApplicationCredential

September Release Cycle - Beta-3 Feature Development

  1. On-Behalf-Of (OBO) Auth Flow Support

  2. Support exchanging k8s token to AAD token

  3. Community Feature Requests related to StaticTokenCredential / Token convenience methods

October Release Cycle - GA Release

  1. Final Review of README.md / Quick Starts / Samples / Documentation for cross-language consistency

November Release Cycle - Buffer

Related Work Items

@joshfree joshfree added Client This issue points to a problem in the data-plane of the library. Epic Azure.Identity labels Mar 9, 2021
@joshfree joshfree added this to the [2021] August milestone Mar 9, 2021
@joshfree joshfree changed the title Azure.Identity Improvements for .NET (May - August 2021) Azure.Identity Improvements for .NET (June - September 2021) May 3, 2021
@ericsampson

Regarding the Tenant ID Challenge feature, are there tickets needed for services that need to send the tenant ID in the challenge header in order to light up this feature? Like SQL Server, Postgres, Service Bus, etc.
