
Implement OnBehalfOfCredential #22146

Merged: 31 commits, Sep 4, 2021

Conversation

Member

@christothes christothes commented Jun 24, 2021

  • Introduces the OnBehalfOfCredential and the supporting property RefreshOn on AccessToken.
  • Changes to BearerTokenAuthorizationPolicy to bypass internal token cache when RefreshOn is DateTimeOffset.MinValue on the AccessToken

resolves #16264
closes #21941
#19404

@@ -7,6 +7,7 @@
- Added support to `ManagedIdentityCredential` for Bridge to Kubernetes local development authentication.
- TenantId values returned from service challenge responses can now be used to request tokens from the correct tenantId. To support this feature, there is a new `AllowMultiTenantAuthentication` option on `TokenCredentialOptions`.
- By default, `AllowMultiTenantAuthentication` is false. When this option property is false and the tenant Id configured in the credential options differs from the tenant Id set in the `TokenRequestContext` sent to a credential, an `AuthorizationFailedException` will be thrown. This is potentially breaking change as it could be a different exception than what was thrown previously. This exception behavior can be overridden by either setting an `AppContext` switch named "Azure.Identity.EnableLegacyTenantSelection" to `true` or by setting the environment variable "AZURE_IDENTITY_ENABLE_LEGACY_TENANT_SELECTION" to "true". Note: AppContext switches can also be configured via configuration like below:
- Added `OnBehalfOfFlowCredential` which enables support for AAD On-Behalf-Of (OBO) flow. See the [Azure Active Directory documentation](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow) to learn more about OBO flow scenarios.
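Review bot: the new changelog line names the credential `OnBehalfOfFlowCredential`, while the PR title and description introduce `OnBehalfOfCredential`; the entry should use the public type name that actually ships so the changelog matches the API surface. Note also that the preceding entry ends in "like below:" and the new line is inserted directly after it, so check that the configuration example that entry refers to still follows it rather than the new OBO line.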
Contributor


I think this feature deserves a sample.

Member Author


Agreed - I plan to add one in a follow-up PR

@christothes christothes marked this pull request as draft June 29, 2021 23:07
/// <summary>
/// Will include x5c header in client claims when acquiring a token to enable subject name / issuer based authentication for the <see cref="ClientCertificateCredential"/>.
/// </summary>
public bool SendCertificateChain { get; set; }
Member


Should we throw if this option is set and the OnBehalfOfCredential is being constructed with a client secret? If we don't will MSAL throw when we request the token?

Member Author


We go down a different constructor path that doesn't read that option if you use the client secret public ctor.
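A usage sample for the credential this PR introduces and for the SendCertificateChain point discussed just above, added here as an illustration and not code from the PR itself. It assumes the Azure.Identity API shape as released (a constructor taking tenantId, clientId, a client secret or an X509Certificate2, the user assertion and optional OnBehalfOfCredentialOptions); tenant, client id and scope values are placeholders.

```csharp
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Added sample, not the PR's own code. Placeholder values are marked with <...>.
static class OboSample
{
    // The middle-tier API's own app registration (placeholders, not real values).
    const string TenantId = "<tenant-id>";
    const string ClientId = "<middle-tier-client-id>";

    // Downstream scope the middle tier needs on the user's behalf (placeholder).
    static readonly string[] DownstreamScopes = { "api://<downstream-app-id>/.default" };

    // userAssertion is the access token the caller presented to this API. The
    // hosting framework must already have validated it (signature, audience,
    // expiry) before it is forwarded here as the assertion for the OBO exchange.
    public static async Task<AccessToken> GetDownstreamTokenWithSecretAsync(
        string userAssertion, string clientSecret, CancellationToken ct)
    {
        // Client-secret constructor: takes the options-free overload; this code
        // path never reads SendCertificateChain.
        var credential = new OnBehalfOfCredential(TenantId, ClientId, clientSecret, userAssertion);
        return await credential.GetTokenAsync(new TokenRequestContext(DownstreamScopes), ct);
    }

    // Certificate variant: SendCertificateChain only has an effect here, where the
    // x5c header enables subject name / issuer based authentication.
    public static async Task<AccessToken> GetDownstreamTokenWithCertificateAsync(
        string userAssertion, X509Certificate2 clientCertificate, CancellationToken ct)
    {
        var options = new OnBehalfOfCredentialOptions { SendCertificateChain = true };
        var credential = new OnBehalfOfCredential(
            TenantId, ClientId, clientCertificate, userAssertion, options);
        return await credential.GetTokenAsync(new TokenRequestContext(DownstreamScopes), ct);
    }
}
```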

@check-enforcer

check-enforcer bot commented Sep 3, 2021

This pull request is protected by Check Enforcer.


string clientId,
string clientSecret,
string userAssertion,
OnBehalfOfCredentialOptions options = null)
Member


nit: why does this ctor use a default parameter where the ctor which takes an X509Cert has an explicit overload?

@christothes christothes merged commit 7649803 into Azure:main Sep 4, 2021
azure-sdk pushed a commit to azure-sdk/azure-sdk-for-net that referenced this pull request Jan 12, 2023
fix cadl sample (Azure#22146)

* fix

* Update Widgets_ListWidgetsSample.json

* Update Widgets_ListWidgetsSample.json