Labels
Enhancement 💡 Issues that are feature requests for the drivers we maintain. Up-for-Grabs 🙌 Issues that are ready to be picked up for anyone interested. Please self-assign and remove the label.
Description
Is your feature request related to a problem? Please describe.
Currently FIC is supported by using workload identity; however, it's not compatible with (or are there any existing solutions?) using managed identity directly (FIC + MSI), so we need to write our own SqlAuthenticationProvider everywhere and override an existing authentication method.
Describe the solution you'd like
Add a new authentication method to support FIC + MSI.
Basically we'll need a SqlAuthenticationProvider that gets authentication results using ClientAssertionCredential and ManagedIdentityCredential:

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;

internal class FICAuthProvider : SqlAuthenticationProvider
{
    private const string DefaultScopeSuffix = "/.default";

    public override async Task<SqlAuthenticationToken> AcquireTokenAsync(SqlAuthenticationParameters parameters)
    {
        // We can reuse existing environment variables or use new ones
        var msiClientId = Environment.GetEnvironmentVariable("SOME_NEW_ENV_KEY");
        var aadAppClientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        var resourceTenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");

        // The managed identity token is presented as the app registration's client assertion
        var assertion = new ClientAssertionCredential(
            resourceTenantId,
            aadAppClientId,
            async (token) => await GetManagedIdentityToken(msiClientId));

        // Request exactly the SQL audience the driver asked for, appending "/.default" only when missing
        var scopes = new[] { parameters.Resource.EndsWith(DefaultScopeSuffix) ? parameters.Resource : parameters.Resource + DefaultScopeSuffix };
        var token = await assertion.GetTokenAsync(new TokenRequestContext(scopes));
        return new SqlAuthenticationToken(token.Token, token.ExpiresOn);

        // Local function: acquire the MSI token for the token-exchange audience
        static async Task<string> GetManagedIdentityToken(string msiClientId)
        {
            return (await new ManagedIdentityCredential(msiClientId)
                .GetTokenAsync(new TokenRequestContext(new[] { "api://AzureADTokenExchange/.default" }))
                .ConfigureAwait(false)).Token;
        }
    }

    public override bool IsSupported(SqlAuthenticationMethod authenticationMethod)
    {
        // Add new member for SqlAuthenticationMethod
        return authenticationMethod == SqlAuthenticationMethod.FederatedIdentityCredentials;
    }
}
```

Describe alternatives you've considered
N/A
Additional context
N/A
emil-eklund
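The workaround the request refers to, wired end to end, as an added example that is not code from the issue or the driver: the FIC + MSI provider is registered over the existing Active Directory Managed Identity method with SqlAuthenticationProvider.SetProvider, so no connection string or config file ever carries a secret. It assumes an app registration whose federated identity credential trusts the user-assigned managed identity; FicViaMsiAuthProvider, MSI_CLIENT_ID and the server and database placeholders are assumed names.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;

// Assumed setup: an app registration whose federated identity credential trusts the
// user-assigned managed identity, so the MSI token can serve as the app's client assertion.
internal sealed class FicViaMsiAuthProvider : SqlAuthenticationProvider
{
    private readonly ClientAssertionCredential _credential;

    public FicViaMsiAuthProvider(string tenantId, string appClientId, string msiClientId)
    {
        var msi = new ManagedIdentityCredential(msiClientId);
        // No client secret or certificate anywhere: the assertion is minted by the platform.
        _credential = new ClientAssertionCredential(tenantId, appClientId, async ct =>
            (await msi.GetTokenAsync(
                new TokenRequestContext(new[] { "api://AzureADTokenExchange/.default" }), ct)).Token);
    }

    public override async Task<SqlAuthenticationToken> AcquireTokenAsync(SqlAuthenticationParameters parameters)
    {
        // parameters.Resource is the SQL audience; request exactly that scope, nothing wider.
        var scope = parameters.Resource.EndsWith("/.default", StringComparison.Ordinal)
            ? parameters.Resource : parameters.Resource + "/.default";
        var token = await _credential.GetTokenAsync(new TokenRequestContext(new[] { scope }))
            .ConfigureAwait(false);
        return new SqlAuthenticationToken(token.Token, token.ExpiresOn);
    }

    // Workaround: claim the existing managed-identity method so the driver routes it here.
    public override bool IsSupported(SqlAuthenticationMethod method) =>
        method == SqlAuthenticationMethod.ActiveDirectoryManagedIdentity;
}

internal static class Program
{
    private static async Task Main()
    {
        // MSI_CLIENT_ID is a placeholder variable name; the other two follow the Azure SDK's conventions.
        SqlAuthenticationProvider.SetProvider(SqlAuthenticationMethod.ActiveDirectoryManagedIdentity,
            new FicViaMsiAuthProvider(
                Environment.GetEnvironmentVariable("AZURE_TENANT_ID")!,
                Environment.GetEnvironmentVariable("AZURE_CLIENT_ID")!,
                Environment.GetEnvironmentVariable("MSI_CLIENT_ID")!));
        // The connection string carries no credential; the overridden method selects the provider.
        await using var conn = new SqlConnection(
            "Server=tcp:<server>.database.windows.net,1433;Database=<db>;Authentication=Active Directory Managed Identity;Encrypt=True;");
        await conn.OpenAsync();
    }
}
```

Because the override is process-wide, every connection in the process that selects Active Directory Managed Identity now authenticates as the app registration rather than the MSI itself, which is the reason the request asks for a dedicated method instead.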