[FEATURE REQ] [Identity] Support non-microsoft tenants #19443
Comments
Related draft PR jongio/azidext#41
@andboyer this is an area we plan to improve starting in our upcoming May release
Hi @joshfree, I tried the PR; both the StaticTokenCredential and the OnBehalfOfFlowCredential are not what I want. The StaticTokenCredential in the PR is a simple wrapper for an access token only; it lacks the ability to acquire a new token when the access token has expired. The OnBehalfOfFlowCredential in the PR requires a clientSecret, which is supposed to be an AAD application.
I also noticed the new changes in 1.3.0-Beta2: added new APIs for authenticating users with DeviceCodeCredential, InteractiveBrowserCredential and UsernamePasswordCredential. I want to convert the AuthenticationRecord to a profile saved on the IntelliJ plugin side (authority/environment, client id, tenant id, email) and save the AuthenticationRecord/refresh_token in the TokenCache (by azure-identity), so that the next time IntelliJ IDEA restarts I can use the saved profile to create a new credential. SharedTokenCacheCredential seems to be the right one, but if I use SharedTokenCacheCredential, the tenant id might be tricky: the tenant id passed to SharedTokenCacheCredential is a filter that matches the exact tenant id used when saving the AuthenticationRecord, but the refresh token in the AuthenticationRecord may support multiple tenants, so I have no way of generating an access token for another tenant from an existing AuthenticationRecord/refresh_token with an alternative tenant id.
@andxu support for multi-tenant authentication has been released in version 1.4.0 of azure-identity. You can pass the tenant id in the TokenRequestContext:

```java
TokenRequestContext trc = new TokenRequestContext()
    .addScopes("<Scopes>")
    .setTenantId("<Tenant-Id>");
tokenCredential.getToken(trc);
```

Let us know if you have any further questions.
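The following is an added example, not code from this issue or from azure-identity itself, that combines the two points raised in the thread: the per-request tenant id that 1.4.0 exposes through TokenRequestContext.setTenantId, and the token-refresh-on-expiry behaviour that the plain token wrapper in the draft PR lacked. The class name MultiTenantCachingCredential, the five-minute refresh window, the ARM scope string and the placeholder tenant ids are assumptions for illustration; the inner credential is the real AzureCliCredential, so running main() requires a signed-in az CLI.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.AzureCliCredentialBuilder;
import reactor.core.publisher.Mono;

import java.time.Duration;
import java.time.OffsetDateTime;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical wrapper (not part of azure-identity): keeps one AccessToken per
 * (tenant, scopes) pair and asks the inner credential for a fresh one before the
 * cached token expires. The tenant id is part of the cache key so a token minted
 * for one tenant is never handed to a caller that asked for another.
 */
public final class MultiTenantCachingCredential implements TokenCredential {
    // Assumed refresh margin: treat a token as stale this long before its expiry.
    private static final Duration REFRESH_WINDOW = Duration.ofMinutes(5);

    private final TokenCredential inner;
    private final Map<String, AccessToken> cache = new ConcurrentHashMap<>();

    public MultiTenantCachingCredential(TokenCredential inner) {
        this.inner = inner;
    }

    @Override
    public Mono<AccessToken> getToken(TokenRequestContext request) {
        String key = cacheKey(request);
        AccessToken cached = cache.get(key);
        if (cached != null && !needsRefresh(cached)) {
            return Mono.just(cached);
        }
        // Delegate to the inner credential; the tenant id set on the request
        // (TokenRequestContext.setTenantId, azure-identity 1.4.0+) is honoured by it.
        return inner.getToken(request).doOnNext(token -> cache.put(key, token));
    }

    /** Cache key = tenant id (or a marker for the credential's default) + sorted scopes. */
    static String cacheKey(TokenRequestContext request) {
        String tenant = request.getTenantId() == null ? "<default-tenant>" : request.getTenantId();
        List<String> scopes = new ArrayList<>(request.getScopes());
        Collections.sort(scopes);
        return tenant + "|" + String.join(" ", scopes);
    }

    /** True when the token is expired or will expire inside the refresh window. */
    static boolean needsRefresh(AccessToken token) {
        return token.getExpiresAt().minus(REFRESH_WINDOW).isBefore(OffsetDateTime.now());
    }

    public static void main(String[] args) {
        TokenCredential credential =
            new MultiTenantCachingCredential(new AzureCliCredentialBuilder().build());

        // Placeholder tenant ids (assumed); replace with the tenants the signed-in account can access.
        for (String tenant : List.of("<tenant-a-id>", "<tenant-b-id>")) {
            TokenRequestContext trc = new TokenRequestContext()
                .addScopes("https://management.azure.com/.default")
                .setTenantId(tenant);
            AccessToken token = credential.getToken(trc).block();
            System.out.printf("tenant %s: token expires at %s%n", tenant, token.getExpiresAt());
        }
    }
}
```

The second call for the same tenant and scopes is served from the cache until five minutes before expiry; a request for a different tenant id misses the cache and goes back to the inner credential, which is the behaviour the original issue was asking for.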
@g2vinay great, thank you for the good news
```java
new VisualStudioCodeCredentialBuilder().build()
```

while in VS Code I signed in with an account which is not a Microsoft tenant (72f988bf-86f1-41af-91ab-2d7cd011db47); it will report an error for listing tenants:
The third case: the Azure CLI credential doesn't support a tenant; actually we can get an access token through:

```shell
az account get-access-token -t xxxx
```

The 4th case: for SharedTokenCacheCredential, we cannot list the accounts saved in the TokenCache; I have to use very strange logic to get the cached accounts: https://github.com/microsoft/azure-maven-plugins/blob/andy-wip2/azure-toolkit-libs/azure-toolkit-auth-lib/src/main/java/com/microsoft/azure/toolkit/lib/auth/core/visualstudio/VisualStudioAccountEntityBuilder.java#L61
Summary
To provide an access token, we need to specify the following properties:
TokenCredential has enveloped the D; in most cases the client id is implied, but the tenant id is hard for apps using azure-identity to provide, and it can be populated through the list-tenants call, so I want azure-identity: