[FEATURE REQ] Support custom Client App ID in DefaultAzureCredential (currently hard-coded to use the az cli client ID) #17427

Closed
ohadschn opened this issue Dec 9, 2020 · 7 comments
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-author-feedback Workflow: More information is needed from author to address the issue. no-recent-activity There has been no recent activity on this issue.

Comments

@ohadschn

ohadschn commented Dec 9, 2020

Library or service name.
Azure.Identity

Is your feature request related to a problem? Please describe.
We have strict control over some of our AAD apps, where we allow only specific client IDs to access them.
Specifically, we do not allow the Azure CLI Client ID (04b07795-8ddb-461a-bbee-02f9e1bf7b46).

Unfortunately, when using DefaultAzureCredential, there is no way to specify the client ID to use:

```csharp
public const string DeveloperSignOnClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
```

Adding something like a ClientAppId property to DefaultAzureCredentialOptions would be great (and I imagine not too hard to implement).

@ghost ghost added the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Dec 9, 2020
@ohadschn ohadschn changed the title [FEATURE REQ] Support custom Client App ID in DefaultAzureCredential (currently hard-coded to use az cli's) [FEATURE REQ] Support custom Client App ID in DefaultAzureCredential (currently hard-coded to use the az cli client ID) Dec 9, 2020
@jsquire jsquire added Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-team-triage Workflow: This issue needs the team to triage. labels Dec 9, 2020
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Dec 9, 2020
@jsquire
Member

jsquire commented Dec 9, 2020

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@christothes
Member

Some credentials used by DefaultAzureCredential can be configured with a ClientId via the options. Is there a specific scenario where you've found this not to be possible?

@christothes christothes added the issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close. label Nov 2, 2021
@ghost

ghost commented Nov 2, 2021

Hi @ohadschn. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text “/unresolve” to remove the “issue-addressed” label and continue the conversation.

@ghost ghost removed the needs-team-triage Workflow: This issue needs the team to triage. label Nov 2, 2021
@ohadschn
Author

ohadschn commented Nov 4, 2021

> Some credentials used by DefaultAzureCredential can be configured with a ClientId via the options. Is there a specific scenario where you've found this not to be possible?

It looks like things have changed since I opened this bug, specifically InteractiveBrowserCredentialClientId and ManagedIdentityClientId which look great. I guess I'd have to exclude all the others though to make sure e.g. token is not taken from cache with the wrong ClientId, which would be a shame if I had the right token in the cache for some reason...

How about something like a unified ClientId instead (or in addition, where the above specific ones can override it), where the same order of credentials is tried (environment, managed identity, etc) and the first one which is successful for that Client ID takes?

@ohadschn
Author

ohadschn commented Nov 4, 2021

/unresolve

@ghost ghost added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close. labels Nov 4, 2021
@christothes
Member

> It looks like things have changed since I opened this bug, specifically InteractiveBrowserCredentialClientId and ManagedIdentityClientId which look great. I guess I'd have to exclude all the others though to make sure e.g. token is not taken from cache with the wrong ClientId, which would be a shame if I had the right token in the cache for some reason...

Could you talk a bit more about how the current configuration options prevent using the intended ClientId in your specific scenario? For example, in a production scenario, I would think that you'd have a very specific credential to target, such as ManagedIdentity. In a development scenario, you'd have control over which credential would be selected based on your dev environment configuration. My assumption is that it should be rare that the intended credential (and in effect the intended ClientId) in the chain is not chosen.

Another thing to consider is that if you need more control over the credential chain and how it is configured, the ChainedTokenCredential is intended exactly for that. DefaultAzureCredential is definitely the most convenient option, but is not intended for scenarios where total control over the configuration is necessary.
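
The ChainedTokenCredential route from the comment above, with each credential in the chain pinned to a known client ID and a client-side check of which client the returned token was issued to. This is an added example, not code from the thread or from the Azure SDK; the client IDs, tenant ID, class name and method names are placeholders made up here, and the claim check assumes the access token is an unencrypted JWT.

```csharp
using System;
using System.Linq;
using System.Text.Json;
using Azure.Core;
using Azure.Identity;

static class PinnedClientIdCredential
{
    // Constructed placeholders: the client IDs your AAD app is configured to accept.
    const string ManagedIdentityClientId = "11111111-1111-1111-1111-111111111111";
    const string DevSignInClientId = "22222222-2222-2222-2222-222222222222";
    const string TenantId = "<tenant-id>";
    static readonly string[] Allowed = { ManagedIdentityClientId, DevSignInClientId };

    // Explicit chain: every member is pinned to a known client ID, so nothing
    // falls back to the Azure CLI client ID or to a shared token cache.
    public static TokenCredential Build() => new ChainedTokenCredential(
        new ManagedIdentityCredential(ManagedIdentityClientId),
        new InteractiveBrowserCredential(new InteractiveBrowserCredentialOptions
        {
            ClientId = DevSignInClientId,
            TenantId = TenantId,
        }));

    // Diagnostic check: read the client ID claim from the JWT payload
    // ("appid" in v1.0 tokens, "azp" in v2.0) and compare with the allow-list.
    public static bool IssuedToAllowedClient(AccessToken token)
    {
        string[] parts = token.Token.Split('.');
        if (parts.Length != 3) return false; // not a three-part JWT
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        foreach (string claim in new[] { "appid", "azp" })
            if (doc.RootElement.TryGetProperty(claim, out JsonElement v)
                && v.ValueKind == JsonValueKind.String
                && Allowed.Contains(v.GetString(), StringComparer.OrdinalIgnoreCase))
                return true;
        return false;
    }

    // Fail closed if the chain ever returns a token for an unexpected client.
    public static AccessToken GetCheckedToken(string scope)
    {
        AccessToken token = Build().GetToken(new TokenRequestContext(new[] { scope }), default);
        if (!IssuedToAllowedClient(token))
            throw new InvalidOperationException("Token was issued to an unexpected client ID.");
        return token;
    }
}
```

The protected AAD app still enforces its own client ID allow-list; the claim check only surfaces a misconfigured chain on the caller's side before the request is sent.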

@christothes christothes added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Nov 4, 2021
@ghost ghost removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Nov 4, 2021
@ghost ghost added the no-recent-activity There has been no recent activity on this issue. label Nov 12, 2021
@ghost

ghost commented Nov 12, 2021

Hi, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@ghost ghost closed this as completed Nov 26, 2021
@github-actions github-actions bot locked and limited conversation to collaborators Mar 28, 2023