Support Tenant Id Challenges / Hints #21378
Conversation
_options = options ??= new TokenCredentialOptions(); | ||
_pipeline = CredentialPipeline.GetInstance(options); | ||
_allowMultiTenantAuthentication = options?.AllowMultiTenantAuthentication ?? true; | ||
_pipeline = CredentialPipeline.GetInstance(options ?? new TokenCredentialOptions()); |
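Review bot: once `_options = options ??= new TokenCredentialOptions();` has run, `options` can no longer be null, so the `options?.AllowMultiTenantAuthentication ?? true` on the following line is unreachable null-handling and reads as if a second, permissive default (`true`) lived in the constructor. Simplify it to `_allowMultiTenantAuthentication = options.AllowMultiTenantAuthentication;` and keep the one documented default on the `TokenCredentialOptions` property, so the tenant-switching default the thread is debating is visible in exactly one place.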
Passing null, as opposed to a TokenCredentialOptions, uses the singleton instance of CredentialPipeline; this would change that behavior.
I may be missing something, but I believe this should have the same behavior as what is there currently:
azure-sdk-for-net/sdk/identity/Azure.Identity/src/AuthorizationCodeCredential.cs
Lines 88 to 89 in 658dbd4
options ??= new TokenCredentialOptions();
_pipeline = CredentialPipeline.GetInstance(options);
@christothes, I don't want to be a pain in the ass, and so I really didn't want to even mention this, but when you get a minute would you be able to comment on my questions here? For an example of the impact that I'm concerned about, the SqlClient library recently added support for enabling the use of DefaultAzureCredentials via the SQL connection string, but there's no way to customize the chosen providers or set these new

Thanks for taking the time to help me understand the reason for the default choices :)
Hi @ericsampson - The default behavior is to avoid breaking changes or authorization requests for unexpected tenants. For example, sending an unauthenticated initial request where that didn't happen previously, or sending token requests to a tenant that you do not wish to share PII details with. Environment or AppConfig settings can be configured in a variety of ways depending on how your service is deployed to Azure, but that seems outside the scope of this PR :)
The focus of these changes is to add the tenant discovery capability to Azure.Identity.
It also implements a new auth policy in all Azure.Storage clients that implement this capability.
#19404
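The tenant-hint handling that the description and the default-behavior reply above talk about, modelled as an added example in Python. This is not the Azure.Identity or Azure.Storage code from this PR: the challenge header layout, the `FakeStorageResource`, the `token_for` stand-in and the `allow_multi_tenant` / `probe_anonymously` knobs are assumptions made for the illustration. It makes both costs from the reply observable: an up-front anonymous probe is an extra request the older policy never sent, and following a hint means a token request leaves for a tenant the caller never configured, so the hint is honoured only when the caller opted in.

```python
"""Added illustration of tenant-hint handling in a bearer-token policy.

Not the Azure.Identity / Azure.Storage code from this PR: the challenge
layout, the fake resource and the option names below are assumptions
made for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

HOME_TENANT = "22222222-2222-2222-2222-222222222222"   # tenant the app configured
HINT_TENANT = "11111111-1111-1111-1111-111111111111"   # tenant the resource lives in

_PARAM = re.compile(r'(\w+)="?([^",\s]+)"?')
_TENANT_IN_URI = re.compile(r"^https://login\.microsoftonline\.com/([^/]+)/")


def challenge_for(tenant: str) -> str:
    """Constructed 401 challenge naming the tenant the resource wants (assumed shape)."""
    return ('Bearer authorization_uri="https://login.microsoftonline.com/'
            f'{tenant}/oauth2/authorize", resource_id="https://storage.azure.com"')


def parse_challenge(header: Optional[str]) -> Dict[str, str]:
    """Split a Bearer challenge into its parameters, quotes stripped."""
    if not header or not header.startswith("Bearer "):
        return {}
    return {m.group(1): m.group(2) for m in _PARAM.finditer(header[len("Bearer "):])}


def tenant_hint(header: Optional[str]) -> Optional[str]:
    """Tenant named by authorization_uri, or None when absent or malformed."""
    uri = parse_challenge(header).get("authorization_uri")
    m = _TENANT_IN_URI.match(uri) if uri else None
    return m.group(1) if m else None


def resolve_tenant(configured: str, hint: Optional[str], allow_multi_tenant: bool) -> str:
    """Pick the tenant for the token request.

    A hint that differs from the configured tenant is followed only when the
    caller opted in; otherwise the configured tenant wins, so no token request
    is sent to a tenant the caller never named.
    """
    if hint is None or hint == configured:
        return configured
    return hint if allow_multi_tenant else configured


def token_for(tenant: str) -> str:
    """Stand-in for the credential's token request to the chosen tenant."""
    return f"token-for-{tenant}"


class FakeStorageResource:
    """Constructed endpoint: accepts one tenant, answers anything else with 401 + hint."""

    def __init__(self, accepted_tenant: str) -> None:
        self.accepted_tenant = accepted_tenant
        self.calls: List[Optional[str]] = []   # bearer tokens seen; None = anonymous

    def get(self, bearer: Optional[str]) -> Tuple[int, Optional[str]]:
        self.calls.append(bearer)
        if bearer == token_for(self.accepted_tenant):
            return 200, None
        return 401, challenge_for(self.accepted_tenant)


def send_with_tenant_discovery(resource: FakeStorageResource, configured: str,
                               allow_multi_tenant: bool,
                               probe_anonymously: bool = False) -> Tuple[int, List[str]]:
    """One request through a challenge-aware policy.

    Returns the final status and the tenants a token was requested for, so the
    caller can see exactly which tenants the credential talked to.
    """
    requested: List[str] = []

    def authed_get(tenant: str) -> Tuple[int, Optional[str]]:
        requested.append(tenant)
        return resource.get(token_for(tenant))

    if probe_anonymously:
        # Discovery up front: an extra unauthenticated request the old policy never made.
        _, challenge = resource.get(None)
        tenant = resolve_tenant(configured, tenant_hint(challenge), allow_multi_tenant)
        status, _ = authed_get(tenant)
        return status, requested

    # Try the configured tenant first; only a 401 with a usable hint triggers a retry.
    status, challenge = authed_get(configured)
    if status == 401:
        retry = resolve_tenant(configured, tenant_hint(challenge), allow_multi_tenant)
        if retry != configured:
            status, _ = authed_get(retry)
    return status, requested


if __name__ == "__main__":
    for allow in (False, True):
        res = FakeStorageResource(HINT_TENANT)
        print(allow, send_with_tenant_discovery(res, HOME_TENANT, allow))
```

With `allow_multi_tenant=False` the hint is parsed but ignored, the call fails with 401 and the only token ever requested is for the configured tenant; with it set to `True` the policy retries once against the hinted tenant, which is exactly the extra token request the reply describes as the reason for a conservative default.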