Implement OnBehalfOfCredential #22146
sdk/core/Azure.Core/src/Pipeline/BearerTokenAuthenticationPolicy.cs
@@ -7,6 +7,7 @@ | |||
- Added support to `ManagedIdentityCredential` for Bridge to Kubernetes local development authentication. | |||
- TenantId values returned from service challenge responses can now be used to request tokens from the correct tenantId. To support this feature, there is a new `AllowMultiTenantAuthentication` option on `TokenCredentialOptions`. | |||
- By default, `AllowMultiTenantAuthentication` is false. When this option property is false and the tenant Id configured in the credential options differs from the tenant Id set in the `TokenRequestContext` sent to a credential, an `AuthorizationFailedException` will be thrown. This is potentially breaking change as it could be a different exception than what was thrown previously. This exception behavior can be overridden by either setting an `AppContext` switch named "Azure.Identity.EnableLegacyTenantSelection" to `true` or by setting the environment variable "AZURE_IDENTITY_ENABLE_LEGACY_TENANT_SELECTION" to "true". Note: AppContext switches can also be configured via configuration like below: | |||
- Added `OnBehalfOfFlowCredential` which enables support for AAD On-Behalf-Of (OBO) flow. See the [Azure Active Directory documentation](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow) to learn more about OBO flow scenarios. |
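Review bot: the added changelog line names the type `OnBehalfOfFlowCredential`, while the PR title and the rest of this thread call it `OnBehalfOfCredential`; one of the two should change so the changelog matches the public type that ships. Also, the preceding entry ends with "Note: AppContext switches can also be configured via configuration like below:" and no configuration snippet follows inside this hunk's context, so verify in the rendered file that the insertion did not land between that sentence and its example.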
I think this feature deserves a sample.
Agreed - I plan to add one in a follow-up PR
sdk/core/Azure.Core/tests/BearerTokenAuthenticationPolicyTests.cs
…ure-sdk-for-net into chriss/OnBehalfOf
/// <summary> | ||
/// Will include x5c header in client claims when acquiring a token to enable subject name / issuer based authentication for the <see cref="ClientCertificateCredential"/>. | ||
/// </summary> | ||
public bool SendCertificateChain { get; set; } |
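Review bot: the XML doc for `SendCertificateChain` should state that the option only has an effect when the credential is constructed with a client certificate. As the thread below confirms, the client-secret constructor takes a path that never reads this option, so a caller who sets it together with a secret gets a silent no-op instead of an error. Suggest either a remarks line such as `/// This option is ignored when the credential is constructed with a client secret.` or an argument check in the secret constructor that rejects the combination.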
Should we throw if this option is set and the OnBehalfOfCredential is being constructed with a client secret? If we don't, will MSAL throw when we request the token?
We go down a different constructor path that doesn't read that option if you use the client-secret public ctor.
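The two constructor paths discussed above, as an added usage example (not code from this PR or from the Azure SDK repository). It assumes the Azure.Identity package exposes the constructor shapes visible in the diff, `(tenantId, clientId, clientSecret, userAssertion, options = null)` and `(tenantId, clientId, X509Certificate2, userAssertion, options)`, plus the `SendCertificateChain` option; the downstream scope and the method names are chosen for illustration.

```csharp
// Added example, not code from the PR or the Azure SDK repo.
// Assumes Azure.Identity with the constructor shapes seen in the PR diff:
//   OnBehalfOfCredential(tenantId, clientId, clientSecret, userAssertion, options = null)
//   OnBehalfOfCredential(tenantId, clientId, X509Certificate2 certificate, userAssertion, options)
// and an OnBehalfOfCredentialOptions.SendCertificateChain property.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class OnBehalfOfSample
{
    // Downstream scope the middle tier wants to call; a typical value, chosen for illustration.
    private const string DownstreamScope = "https://graph.microsoft.com/.default";

    // Client-secret path. userAssertion is the access token the caller presented to this API
    // (the bearer token from its Authorization header). It must already have been validated by
    // this API's own authentication (signature, audience, expiry) before being forwarded to AAD.
    public static async Task<AccessToken> ExchangeWithSecretAsync(
        string tenantId, string clientId, string clientSecret, string userAssertion,
        CancellationToken cancellationToken = default)
    {
        if (string.IsNullOrWhiteSpace(userAssertion))
            throw new ArgumentException("A validated caller token is required.", nameof(userAssertion));

        // SendCertificateChain is not offered here: per the thread, this ctor path never reads it.
        var credential = new OnBehalfOfCredential(tenantId, clientId, clientSecret, userAssertion);
        return await credential.GetTokenAsync(
            new TokenRequestContext(new[] { DownstreamScope }), cancellationToken).ConfigureAwait(false);
    }

    // Certificate path. SendCertificateChain adds the x5c header to the client assertion so AAD can
    // authenticate the app by subject name / issuer instead of by thumbprint, which is what lets a
    // rotated certificate keep working without re-registering the new thumbprint.
    public static async Task<AccessToken> ExchangeWithCertificateAsync(
        string tenantId, string clientId, X509Certificate2 clientCertificate, string userAssertion,
        CancellationToken cancellationToken = default)
    {
        if (string.IsNullOrWhiteSpace(userAssertion))
            throw new ArgumentException("A validated caller token is required.", nameof(userAssertion));

        var options = new OnBehalfOfCredentialOptions { SendCertificateChain = true };
        var credential = new OnBehalfOfCredential(tenantId, clientId, clientCertificate, userAssertion, options);
        return await credential.GetTokenAsync(
            new TokenRequestContext(new[] { DownstreamScope }), cancellationToken).ConfigureAwait(false);
    }
}
```

The guard on `userAssertion` is there because the assertion is the caller's own token: the middle tier should only forward a token it has itself authenticated as issued for this API, never an arbitrary string pulled from the request.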
string clientId, | ||
string clientSecret, | ||
string userAssertion, | ||
OnBehalfOfCredentialOptions options = null) |
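Review bot: `OnBehalfOfCredentialOptions options = null` is a compile-time default, so every caller bakes `null` into its call site and the default can never be changed later without a binary-breaking change; it is also inconsistent with the certificate constructor, which uses an explicit overload. Suggest replacing the default with two explicit overloads here too, one without and one with `OnBehalfOfCredentialOptions`, so the two credential shapes present the same public surface.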
nit: why does this ctor use a default parameter where the ctor which takes an X509Cert has an explicit overload?
`OnBehalfOfCredential` and the supporting property `RefreshOn` on `AccessToken`. `BearerTokenAuthorizationPolicy` to bypass internal token cache when `RefreshOn` is `DateTimeOffset.MinValue` on the `AccessToken`.
resolves #16264
closes #21941
#19404
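A stand-alone model of the cache rule in the description above, added here as an example and not taken from the PR. The `ModelToken` and `ModelTokenCache` types are hypothetical stand-ins for `AccessToken` and the policy's internal cache, so the snippet compiles without the SDK; the description only states the `DateTimeOffset.MinValue` bypass, so the "serve from cache until `RefreshOn`" rule is an assumption added to make the model complete.

```csharp
// Added example, not the PR's code: a minimal model of the cache rule in the description.
// ModelToken / ModelTokenCache are hypothetical stand-ins for Azure.Core's AccessToken and the
// BearerTokenAuthorizationPolicy cache, kept minimal so this compiles without the SDK.
using System;

public readonly struct ModelToken
{
    public ModelToken(string token, DateTimeOffset expiresOn, DateTimeOffset refreshOn)
    {
        Token = token;
        ExpiresOn = expiresOn;
        RefreshOn = refreshOn;
    }

    public string Token { get; }
    public DateTimeOffset ExpiresOn { get; }
    // Sentinel from the description: MinValue means "do not serve this token from the policy cache".
    public DateTimeOffset RefreshOn { get; }

    public bool BypassesCache => RefreshOn == DateTimeOffset.MinValue;
}

public sealed class ModelTokenCache
{
    private readonly Func<ModelToken> _acquire;   // stands in for credential.GetToken
    private ModelToken? _cached;

    // Number of round trips to the credential; lets a caller observe whether caching happened.
    public int AcquireCount { get; private set; }

    public ModelTokenCache(Func<ModelToken> acquire) => _acquire = acquire;

    public ModelToken GetToken(DateTimeOffset now)
    {
        // Serve the cached token only when the credential allowed caching (RefreshOn != MinValue)
        // and neither the refresh time nor the expiry has been reached. The refresh-at-RefreshOn
        // part is an assumption of this model; the MinValue bypass is what the description states.
        if (_cached is ModelToken t && !t.BypassesCache && now < t.RefreshOn && now < t.ExpiresOn)
            return t;

        ModelToken fresh = _acquire();
        AcquireCount++;
        _cached = fresh;
        return fresh;
    }
}

public static class ModelDemo
{
    // Issues three requests against a cache fed by a cacheable token and three against one fed by
    // a MinValue token, and returns how many times each had to go back to the credential.
    public static (int cacheable, int bypassed) Run()
    {
        var now = new DateTimeOffset(2021, 9, 1, 12, 0, 0, TimeSpan.Zero); // constructed sample time

        var cacheable = new ModelTokenCache(() =>
            new ModelToken("cacheable-token", now.AddHours(1), now.AddMinutes(30)));
        var perRequest = new ModelTokenCache(() =>
            new ModelToken("obo-token", now.AddHours(1), DateTimeOffset.MinValue));

        for (int i = 0; i < 3; i++)
        {
            cacheable.GetToken(now.AddMinutes(i));
            perRequest.GetToken(now.AddMinutes(i));
        }
        return (cacheable.AcquireCount, perRequest.AcquireCount);
    }
}
```

Running `ModelDemo.Run()` shows the contrast the description describes: the cacheable token is fetched once and reused within its refresh window, while a token carrying the `MinValue` sentinel is fetched again on every call because the policy is told not to hold it.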