[Feature Request] Add cert validation for MI auth in Service Fabric #654
Comments
No wonder we were not aware of this feature requirement when we researched the prior art in Azure Identity for Python. And, that also means MSAL Python's current Managed Identity behavior is on par with Azure Identity's status quo.
Marking this a bug, as it is inconsistent with Azure SDK's managed identity implementation, which we try to replace. This is a GA blocker.
For Java and .NET it's a bug since the behavior doesn't match what's in Azure SDK, but for Python (and Node) Azure SDK's implementation doesn't currently validate the cert, so the current behavior technically is consistent. However, they also have an issue on their backlog to add this validation, and I believe it's a blocker for them as well: Azure/azure-sdk-for-python#33431
Disabling cert validation is our behavior today. Given that, I don't think this is a GA blocker.
And if you want to discuss more details, let's use emails.
MSAL client type
Managed identity
Problem Statement
According to the managed identity docs for Service Fabric, there is an environment variable called "IDENTITY_SERVER_THUMBPRINT": https://learn.microsoft.com/en-us/azure/service-fabric/how-to-managed-identity-service-fabric-app-code#acquiring-an-access-token-using-rest-api
And per those docs, the thumbprint should be used as part of the steps to retrieve a token:
Proposed solution
The docs don't describe what 'appropriate' validation entails, however Azure Identity does perform this step for the Java and .NET libraries:
Unfortunately for Python they have not implemented any validation logic to copy, and simply hardcode the relevant 'connection_verify' flag to false.
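The following is an added example of what the requested validation could look like in Python; it is not MSAL Python's or Azure Identity's code. The Service Fabric identity endpoint presents a self-signed certificate, so ordinary chain validation cannot be used; instead the SHA-1 thumbprint of the presented certificate is compared against IDENTITY_SERVER_THUMBPRINT after the TLS handshake and before any request bytes (in particular the IDENTITY_HEADER secret) are sent. The names IDENTITY_ENDPOINT, IDENTITY_HEADER, the "Secret" request header and the api-version value are taken from the Service Fabric managed identity docs as I understand them and should be treated as assumptions; only stdlib modules are used.

```python
import hashlib
import http.client
import json
import os
import ssl
from urllib.parse import urlencode, urlsplit


def normalize_thumbprint(value: str) -> str:
    """Strip separators and whitespace and upper-case, so 'ab:cd ef' == 'ABCDEF'."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


def compute_thumbprint(der_cert: bytes) -> str:
    """SHA-1 over the DER encoding, which is what Windows / Service Fabric
    tooling displays as the certificate 'thumbprint'."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def thumbprint_matches(der_cert: bytes, expected: str) -> bool:
    """Constant-format comparison of a presented cert against the pinned value."""
    return compute_thumbprint(der_cert) == normalize_thumbprint(expected)


def pinned_https_connection(url: str, expected_thumbprint: str,
                            timeout: float = 10.0) -> http.client.HTTPSConnection:
    """Open a TLS connection and reject it unless the peer certificate's
    thumbprint equals expected_thumbprint. Chain/hostname validation is
    disabled because the endpoint's certificate is self-signed; pinning
    replaces it rather than leaving the connection unauthenticated."""
    parts = urlsplit(url)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       context=ctx, timeout=timeout)
    conn.connect()  # handshake only; nothing application-level is sent yet
    der = conn.sock.getpeercert(binary_form=True)
    if der is None or not thumbprint_matches(der, expected_thumbprint):
        conn.close()
        raise ssl.SSLCertVerificationError(
            "identity endpoint certificate thumbprint does not match "
            "IDENTITY_SERVER_THUMBPRINT")
    return conn


def acquire_token(resource: str) -> dict:
    """Request a managed identity token from the Service Fabric endpoint,
    pinned to IDENTITY_SERVER_THUMBPRINT. Environment variable names and the
    'Secret' header are assumptions based on the Service Fabric MI docs."""
    endpoint = os.environ["IDENTITY_ENDPOINT"]
    secret = os.environ["IDENTITY_HEADER"]
    thumbprint = os.environ["IDENTITY_SERVER_THUMBPRINT"]
    api_version = os.environ.get("IDENTITY_API_VERSION", "2019-07-01-preview")

    conn = pinned_https_connection(endpoint, thumbprint)
    try:
        path = urlsplit(endpoint).path + "?" + urlencode(
            {"api-version": api_version, "resource": resource})
        conn.request("GET", path, headers={"Secret": secret})
        resp = conn.getresponse()
        body = resp.read()
        if resp.status != 200:
            raise RuntimeError(f"token request failed: {resp.status} {body[:200]!r}")
        return json.loads(body)
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed demo: the thumbprint of arbitrary bytes, not a real cert.
    print(compute_thumbprint(b"abc"))
```

The important ordering is in pinned_https_connection: the thumbprint check runs after connect() but before request(), so a mismatching endpoint never receives the IDENTITY_HEADER secret or the resource being requested. A mismatch surfaces as ssl.SSLCertVerificationError, which callers that already handle TLS failures will catch without special-casing.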