
[FEATURE REQ] DefaultAzureCredential should send x5c claim for app authentication #25822

Closed
trevorlacey-msft opened this issue Dec 9, 2021 · 3 comments
Labels
  - Azure.Identity
  - Client: This issue points to a problem in the data-plane of the library.
  - customer-reported: Issues that are reported by GitHub users external to the Azure organization.
  - needs-team-attention: Workflow: This issue needs attention from Azure service team or SDK team
  - question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@trevorlacey-msft
Contributor

Library name

Azure.Identity

Please describe the feature.

DefaultAzureCredential covers many basic authentication scenarios, including application ID + certificate. However, if the application is configured to use subject name + issuer certificate validation (as opposed to thumbprint validation), DefaultAzureCredential fails because the certificate's x5c claim is never sent to AAD when generating an auth token. Given the increasing number of applications using SNI authentication for automatic certificate rollover support, this scenario should be supported by DefaultAzureCredential.

Proposal
Modify DefaultAzureCredentialOptions to support the option to send the certificate x5c claim by adding an EnvironmentCredentialSendCertificateChain bool property.

Details
When AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_CERTIFICATE_PATH environment variables are set, DefaultAzureCredential creates an EnvironmentCredential which creates a ClientCertificateCredential which creates an MsalConfidentialClient which uses MSAL to conditionally send the x5c claim here. This condition is controlled by ClientCertificateCredentialOptions.SendCertificateChain property.

  1. Add DefaultAzureCredentialOptions.EnvironmentCredentialSendCertificateChain property
  2. Define a new EnvironmentCredentialOptions class with a SendCertificateChain property
  3. Plumb option from DefaultAzureCredentialOptions to ClientCertificateCredentialOptions

Alternative Proposal
Enable ClientCertificateCredentialOptions.SendCertificateChain by default when EnvironmentCredential creates a ClientCertificateCredential.

Reference
Support for SNI was added in PR 14636
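Until the option proposed above is plumbed through DefaultAzureCredentialOptions, the same outcome can be reached by building the certificate credential directly. The following C# is an added example, not code from this issue or from the Azure.Identity library; it assumes only the environment variable names quoted in the issue and the existing ClientCertificateCredentialOptions.SendCertificateChain property, and the factory class name is this example's own.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Hypothetical helper (not part of Azure.Identity): reproduces the
// EnvironmentCredential -> ClientCertificateCredential path the issue
// describes, but with SendCertificateChain switched on so that the x5c
// header is included in the client assertion and subject-name + issuer
// (SNI) validation succeeds instead of failing on a thumbprint lookup.
public static class SniAwareCredentialFactory
{
    public static TokenCredential Create(bool sendCertificateChain = true)
    {
        // Same variables DefaultAzureCredential/EnvironmentCredential read.
        string tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");
        string clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        string certPath = Environment.GetEnvironmentVariable("AZURE_CLIENT_CERTIFICATE_PATH");

        bool certVarsPresent = !string.IsNullOrEmpty(tenantId)
                            && !string.IsNullOrEmpty(clientId)
                            && !string.IsNullOrEmpty(certPath);

        if (certVarsPresent)
        {
            var options = new ClientCertificateCredentialOptions
            {
                // When true, MSAL sends the full certificate chain (x5c claim)
                // with the token request, which AAD needs for SNI validation.
                // This is what EnvironmentCredential leaves at its default.
                SendCertificateChain = sendCertificateChain
            };
            return new ClientCertificateCredential(tenantId, clientId, certPath, options);
        }

        // Every other scenario keeps the normal DefaultAzureCredential chain.
        return new DefaultAzureCredential();
    }

    // Example call site: request a token for a resource scope.
    public static async Task<AccessToken> GetTokenAsync(string scope, CancellationToken ct = default)
    {
        TokenCredential credential = Create(sendCertificateChain: true);
        var context = new TokenRequestContext(new[] { scope });
        return await credential.GetTokenAsync(context, ct);
    }
}
```

If the certificate is registered by thumbprint rather than by subject name and issuer, leaving SendCertificateChain at false keeps the token request smaller; the option only needs to be on for SNI-style app registrations.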

@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Dec 9, 2021
@trevorlacey-msft
Contributor Author

I'd be happy to submit a PR myself if either of these design proposals is acceptable.

@jsquire jsquire added Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Dec 9, 2021
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Dec 9, 2021
@jsquire
Member

jsquire commented Dec 9, 2021

Thank you for your feedback. Tagging and routing to the team members best able to assist.

@trevorlacey-msft
Contributor Author

Feature completed with PR.

@github-actions github-actions bot locked and limited conversation to collaborators Mar 27, 2023