Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support federated credentials in on-behalf-of flow #28726

Open
chlowell opened this issue Feb 29, 2024 · 7 comments · May be fixed by #29711
Open

Support federated credentials in on-behalf-of flow #28726

chlowell opened this issue Feb 29, 2024 · 7 comments · May be fixed by #29711
Assignees
@KarishmaGhiya
Labels
Azure.Identity feature-request This issue requires a new behavior in the product in order be resolved.
Milestone
Backlog

Comments

@chlowell
Copy link
Contributor

1P documentation shows how to authenticate the service principal in the OBO flow with a federated credential instead of a secret or certificate. The request is essentially the same as for a certificate, however its assertion is the federated credential instead of a JWT signed by the app. Note that the 3P documentation doesn't mention federated credentials, so this may be a 1P-only feature.

First thoughts on implementation:

  1. check whether and how MSAL supports this
  2. OBO constructor could take a callback providing assertions instead of a cert. This would be a dual-use in that it enables the federated credential scenario and also cert scenarios in which the client app doesn't possess the private key e.g. because it's stored in Key Vault
@chlowell chlowell added customer-reported Issues that are reported by GitHub users external to the Azure organization. Azure.Identity feature-request This issue requires a new behavior in the product in order be resolved. labels Feb 29, 2024
@github-actions github-actions bot added the needs-team-attention This issue needs attention from Azure service team or SDK team label Feb 29, 2024
@chlowell chlowell removed the needs-team-attention This issue needs attention from Azure service team or SDK team label Feb 29, 2024
@github-actions github-actions bot added the needs-team-attention This issue needs attention from Azure service team or SDK team label Feb 29, 2024
@xirzec xirzec removed customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention This issue needs attention from Azure service team or SDK team labels Feb 29, 2024
@joshfree
Copy link
Member

/cc @scottaddie

@joshfree joshfree added this to the Backlog milestone Mar 11, 2024
@MRayermannMSFT
Copy link

MRayermannMSFT commented Mar 14, 2024
edited

Hi! Chiming in here to voice some 1P customer desire for this to be completed.

We run nodejs tests in our Azure pipelines, and these tests make API calls to Azure. Right now these API calls are authenticated using service principal secrets.

As part of a compliance effrot, we need to move away from using service principal secrets, and what seems to be the best way forward is federated credentials. We can connect service principals to our Azure pipelines using federated credential service connections, however, the @azure/identity package doesn't support federated credentials.

To be totally clear, we're looking for something that can provide an implementation of this OAuth flow:

image
Source: https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation

I believe this is something @azure/identity would expose (though I assume quite a bit of the acutal implementation would be coming from MSAL).

Additional information on our speceific scenario:

@maorleger
Copy link
Member

Hi! Chiming in here to voice some 1P customer desire for this to be completed.

We run nodejs tests in our Azure pipelines, and these tests make API calls to Azure. Right now these API calls are authenticated using service principal secrets.

As part of a compliance effrot, we need to move away from using service principal secrets, and what seems to be the best way forward is federated credentials. We can connect service principals to our Azure pipelines using federated credential service connections, however, the @azure/identity package doesn't support federated credentials.

To be totally clear, we're looking for something that can provide an implementation of this OAuth flow:

image Source: https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation

I believe this is something @azure/identity would expose (though I assume quite a bit of the acutal implementation would be coming from MSAL).

Additional information on our speceific scenario:

I'm new to this space but aren't these different asks / scenarios? The first is support for federated credentials on-behalf-of a user, the second seems more related to #27093 - just to make sure we have things tracked in the right place and partners can be informed of timelines

@maorleger maorleger mentioned this issue Mar 14, 2024
Closed
@MRayermannMSFT
Copy link

MRayermannMSFT commented Mar 15, 2024
edited

@maorleger I'm also new to the space of "federated credentials" so apologies if I stumbled upon the wrong issue. I agree that issue #27093 probably sounds like more of the right thing.

@bgavrilMS
Copy link

@chlowell @KarishmaGhiya - FIC is supported by 3p.

There are 2 types of FIC:

  • with an external Identity Provider (e.g. GitHub). This allows a GitHub action to get access to KeyVault. See https://github.com/Azure/azure-workload-identity/tree/main/examples for examples for AKV, including with Azure SDK JS
  • with Managed Identity. You get an S2S token from MSI - leg1. And use this token as the client_assertion in the OBO flow (or any other confidential client flow) - leg2.

From MSAL perspective this is very simple - all MSALs allow for specifying a client assertion. Just note that most samples (including https://github.com/Azure/azure-workload-identity/tree/main/examples) are wrong, because you have to ensure the token from leg1 is valid when you pass it to leg2. So you need to cache tokens from leg1 and from leg2.

@Robbie-Microsoft will be looking into the sample https://github.com/Azure/azure-workload-identity/tree/main/examples to fix it.

Hope this helps.

@KarishmaGhiya
Copy link
Contributor

Chatted with @bgavrilMS
Assuming we add support for client assertion in OBO, the user can probably do something like this -

managedIdentity = new ManagedIdentityCredential()

getAssertion()=>{
msiAccessToken = await managedIdentity.getToken(<scope>)
return msiAccessToken;
}

oboCredential = new OnBehalfOfCredential(<tenantId>,<clientId>,getAssertion,<userAssertionToken>)

await oboCredential.getToken(<scope>)

@KarishmaGhiya
Copy link
Contributor

Related MSAL feature issue for requesting Client Assertion callback input instead of a string - AzureAD/microsoft-authentication-library-for-js#7013

@MitchBodmer MitchBodmer mentioned this issue Apr 29, 2024
Closed
@KarishmaGhiya KarishmaGhiya linked a pull request May 16, 2024 that will close this issue
Draft
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@KarishmaGhiya KarishmaGhiya

Labels
Azure.Identity feature-request This issue requires a new behavior in the product in order be resolved.
Projects
Azure Identity SDK Improvements
Status: In Progress
Milestone
Backlog
Development

Successfully merging a pull request may close this issue.

[identity] update OBO client assertion KarishmaGhiya/azure-sdk-for-js
7 participants
@xirzec @maorleger @joshfree @KarishmaGhiya @chlowell @bgavrilMS @MRayermannMSFT