Using msal token cache to fetch refresh token inside proxy command for az cli version >= 2.30 #4194
Conversation
|
@sirireddy12 May I ask do you need to write the description of this change in to the history note and release a new extension for this change? If so, please modify the |
| msal_token_cache_user = r'.azure/msal_token_cache.bin' | ||
| msal_token_cache_spn = r'.azure/service_principal_entries.bin' |
There was a problem hiding this comment.
DON'T DO THIS. THIS IS NOT SUPPORTED. See Azure/azure-cli#19853 (comment)
| token_cache._reload_if_necessary() | ||
| home_account_id = response_user_objectid + "." + tenantId | ||
| owned_by_home_account = {"home_account_id": home_account_id} | ||
| creds_info = token_cache.find(PersistedTokenCache.CredentialType.REFRESH_TOKEN, query=owned_by_home_account) |
There was a problem hiding this comment.
@rayluo, I think this is another instance where people are hacking MSAL cache to get the refresh token.
There was a problem hiding this comment.
That is really unfortunate.
@sirireddy12 , why is refresh token (RT) needed? Can the usage pattern be replaced by periodically requesting an access token, possibly via Azure CLI? (@jiasli , does az get-access-token ... has an equivalent helper function to be called by extensions?)
FYI: Not only the token cache helpers are considered internal, MSAL would probably NOT save RT in token cache in near future.
There was a problem hiding this comment.
@rayluo Refresh token is needed to retrieve PoP token. Does PoP implementation support available in MSAL python which az extension can utilize?
There was a problem hiding this comment.
@rayluo Refresh token is needed to retrieve PoP token. Does PoP implementation support available in MSAL python which az extension can utilize?
MSAL Python does not currently support PoP. However, I got an impression that the PoP implementation might be similar to another feature named "Ssh Cert" which MSAL Python does support, and then there is also an az extension "ssh" already handles the key management and feeds signed content to MSAL. You may take a look and see whether that pattern could be repurposed for PoP token.
(Oh, I did not notice your alias, @krdhruva :-). The content above was the idea that I already mentioned in our email conversation.)
| token_cache_location = os.path.expanduser(os.path.join('~', msal_token_cache_spn)) | ||
| try: | ||
| if operating_system == 'Windows': | ||
| persistence = msal_extensions.FilePersistenceWithDataProtection(token_cache_location) |
There was a problem hiding this comment.
You really should not be doing this. MSAL's internal cache is not a public artifact and may change without notice.
In fact, this is changing as we speak - MSAL py will use the Windows broker (WAM). Brokers don't even return RT and cache is going to be stored elsewhere (not shared anymore).
This checklist is used to make sure that common guidelines for a pull request are followed.
General Guidelines
azdev style <YOUR_EXT>locally? (pip install azdevrequired)python scripts/ci/test_index.py -qlocally?For new extensions:
About Extension Publish
There is a pipeline to automatically build, upload and publish extension wheels.
Once your PR is merged into master branch, a new PR will be created to update
src/index.jsonautomatically.The precondition is to put your code inside this repo and upgrade the version in the PR but do not modify
src/index.json.