Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE REQ] [Identity] Support non-microsoft tenants #19443

Closed
andxu opened this issue Feb 25, 2021 · 6 comments
Closed

[FEATURE REQ] [Identity] Support non-microsoft tenants #19443

andxu opened this issue Feb 25, 2021 · 6 comments
Assignees
@christothes @g2vinay
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. feature-request This issue requires a new behavior in the product in order be resolved.
Milestone
[2021] August

Comments

@andxu
Copy link

andxu commented Feb 25, 2021
edited
Loading

  1. Consider the case, I want use to login using device code and list all the subscriptions associate with the account, the code bellowing will promote user many times for listing all subscriptions, how can I fork a new TokenCredential with a tenant which will be used in the second call of 'AzureResourceManager.authenticate', the InteractiveBrowserCredential has the same issue.
        TokenCredential tokenCredential = new DeviceCodeCredentialBuilder().build();
        AzureProfile profile = new AzureProfile(AzureEnvironment.AZURE);
        AzureResourceManager.authenticate(tokenCredential, profile).tenants().list().stream().forEach(tenant-> {
            System.out.println(tenant.tenantId());

            // here I want to use tokenCredential, but I cannot change the tenant from null to tenant.tenantId()
            // if I use new DeviceCodeCredentialBuilder() then the user must input the code twice and select the same account in page
            AzureResourceManager.authenticate(new DeviceCodeCredentialBuilder().tenantId(tenant.tenantId()).build(), profile).subscriptions().list().stream().forEach(
                    subscription -> {
                System.out.println(subscription.displayName());
                System.out.println(subscription.subscriptionId());
            });
        });
  1. Another issue, for VisualStudioCodeCredentialBuilder, how does the the app know the Azure Environment and tenant id? Otherwise the credential from new VisualStudioCodeCredentialBuilder().build() while in vscode I signed in a account which is not a microsoft tenant(72f988bf-86f1-41af-91ab-2d7cd011db47) will report error for listing tenants:
AADSTS70002: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.

  1. The third case, the azure cli credential doesn't support tenant, actually we can get access token through:
    az account get-access-token -t xxxx

  2. The 4th case, for SharedTokenCacheCredential, we cannot list the accounts saved in TokenCache, I have to use very strange logic to get the cached accounts: https://github.com/microsoft/azure-maven-plugins/blob/andy-wip2/azure-toolkit-libs/azure-toolkit-auth-lib/src/main/java/com/microsoft/azure/toolkit/lib/auth/core/visualstudio/VisualStudioAccountEntityBuilder.java#L61

Summary
To provide an access token, we need to specify the following properties:

  • a. Azure environment(Azure cloud name)
  • b. Tenant (organization/domain, eg: onmicrosoft.com)
  • c. Client Id (referring to different clients)
  • d. Scopes (resource)

TokenCredential has enveloped the D, in most cases, the client id is implied, but for tenant id, it is hard for apps using azure-identity to provide and it can be populated through the listing tenant call, so I want azure identity:

  1. provide the functionality of building a token credential from (a: existing credential, b: tenant id) for refresh token based credentials: InteractiveBrowserCredential and DeviceCodeCredential, VisualStudioCodeCredential
  2. provide the functionality of setting tenant id for AzureCliCredential
  3. provide a valid token in VisualStudioCodeCredentialBuilder without tenant id, use this token we can list the tenants
  4. We want identity not to only to provide functionality to get the token but also the functionality of listing cached account(azure environment, tenant id, user name, client id) for SharedTokenCacheCredential
@ghost ghost added the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Feb 25, 2021
@andxu andxu changed the title [FEATURE REQ] Support create new token credential with existing token credentials and a tenant [FEATURE REQ] Support tenant for non-microsoft tenants Feb 25, 2021
@andxu andxu changed the title [FEATURE REQ] Support tenant for non-microsoft tenants [FEATURE REQ] Support non-microsoft tenants Feb 25, 2021
@andxu andxu changed the title [FEATURE REQ] Support non-microsoft tenants [FEATURE REQ] [Identity] Support non-microsoft tenants Feb 25, 2021
@joshfree joshfree added Azure.Identity Client This issue points to a problem in the data-plane of the library. feature-request This issue requires a new behavior in the product in order be resolved. labels Feb 25, 2021
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Feb 25, 2021
@joshfree joshfree added this to the [2021] May milestone Feb 25, 2021
@joshfree
Copy link
Member

Related draft PR jongio/azidext#41

@joshfree
Copy link
Member

@andboyer this is an area we plan to improve starting in our upcoming May release

This was referenced Mar 10, 2021
Closed
Closed
Closed
Closed
Closed
@andxu
Copy link
Author

andxu commented Mar 17, 2021

HI @joshfree , I tried the PR, both the StaticTokenCredential and OnBehalfOfFlowCredential are not what I want, for StaticTokenCredential in the PR, it is a simple wrapper for access token only, it lacks the ability to acquire new token when access token is expired, for OnBehalfOfFlowCredential in the PR, it requires clientSecret which is supposed to be a AAD application.
The one I want is a credential accept an AuthenticationRecord or refresh token(AuthenticationRecord or refresh token can be created by InteractiveBrowserCredential and saved in the token cache)

@andxu
Copy link
Author

andxu commented Mar 17, 2021

I also noticed the new changes in 1.3.0-Beta2:

Added new APIs for authenticating users with DeviceCodeCredential, InteractiveBrowserCredential and UsernamePasswordCredential.
Added method authenticate which pro-actively interacts with the user to authenticate if necessary and returns a serializable AuthenticationRecord
Added following configurable options in classes DeviceCodeCredentialBuilder and InteractiveBrowserCredentialBuilder
authenticationRecord enables initializing a credential with an AuthenticationRecord returned from a prior call to Authenticate
disableAutomaticAuthentication disables automatic user interaction causing the credential to throw an AuthenticationRequiredException when interactive authentication is necessary.

I want to convert AuthenticationRecord to a profile saved at intellij plugin side(authority/environment, client id, tenant id, email) and save the AuthenticationRecord/refresh_token in TokenCache(by azure-identity), and when next time the intellij idea restarts, I can use the saved profile to create a new credential, seems SharedTokenCacheCredential is the right one, but if I use SharedTokenCacheCredential, the tenant id might be tricky, the tenant id passed to SharedTokenCacheCredential is a filter that will filter the exact tenant id when saving the AuthenticationRecord, but the refresh token in AuthenticationRecord may support multiple tenants, so I have no way of generate the access token for another tenant with an existing AuthenticationRecord/refresh_token with an alternative tenant id.

andxu pushed a commit to microsoft/azure-maven-plugins that referenced this issue Mar 25, 2021
Fix multiple tenant issue issue at Azure/azure-sdk-for-java#19443
b988295
This was referenced Jun 17, 2021
Closed
Closed
Closed
Closed
@g2vinay g2vinay modified the milestones: [2021] May, [2021] August Aug 2, 2021
@g2vinay
Copy link
Member

g2vinay commented Oct 25, 2021

@andxu support for multi tenant authentication has been released in version 1.4.0 of azure-identity.

You can pass in tenant id to the getToken API through the TokenRequestContext class to override the tenant as follows:

        TokenRequestContext trc = new TokenRequestContext()
            .addScopes("<Scopes>")
            .setTenantId("<Tenant-Id>");
        
        tokenCredential.getToken(trc);

Let us know if you've any further questions.

@g2vinay g2vinay closed this as completed Oct 25, 2021
@andxu
Copy link
Author

andxu commented Nov 24, 2021

@g2vinay great, thank you for the good news

@github-actions github-actions bot locked and limited conversation to collaborators Apr 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@christothes christothes

@g2vinay g2vinay

Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. feature-request This issue requires a new behavior in the product in order be resolved.
Projects
None yet
Milestone
[2021] August
Development

No branches or pull requests
4 participants
@christothes @joshfree @g2vinay @andxu