[Identity] Support cross-tenant authentication #8313
Comments
joshfree
added
feature-request
|
This feature will be implemented by management clients, not within azure-identity. |
|
Reopened for tracking. |
* [Network] Migrate network to track2 SDK * Add comments to regular expression change * Remove useless argument * Uncomment test
ImpactThis limitation makes cross-tenant operations impossible and has so far affected Root causeThe old "ADAL/msrest"-based Azure CLI adds headers
in def signed_session(self, session=None): # pylint: disable=arguments-differ
...
session.headers['Authorization'] = header
if external_tenant_tokens:
aux_tokens = ';'.join(['{} {}'.format(scheme2, tokens2) for scheme2, tokens2, _ in external_tenant_tokens])
session.headers['x-ms-authorization-auxiliary'] = aux_tokens
...The new "MSAL/Azure Core"-based Azure CLI follows class TokenCredential(Protocol):
def get_token(self, *scopes, **kwargs):
# type: (*str, **Any) -> AccessToken
passand is not responsible for adding Instead, the logic for adding class BearerTokenCredentialPolicy(_BearerTokenCredentialPolicyBase, SansIOHTTPPolicy):
def on_request(self, request):
...
self._token = self._credential.get_token(*self._scopes)
self._update_headers(request.http_request.headers, self._token.token)Due to the lack of the logic to add WorkaroundThe current workaround Azure CLI adopted is to manually add return client.gallery_image_versions.begin_create_or_update(
...
headers={'x-ms-authorization-auxiliary': external_bearer_token}Problem with this workaround:
Possible solutionSDK clients' class NetworkManagementClient(NetworkManagementClientOperationsMixin, MultiApiClientMixin, _SDKClient):
def __init__(
self,
credential, # type: "TokenCredential"
external_credentials,
... When References |
|
Azure CLI now uses a workaround to implement cross-tenant authentication by adding # Track 2 currently lacks the ability to take external credentials.
# https://github.com/Azure/azure-sdk-for-python/issues/8313
# As a temporary workaround, manually add external tokens to 'x-ms-authorization-auxiliary' header.
# https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/authenticate-multi-tenant
if hasattr(cred, "get_auxiliary_tokens"):
aux_tokens = cred.get_auxiliary_tokens(*scopes)
if aux_tokens:
# Hard-code scheme to 'Bearer' as _BearerTokenCredentialPolicyBase._update_headers does.
client_kwargs['headers']['x-ms-authorization-auxiliary'] = \
', '.join("Bearer {}".format(token.token) for token in aux_tokens)So implementing this feature request is no longer mandatory from Azure CLI perspective. |
|
According to Azure/azure-sdk-for-java#3819 (comment), to support cross-tenant authentication natively, Java SDK adopted similar approach as my proposal (#8313 (comment)) by accepting multiple credentials: AzureResourceManager azureResourceManager = AzureResourceManager
.configure()
.withAuxiliaryCredential(anotherTokenCredential)
.authenticate(credential, profile)
.withDefaultSubscription(); |
|
Hi @joshfree, we deeply appreciate your input into this project. Regrettably, this issue has remained inactive for over 2 years, leading us to the decision to close it. We've implemented this policy to maintain the relevance of our issue queue and facilitate easier navigation for new contributors. If you still believe this topic requires attention, please feel free to create a new issue, referencing this one. Thank you for your understanding and ongoing support. |
Support the scenario described in https://docs.microsoft.com/bs-latn-ba/azure/azure-resource-manager/authenticate-multi-tenant.
To test it, the shared image gallery scenario takes advantage of this type of authentication header: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/share-images-across-tenants
A previous issue which users were able to workaround: Azure/azure-sdk-for-java#3819. We need to provide a more elegant way.
Related Azure/azure-sdk-for-java#6040
The text was updated successfully, but these errors were encountered: