Enable token encryption on macOS

glyph commented 1 year ago

Describe the bug

By default, on macOS, azure login places its OAuth tokens in .azure/msal_token_cache.json.

The only documentation for how to protect the tokens using Keychain appears to be in the code here:

https://github.com/Azure/azure-cli/blob/3ae3c61737ab5203de56d5c1328ae5462584d631/src/azure-cli-core/azure/cli/core/util.py#L1353-L1361

The comment here is misleading, as it says EXPERIMENTAL: Use core.encrypt_token_cache=False to turn off token cache encryption. as if the default value is True, but it's actually False.

At least, encrypt_token_cache does not appear in the list of "core" configuration values here:

https://learn.microsoft.com/en-us/cli/azure/azure-cli-configuration#cli-configuration-values-and-environment-variables

MSAL for Python also gives a somewhat misleading summary of its security properties, as it says:

https://github.com/AzureAD/microsoft-authentication-extensions-for-python#microsoft-authentication-extensions-for-python

MAC - The MAC KeyChain is used.

Which is not true in the configuration that the azure CLI actually uses it.

Finally, once encrypt_token_cache is set to true, the keychain service name and account name are set to "my_service_name" and "my_account_name" here: https://github.com/Azure/azure-cli/blob/3ae3c61737ab5203de56d5c1328ae5462584d631/src/azure-cli-core/azure/cli/core/auth/persistence.py#L44

I verified that this is actually how it's stored in Keychain Access:

Related command

az login

Errors

No errors.

Issue script & Debug output

No relevant debug output.

Expected behavior

In general the credential storage situation just ought to be tightened up:

encryption / storage in macOS keychain should be the default
encrypt_token_cache ought to be documented
credential labels seem inappropriately generic, and it should say something more like a service name of "Azure CLI" and an account name of the user's email address.
credentials also really ought to be stored in separate keychain items so that applications can be granted access control to, for example, test credentials without granting them access to production credentials in the same keychain.

There's also the msal_http_cache.bin file which contains cookies and stuff, which maybe should also be encrypted somewhere; i don't know the privilege level of these cookies but it seems relevant to look at them.

Environment Summary

azure-cli                         2.50.0 *

core                              2.50.0 *
telemetry                          1.0.8 *

Dependencies:
msal                              1.22.0
azure-mgmt-resource             23.1.0b2

Python location '/opt/homebrew/Cellar/azure-cli/2.50.0_1/libexec/bin/python'
Extensions directory '/Users/glyph/.azure/cliextensions'

Python (Darwin) 3.10.12 (main, Jun 20 2023, 19:43:52) [Clang 14.0.3 (clang-1403.0.22.14.1)]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

I am filing this as a regular bug and not as a security issue because I don't see an exploit here per se, and the tools don't directly claim any security properties that are subverted by this misconfiguration.

azure-client-tools-bot-prd[bot] commented 1 year ago

Hi @glyph,

2.50.0 is not the latest Azure CLI(2.51.0).

Please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

yonzhan commented 1 year ago

Thank you for opening this issue, we will look into it.

jiasli commented 1 year ago

Currently Azure CLI doesn't support token encryption on macOS and Linux (https://github.com/Azure/azure-cli/issues/23495). I am marking this issue as a Feature Candidate.

There is a draft work https://github.com/Azure/azure-cli/pull/20636 to support token encryption on macOS, but currently there is no ETA.

The only documentation for how to protect the tokens using Keychain appears to be in the code here

This is merely Azure CLI's source code. It is not public documentation.

At least, encrypt_token_cache does not appear in the list of "core" configuration values here

This is expected, as core.encrypt_token_cache is only used to disable token cache in some edge cases on Windows. Using it to enable token encryption on macOS or Linux is not supported.

joergjo commented 7 months ago

@jiasli #20636 refers to a pull request that hasn't been merged for quite some time. Will it be merged and made available in an upcoming release or is that blocked?

muxmuse commented 7 months ago

The discussion in PR #20636 assumes an implementation using Apple Keyring / Keychain. One could instead allow configuration of an arbitrary password management command. This would allow Linux and Mac users to encrypt their tokens.

Azure / azure-cli