Azure / azure-sdk-for-go

This repository is for active development of the Azure SDK for Go. For consumers of the SDK we recommend visiting our public developer docs at:
https://docs.microsoft.com/azure/developer/go/
MIT License

AzIdentity with Cache - logout? #23499

Closed DariuszPorowski closed 4 weeks ago

DariuszPorowski commented 1 month ago

Hi there

I am trying caching (1.8.0-beta.3) for user context authentication - so far it looks good. But I wonder how to do "logout"? I assume that simply deleting the cache file does not solve the problem (it only contains user metadata) and the rest is in the encryption facility. So how do I do "logout" and remove stuff from the encryption facility according to the user's operating system?

github-actions[bot] commented 1 month ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

chlowell commented 1 month ago

Neither azidentity nor its underlying cache implementation has an API for logging users in or out because applications decide whether a user is logged in or not. azidentity only authenticates users, and the cache is just a simple data store; neither has a concept of a "logged in" user. azidentity does require an AuthenticationRecord to access persisted user data, so at the application level "logging in" means authenticating a user and storing an AuthenticationRecord, and "logging out" means deleting it.

Is it important for your application to actually delete cached data when a user logs out?

github-actions[bot] commented 1 month ago

Hi @DariuszPorowski. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

DariuszPorowski commented 1 month ago

Hi @chlowell, everything regarding AzIdentity being stateless is understood. Let me outline the scenario.

I have a CLI tool named mytool. When I execute mytool login, it uses azidentity for authentication and creates a state with the AzIdentity Cache (AuthenticationRecord) to avoid re-authentication on subsequent executions. Now, I wish to remove my authentication state by calling mytool logout. While it is straightforward to delete the file containing user metadata - which theoretically logs me out - AzIdentity Cache uses an encryption facility to store sensitive data. Therefore, I need to ensure that mytool also clears this.
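The login/logout layer chlowell describes (login = authenticate and persist an AuthenticationRecord, logout = delete it) and the mytool scenario above can be implemented as a small session store in the application. The following is an added example written for this page; it is not code from the thread, from azidentity, or from mytool. The AuthenticationRecord struct mirrors the public fields of azidentity's type so the file format matches what the SDK would produce, but the interactive authentication itself is injected as a function (a hypothetical seam, not an azidentity API) so the example runs offline; in a real tool that function wraps cred.Authenticate on an InteractiveBrowserCredential or DeviceCodeCredential configured with a persistent Cache. The record path is also an assumption. The record file holds account metadata only; the tokens stay in azidentity's OS-encrypted cache, which the SDK can no longer look up once the record is gone.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// AuthenticationRecord mirrors the public fields of azidentity.AuthenticationRecord
// (assumed from v1.8.0-beta.3). It carries account metadata only, no tokens.
type AuthenticationRecord struct {
	Authority     string `json:"authority"`
	ClientID      string `json:"clientId"`
	HomeAccountID string `json:"homeAccountId"`
	TenantID      string `json:"tenantId"`
	Username      string `json:"username"`
	Version       string `json:"version"`
}

// Authenticator is a hypothetical seam for the interactive login. In a real tool
// it calls cred.Authenticate(ctx, nil) on a credential built with a persistent
// Cache; it is injected here so the example runs without network access.
type Authenticator func() (AuthenticationRecord, error)

// ErrNotLoggedIn is returned when no usable record is persisted.
var ErrNotLoggedIn = errors.New("not logged in")

// Session is the application-level "logged in" state: the presence of a record.
type Session struct {
	path string // assumed location, e.g. ~/.config/mytool/auth_record.json
}

func NewSession(path string) *Session { return &Session{path: path} }

// Login authenticates and persists the record. The file is created 0600 inside a
// 0700 directory and renamed into place, so other local users cannot read it and
// a crash mid-write never leaves a truncated record behind.
func (s *Session) Login(auth Authenticator) (AuthenticationRecord, error) {
	rec, err := auth()
	if err != nil {
		return AuthenticationRecord{}, fmt.Errorf("authenticate: %w", err)
	}
	if rec.HomeAccountID == "" {
		// Without a home account ID the SDK cannot locate the user's cache entry.
		return AuthenticationRecord{}, errors.New("authentication record has no home account ID")
	}
	data, err := json.Marshal(rec)
	if err != nil {
		return AuthenticationRecord{}, err
	}
	if err := os.MkdirAll(filepath.Dir(s.path), 0o700); err != nil {
		return AuthenticationRecord{}, err
	}
	tmp := s.path + ".tmp"
	if err := os.WriteFile(tmp, data, 0o600); err != nil {
		return AuthenticationRecord{}, err
	}
	if err := os.Rename(tmp, s.path); err != nil {
		os.Remove(tmp)
		return AuthenticationRecord{}, err
	}
	return rec, nil
}

// Current loads the persisted record for later runs, which pass it to the
// credential options so azidentity can use cached tokens silently. A missing or
// corrupt file is reported as ErrNotLoggedIn so the tool prompts for "login".
func (s *Session) Current() (AuthenticationRecord, error) {
	data, err := os.ReadFile(s.path)
	if errors.Is(err, os.ErrNotExist) {
		return AuthenticationRecord{}, ErrNotLoggedIn
	}
	if err != nil {
		return AuthenticationRecord{}, err
	}
	var rec AuthenticationRecord
	if err := json.Unmarshal(data, &rec); err != nil || rec.HomeAccountID == "" {
		return AuthenticationRecord{}, fmt.Errorf("%w: unusable record", ErrNotLoggedIn)
	}
	return rec, nil
}

// Logout deletes the record; azidentity then has no handle to the user's cache
// entry, so silent token acquisition stops. Logging out twice is not an error.
func (s *Session) Logout() error {
	if err := os.Remove(s.path); err != nil && !errors.Is(err, os.ErrNotExist) {
		return err
	}
	return nil
}
```

In a real CLI, mytool login would pass a closure over cred.Authenticate to Login, and later commands would read Current() to populate the credential's AuthenticationRecord option; mytool logout calls Logout. Whether to additionally clear the encrypted cache is the separate question chlowell raises next.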

chlowell commented 1 month ago

Why do you need to delete the data? Sure, it's sensitive, but it's encrypted and the OS protects it from other users.

github-actions[bot] commented 1 month ago

Hi @DariuszPorowski. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

github-actions[bot] commented 1 month ago

Hi @DariuszPorowski, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!