[BUG] Potential authorization issue with Confidential Ledger

[rajdhandus]

Library name and version

Azure.Security.ConfidentialLedger 1.0.0-beta.2

Describe the bug

• Not able to use the certificate based authentication method for authenticating with the Azure Confidential Ledger data plane APIs
• ConfidentialLedgerClient class's constructor expects TokenCredentials to be not null. Only one should be needed as Authentication can be done via either Certificate or AAD
• ConfidentialLedgerClient seems to validate TokenCredential Paramter to ensure that its not null.. but if the client code chooses to use cert based authentication and not rely on TokenCredentials - it throws an error

Expected behavior

• Should be able to use either TokenCredentials or Certificate based credentials

Actual behavior

• Not able to use either TokenCredentials or Certificate based credentials. Code expects both.

Reproduction Steps

Run the below code where the TokenCredentials is not present.

private static void SDKClient(StringContent request, HttpClientHandler handler)
{
    try
    {
        var options = new ConfidentialLedgerClientOptions { Transport = new HttpClientTransport(handler) };
        var ledgerClient = new ConfidentialLedgerClient(new Uri(_ledgerURI), null, options);
        RequestContent requestContent = RequestContent.Create(request);
        var responseForPost = ledgerClient.PostLedgerEntry(requestContent);
        Console.WriteLine(responseForPost.Content);
    }
    catch (HttpRequestException e)
    {
        Console.WriteLine("\nException Caught!");
        Console.WriteLine("Message :{0} ", e.Message);
    }
}

Environment

No response

[jsquire]

Thank you for your feedback. Tagging and routing to the team member best able to assist.

[christothes]

Hi @rajdhandus - Would the ClientCertificiateCredential work for you in this scenario? If not, could you explain a bit more about what you are trying to do?

I'm also curious - is there a reason you need to use a custom handler other than to trust the identity endpoint's certificate root?

[rajdhandus]

Hi @christothes - thanks for the link. ClientCertificiateCredential looks like it needs clientId and TenantId ? And also - its minting a token at the end?

I am trying to authenticate with Azure Confidential Ledger directly with certificates that were used while creating the ledger. These certificates are not necessarily uploaded to AAD.

[christothes]

Ah - OK, I understand now - Unfortunately, we are missing the self-signed client certificate auth support in this client. We currently only support TokenCredential auth. We'll look at adding this in an upcoming release.

[rajdhandus]

thanks! this seems to be available in Python SDK

https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/core/azure-core/README.md?plain=1#L181

https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/confidentialledger/azure-confidentialledger/README.md?plain=1#L237

https://azuresdkdocs.blob.core.windows.net/$web/python/azure-confidentialledger/latest/azure.confidentialledger.html?highlight=certificatecredential#azure.confidentialledger.ConfidentialLedgerCertificateCredential

[christothes]

tracking this in #28147