Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License

[BUG] Need UsernamePasswordCredentialBrokerOptions to Enable Username Password Account to Go to WAM #45439

Closed msJinLei closed 1 month ago

msJinLei commented 1 month ago

Library name and version

Azure.Identity 1.12.0.0

Describe the bug

The customers of Azure PowerShell report that when WAM is enabled, they cannot retrieve a token by SharedTokenCacheCredential if the token is acquired by UsernamePasswordCredential. Refer to https://github.com/Azure/azure-powershell/issues/25028. We find UsernamePasswordCredential doesn't have a broker option, as InteractiveBrowserCredentialBrokerOptions or SharedTokenCacheCredentialBrokerOptions. We get the information from MSAL that in MSAL.NET, interactive and username password flows support WAM while device code does not. We request Azure.Identity to provide the interface such as UsernamePasswordCredentialBrokerOptions. If WAM is enabled, we are going to call UsernamePasswordCredentialBrokerOptions to acquire the token so that the account information will go into WAM and can be retrieved by SharedTokenCacheCredential.

Expected behavior

Provides the interface such as UsernamePasswordCredentialBrokerOptions to enable Username Password account to go to WAM

Actual behavior

Username Password account cannot go to WAM

Reproduction Steps

Environment

dotnet standard 2.0

github-actions[bot] commented 1 month ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

christothes commented 1 month ago

Hi @msJinLei, currently we do not support the username/password flow because it is not recommended for security reasons. MSAL's documentation mentions this here.

Based on the linked issue scenario, it sounds like AzurePipelinesCredential might be a better fit for their scenario.

github-actions[bot] commented 1 month ago

Hi @msJinLei. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

msJinLei commented 1 month ago

> Hi @msJinLei, currently we do not support the username/password flow because it is not recommended for security reasons. MSAL's documentation mentions this here.
>
> Based on the linked issue scenario, it sounds like AzurePipelinesCredential might be a better fit for their scenario.

We also deprecate the username password flow in Azure PowerShell. However, we cannot break the customers who already use it for now.