search

AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License
1.36k stars 331 forks source link

[Feature Request] Service Fabric MI Auth doesn't validate server cert. #4462

Open g2vinay opened 7 months ago

g2vinay commented 7 months ago

MSAL client type

Managed identity

Problem Statement

Currently, MSAL .NET reads the Thumbprint from env but doesn't use it to validate the cert from the server in the transport layer. This logic needs to be implemented.

Proposed solution

.NET Identity SDK does this, this logic can be ported from here: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/ServiceFabricManagedIdentitySource.cs#L55

Other languages

java: https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java#L1032

Py: (not implemented) https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/azure/identity/_credentials/service_fabric.py#L38

JS: (not implemented) https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/src/credentials/managedIdentityCredential/fabricMsi.ts#L128

bgavrilMS commented 6 months ago

We have agreed with Azure SDK to not extend the HttpClient factory for this. It is acceptable for MSAL use it's own HttpClient that doesn't go through the extensibility pipeline.

Retry policies etc. are still required.

bgavrilMS commented 6 months ago

@neha-bhargava - it's acceptable for this call to MSI to not use IHttpClientFactory / an HttpClient created externally. But try to find a way so as to keep the code path testable.

If you need to make changes to HttpManager, please see @gladjohn 's PR on SLC first, as it has a sweeping refactor of that. Maybe it's worth pulling that refactor out.

bgavrilMS commented 2 months ago

Is this still blocked?