AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

[Bug] WithSSHCertificateAuthenticationScheme Does Not Return an SSH Certificate When WAM Is Enabled #4909

Closed msJinLei closed 3 days ago

msJinLei commented 2 weeks ago

Library version used

4.61.3.0

.NET version

.netstandard 2.0

Scenario

PublicClient - desktop app

Is this a new or an existing app?

The app is in production, and I have upgraded to a new version of MSAL

Issue description and reproduction steps

Raised by @vthiebaut10, in Azure PowerShell, when WAM is enabled, the customer fails to reconnect to a configured Azure VM using Az.Ssh. Here are the steps to reproduce:

When WAM is disabled, Enter-AzVM works as expected. We find that when WAM is enabled, WithSSHCertificateAuthenticationScheme doesn't return an SSH certificate but returns a bearer token. When WAM is disabled, it returns an SSH certificate.

Relevant code snippets

// Builds the public client; the broker (WAM) is attached only when Az config enables it.
public virtual IPublicClientApplication CreatePublicClient(string authority, string tenantId)
{
    var builder = PublicClientApplicationBuilder.Create(Constants.PowerShellClientId);
    if (AzConfigReader.IsWamEnabled(authority))
    {
        // Broker-enabled path: this is the path that returns a bearer token instead of an SSH certificate.
        builder = builder.WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows));
    }
    if (!string.IsNullOrEmpty(authority))
    {
        builder.WithAuthority(authority, tenantId ?? organizationTenant);
    }
    var client = builder.Build();
    RegisterCache(client);
    return client;
}

var publicClient = CreatePublicClient(context.Environment.ActiveDirectoryAuthority, context.Tenant.Id);
var account = publicClient.GetAccountAsync(context.Account.GetProperty(AzureAccount.Property.HomeAccountId))
               .ConfigureAwait(false).GetAwaiter().GetResult();
// Request an SSH certificate bound to the caller's public key (jwk) instead of a bearer token.
var result = publicClient.AcquireTokenSilent(scopes, account)
             .WithSSHCertificateAuthenticationScheme(jwk, keyId)
             .ExecuteAsync();
// AuthenticationResult; with WAM enabled its TokenType is a bearer token rather than an SSH certificate.
var accessToken = result.ConfigureAwait(false).GetAwaiter().GetResult();

Expected behavior

Return a SSH certificate as non-broker public client does

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response
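The following is an added example, not code from Azure PowerShell or from the MSAL.NET repository. It shows the check a caller of WithSSHCertificateAuthenticationScheme would want around the behaviour reported above: request the SSH certificate through a broker-enabled client, verify that the result's TokenType is actually the SSH certificate type MSAL.NET reports for this scheme ("ssh-cert") rather than a bearer token, and if it is not, retry with a non-broker client, which the issue states does return an SSH certificate. The client id, authority, scopes and key id are placeholders; the JWK helper builds an RFC 7517 RSA public key JWK for the key the certificate is bound to.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker; // WithBroker(BrokerOptions) extension (Microsoft.Identity.Client.Broker package)

// Added example (not the project's own code): acquire an SSH certificate and
// verify that the broker did not hand back a bearer token instead.
public static class SshCertAcquisition
{
    // Token type MSAL.NET reports on AuthenticationResult for the SSH certificate scheme.
    public const string SshCertTokenType = "ssh-cert";

    // Placeholders; the real values come from the calling application
    // (the issue uses Constants.PowerShellClientId and the context's authority).
    private const string ClientId = "<client-id-placeholder>";
    private const string Authority = "https://login.microsoftonline.com/organizations";
    private static readonly string[] Scopes = { "https://management.core.windows.net//.default" };

    // Build an RSA public-key JWK (RFC 7517) for the key the SSH certificate will be
    // bound to. Only the public parameters are exported; the private key stays local.
    public static string BuildRsaJwk(RSA rsa, string keyId)
    {
        RSAParameters p = rsa.ExportParameters(includePrivateParameters: false);
        var jwk = new
        {
            kty = "RSA",
            kid = keyId,
            n = Base64UrlEncode(p.Modulus),
            e = Base64UrlEncode(p.Exponent),
        };
        return JsonSerializer.Serialize(jwk);
    }

    // Base64url without padding, as required for JWK "n" and "e" members.
    private static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // True only when the result carries an SSH certificate, not a bearer token.
    public static bool IsSshCertificate(AuthenticationResult result) =>
        string.Equals(result?.TokenType, SshCertTokenType, StringComparison.OrdinalIgnoreCase);

    private static IPublicClientApplication CreateClient(bool useBroker)
    {
        var builder = PublicClientApplicationBuilder.Create(ClientId).WithAuthority(Authority);
        if (useBroker)
        {
            builder = builder.WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows));
        }
        return builder.Build();
    }

    // Acquire an SSH certificate. With brokerEnabled=true the broker is tried first; if it
    // returns a bearer token (the behaviour reported in this issue), fall back to a
    // non-broker client. Throws if no SSH certificate can be obtained at all.
    public static async Task<AuthenticationResult> AcquireSshCertificateAsync(
        string jwk, string keyId, bool brokerEnabled)
    {
        IPublicClientApplication client = CreateClient(brokerEnabled);
        IAccount account = (await client.GetAccountsAsync().ConfigureAwait(false)).FirstOrDefault();

        AuthenticationResult result;
        try
        {
            result = await client.AcquireTokenSilent(Scopes, account)
                                 .WithSSHCertificateAuthenticationScheme(jwk, keyId)
                                 .ExecuteAsync()
                                 .ConfigureAwait(false);
        }
        catch (MsalUiRequiredException)
        {
            // No usable cached token or account: prompt once, still asking for an SSH certificate.
            result = await client.AcquireTokenInteractive(Scopes)
                                 .WithSSHCertificateAuthenticationScheme(jwk, keyId)
                                 .ExecuteAsync()
                                 .ConfigureAwait(false);
        }

        if (IsSshCertificate(result))
        {
            return result;
        }

        if (brokerEnabled)
        {
            // Broker returned a bearer token; retry through the non-broker path.
            return await AcquireSshCertificateAsync(jwk, keyId, brokerEnabled: false).ConfigureAwait(false);
        }

        throw new InvalidOperationException(
            $"Expected token type '{SshCertTokenType}' but received '{result.TokenType}'.");
    }
}
```

Usage: generate or load the RSA key pair, call BuildRsaJwk(rsa, keyId) to obtain the JWK string, then await AcquireSshCertificateAsync(jwk, keyId, brokerEnabled: true). Never pass a bearer token on to the SSH client as if it were a certificate; the TokenType check is what makes the failure visible instead of surfacing later as a confusing connection error.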

bgavrilMS commented 2 weeks ago

Right, this is a feature gap with WAM. It does not support fetching SSH certificates.

msJinLei commented 2 weeks ago

> Right, this is a feature gap with WAM. It does not support fetching SSH certificates.

But I don't find the same issue with Azure CLI. Does MSAL.py have the same issue?

bgavrilMS commented 2 weeks ago

MSAL Py also supports fetching SSH certificates. It is possible that the team also added support for WAM + SSH certificates, I don't recollect.

@rayluo @jiasli @iulico-1 - do you remember?

rayluo commented 2 weeks ago

> MSAL Py also supports fetching SSH certificates. It is possible that the team also added support for WAM + SSH certificates, I don't recollect.
>
> @rayluo @jiasli @iulico-1 - do you remember?

WAM has been improved to also support SSH cert now. MSAL .Net just needs to relay the relevant parameters to MsalRuntime. This was how MSAL Py did it.