The MSAL library for Go is part of the Microsoft identity platform for developers (formerly named Azure AD) v2.0. It enables you to acquire security tokens to call protected APIs. It uses industry standard OAuth2 and OpenID Connect.
[Feature Request] Federated Identity Credential with Kubernetes on Azure Arc #477
There are 2 types of Federated Identity Credential (FIC) - with external provider or with internal provider (MSI). This is about external provider, where the provider is Kubernetes.
The FIC scenario is:
LEG1: app asks for a token from external identity provider
LEG2: app uses client_credentials OAuth flow to get token from
All MSALs can perform LEG2.
Request
The request is for MSAL to help perform LEG1 in a very specific case - Azure Arc enabled K8. The K8 team will provision a local http service that acts like an OAuth compliant Identity Provider. MSAL can request tokens from this provider just like it would from eSTS, with some minor changes:
support for a custom authority?
no instance discovery
custom TLS certificate verification (i.e. the endpoint will have a self signed cert, and the thumbprint of that can be found in a well-known location)
anything else?
Protocol details
TBD
Open questions
how will MSAL know about being hosted on this environment?
what will the authority look like?
where will the TLS cert be picked up?
will MSAL have enough information for token caching? For app tokens it's pretty simple - it's just clientID
how does the request to this endpoint look like exactly? what params do we put on the wire? I assume it's only client_credentials flow. Will there be a secret or a cert?
how will the end to end look like?
Alternative
Have you thought about using the "AppTokenProvider" - an extensibility point which allows the app developer to hook to any token provider and leverage MSAL's cache. It is used by Azure SDK today to place tokens in MSAL