Open Avery-Dunn opened 8 months ago
Unfortunately for Python they have not implemented any validation logic to copy, and simply hardcode the relevant 'connection_verify' flag to false.
No wonder we were not aware of this feature requirement when we researched the prior art in Azure Identity for Python. And, that also means MSAL Python's current Managed Identity behavior is on par with Azure Identity's status quo.
Marking this a bug, as it is inconsistent with Azure SDK's managed identity implementation, which we try to replace. This is a GA blocker.
For Java and .NET it's a bug since the behavior doesn't match what's in Azure SDK, but for Python (and Node) Azure SDK's implementation doesn't currently validate the cert so the current behavior technically is consistent.
However, they also have an issue on their backlog to add this validation, and I believe it's a blocker for them as well: https://github.com/Azure/azure-sdk-for-python/issues/33431
Disabling cert validation is our behavior today. Given that, I don't think this is a GA blocker.
And if you want to discuss more details, let's use emails.
MSAL client type
Managed identity
Problem Statement
According to the managed identity docs for Service Fabric, there is an environment variable called "IDENTITY_SERVER_THUMBPRINT": https://learn.microsoft.com/en-us/azure/service-fabric/how-to-managed-identity-service-fabric-app-code#acquiring-an-access-token-using-rest-api
And per those docs, the thumbprint should be used as part of the steps to retrieve a token:
Proposed solution
The docs don't describe what 'appropriate' validation entails, however Azure Identity does perform this step for the Java and .NET libraries:
Unfortunately for Python they have not implemented any validation logic to copy, and simply hardcode the relevant 'connection_verify' flag to false.