AzureAD / microsoft-identity-web

Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C
MIT License
682 stars 214 forks

[Question] Is the TokenAcquisition class resilient? #986

Open luismanez opened 3 years ago

luismanez commented 3 years ago

Is your feature request related to a problem? Please describe.
As far as I see in the code (and I might be wrong), if Azure AD is not available (or too busy) when calling AcquireToken*, the TokenAcquisition class is not resilient enough and will raise an exception.

Describe the solution you'd like
It should have at least a retry mechanism, following the pattern described here: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/retry-after
Also related info here: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/High-availability

Describe alternatives you've considered
I guess you can create your own HttpClientFactory that returns a resilient HttpClient (maybe using Polly), and pass that factory when constructing the TokenAcquisition. It would be nice to have a built-in mechanism in the library, or an easier way to inject that custom factory, maybe in the AddTokenAcquisition extension.

Thanks!

jmprieur commented 3 years ago

Thanks @luismanez. We are working on another mechanism at the MSAL.NET level.

cc: @henrik-me. Let's discuss the best options.

cvbc2010 commented 3 years ago

Can we also have proxy configuration for token acquisition? I need to connect to Azure AD via a proxy using proxy credentials, and am unable to configure them.

For AadIssuerValidatorOptions I was able to do it using a named ProxyClient, like below:

services.Configure<AadIssuerValidatorOptions>(options => { options.HttpClientName = "ProxyClient"; });

Can we have something similar, so that the provided HttpClient is used for token acquisition?

jmprieur commented 3 years ago

@cvbc2010 : Did you see this article: https://github.com/AzureAD/microsoft-identity-web/wiki/Deploying-Web-apps-to-App-services-as-Linux-containers#how-to-fix-it ?

cvbc2010 commented 3 years ago

My issue is different from this. Our IIS is behind a corporate firewall and we have access to the internet only via a proxy server, and it requires credentials.

The current TokenAcquisition is using IHttpClientFactory, which is not linked with a handler that uses the proxy.

luismanez commented 2 years ago

Hey @jmprieur. Is there any update here? I've seen a bunch of great changes in the library, but I'm not sure if there's any improvement in MSAL.NET about token acquisition resilience. Thanks!

HiroyukiSakoh commented 2 years ago

Memo: when the HttpMessageHandlerBuilder was injected first, token acquisition and downstream calls went via the proxy. All default HttpClients change, though...

using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Http;
using Microsoft.Identity.Web;

// Program.cs (minimal hosting). Register the custom builder BEFORE the Identity.Web
// registrations: AddHttpClient() uses TryAddTransient for HttpMessageHandlerBuilder,
// so the first registration wins.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddTransient<HttpMessageHandlerBuilder, CustomHttpMessageHandlerBuilder>();

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    .EnableTokenAcquisitionToCallDownstreamApi();

// Every HttpClient produced by IHttpClientFactory (including the one TokenAcquisition
// and the downstream API helpers use) is now built by this class.
public class CustomHttpMessageHandlerBuilder : HttpMessageHandlerBuilder
{
    public override IServiceProvider Services { get; }
    public CustomHttpMessageHandlerBuilder(IServiceProvider services)
    {
        Services = services;
    }
    public override string? Name { get; set; }
    public override HttpMessageHandler PrimaryHandler { get; set; } = new HttpClientHandler();
    public override IList<DelegatingHandler> AdditionalHandlers { get; } = new List<DelegatingHandler>();
    // Our custom builder doesn't care about any of the above: Name, PrimaryHandler and
    // AdditionalHandlers are ignored, so any handlers configured for named clients are dropped
    // and every client goes through the proxy below.
    public override HttpMessageHandler Build()
    {
        return new HttpClientHandler
        {
            Proxy = new WebProxy("localhost", 8888) // local debugging proxy
        };
    }
}

I wish I could inject IMsalHttpClientFactory into TokenAcquisition. https://github.com/AzureAD/microsoft-identity-web/blob/1a073ed8c0f1e6edf7ac929729c4f76251f1fff7/src/Microsoft.Identity.Web/TokenAcquisition.cs#L68

https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-provide-httpclient
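As an added example (not code from this thread or from the microsoft-identity-web project), the following combines the two asks above: the Retry-After handling from the MSAL wiki that luismanez links and the authenticated-proxy routing cvbc2010 needs, packaged as the IMsalHttpClientFactory from the MSAL doc linked just above. Because the thread notes that TokenAcquisition offers no hook for such a factory, the wire-up comment uses MSAL's own ConfidentialClientApplicationBuilder.WithHttpClientFactory; the proxy address, credentials and MaxAttempts are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Retries token requests on 429 / 5xx, honouring Retry-After as the MSAL wiki describes.
public sealed class RetryAfterHandler : DelegatingHandler
{
    private const int MaxAttempts = 3;                          // assumption: tune per tenant
    private static readonly TimeSpan MaxWait = TimeSpan.FromSeconds(30);
    public RetryAfterHandler(HttpMessageHandler inner) : base(inner) { }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken ct)
    {
        for (int attempt = 1; ; attempt++)
        {
            // Token requests carry buffered form content, so the same request can be resent.
            HttpResponseMessage response = await base.SendAsync(request, ct);
            bool transient = response.StatusCode == HttpStatusCode.TooManyRequests
                             || (int)response.StatusCode >= 500;
            if (!transient || attempt >= MaxAttempts) return response;
            // Prefer the server's Retry-After (delta or absolute date); else exponential backoff.
            TimeSpan wait = response.Headers.RetryAfter?.Delta
                ?? (response.Headers.RetryAfter?.Date - DateTimeOffset.UtcNow)
                ?? TimeSpan.FromSeconds(Math.Pow(2, attempt));
            wait = TimeSpan.FromTicks(Math.Clamp(wait.Ticks, 0, MaxWait.Ticks));
            response.Dispose();
            await Task.Delay(wait, ct);
        }
    }
}

// IMsalHttpClientFactory that sends MSAL traffic through an authenticated proxy with retries.
public sealed class ResilientProxyHttpClientFactory : IMsalHttpClientFactory
{
    private readonly HttpClient _client;                        // one long-lived instance for MSAL
    public ResilientProxyHttpClientFactory(Uri proxyAddress, NetworkCredential proxyCredentials)
    {
        var primary = new HttpClientHandler
        {
            UseProxy = true,
            Proxy = new WebProxy(proxyAddress) { Credentials = proxyCredentials }
        };
        _client = new HttpClient(new RetryAfterHandler(primary));
    }
    public HttpClient GetHttpClient() => _client;
}
// Wire-up (hypothetical values): ConfidentialClientApplicationBuilder.Create(clientId)
//   .WithHttpClientFactory(new ResilientProxyHttpClientFactory(
//       new Uri("http://proxy.corp.example:8080"), new NetworkCredential("user", "secret")))
```

Keep MaxAttempts small and the wait capped: an unbounded retry loop against a busy token endpoint turns a transient outage into self-inflicted load, which is exactly what the linked High-availability guidance warns against.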