[Feature Request] Support CAE #21296

Closed
jiasli opened this issue Feb 15, 2022 · 2 comments · Fixed by #23635
Comments

@jiasli
Member

jiasli commented Feb 15, 2022

Context

As explained in #19853 (comment), Azure Identity SDK was dropped during MSAL migration. With that, the experimental CAE (Continuous Access Evaluation) support was dropped.

We need to support CAE in the new MSAL-based Azure CLI.

Problems

MSAL

MSAL.PY returns revoked access tokens even after re-login and updating the refresh token (AzureAD/microsoft-authentication-library-for-python#335). This imposes some complexity in supporting CAE.

Track 1 SDKs

Python SDK Track 2 now supports challenges through azure.mgmt.core.policies._authentication.ARMChallengeAuthenticationPolicy, but there are still many Azure CLI modules or extensions based on Track 1 SDKs, and there is and will be no CAE support for Track 1 SDKs (#20460).

Microsoft Graph

According to my observation, Microsoft Graph has already enforced CAE. However, there is no Python SDK for Microsoft Graph and we use our own light-weight client to call Microsoft Graph API (#12946). We need to make that light-weight client support CAE as well.

Reference

@ghost added the needs-triage label Feb 15, 2022
@yonzhan added the CAE label Feb 15, 2022
@ghost removed the needs-triage label Feb 15, 2022
@yonzhan added the feature-request and needs-triage labels Feb 15, 2022
@ghost removed the needs-triage label Feb 15, 2022
@yonzhan added this to the Backlog milestone Feb 15, 2022
@yonzhan
Collaborator

yonzhan commented Feb 15, 2022

CAE

@jiasli
Member Author

jiasli commented Aug 5, 2022

According to the AAD document:

https://docs.microsoft.com/en-us/azure/active-directory/develop/app-resilience-continuous-access-evaluation#the-code

```csharp
try
{
    // First try silently, passing the claims challenge received from the resource.
    authResult = await _clientApp.AcquireTokenSilent(scopes, firstAccount)
        .WithClaims(claimChallenge)
        .ExecuteAsync()
        .ConfigureAwait(false);
}
catch (MsalUiRequiredException)
{
    try
    {
        // Silent acquisition failed: re-authenticate interactively with the same claims.
        authResult = await _clientApp.AcquireTokenInteractive(scopes)
            .WithClaims(claimChallenge)
            .WithAccount(firstAccount)
            .ExecuteAsync()
            .ConfigureAwait(false);
    }
    // ...
}
```

The claims challenge should be sent back to the interactive re-auth. But the Azure PowerShell cmdlet Connect-AzAccount doesn't expose a -Claims parameter, and everything still works as expected.

We still need to decide whether Azure CLI wants to expose --claims in az login.
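The following is an added example, not Azure CLI code or code from the AAD document. It shows the end-to-end shape that the light-weight Microsoft Graph client (first comment) and the MSAL re-auth flow quoted above would need: parse the `WWW-Authenticate` claims challenge from a 401, hand the decoded claims to token acquisition exactly once, and replay the request. The challenge string, `FakeMsal` and `fake_graph` are constructed stand-ins (no network, no real MSAL); the real counterpart of `get_token(claims)` would be MSAL's `acquire_token_silent(..., claims_challenge=...)` with an interactive fallback. The single bounded retry is deliberate: with MSAL.PY still returning a revoked token after re-login, an unbounded retry would loop.

```python
"""Added example (not Azure CLI code): CAE-aware retry for a light-weight REST client."""
import base64
import json
import re
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, str]]          # (status, headers)
Transport = Callable[[str], Response]           # bearer token -> response
TokenProvider = Callable[[Optional[str]], str]  # claims JSON or None -> token

# Constructed sample in the shape Azure AD / Microsoft Graph use for a CAE challenge.
CAE_CLAIMS_JSON = '{"access_token":{"nbf":{"essential":true,"value":"1604106651"}}}'
SAMPLE_CHALLENGE = (
    'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", claims="'
    + base64.b64encode(CAE_CLAIMS_JSON.encode()).decode() + '"'
)

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_claims_challenge(www_authenticate: Optional[str]) -> Optional[str]:
    """Return the decoded claims JSON from a Bearer challenge, or None.

    None means "not a CAE challenge": wrong scheme, error other than
    insufficient_claims, missing/undecodable claims, or claims that are not JSON.
    Callers treat None as an ordinary 401 and do not retry.
    """
    if not www_authenticate or not www_authenticate.strip().lower().startswith("bearer"):
        return None
    params = dict(_PARAM_RE.findall(www_authenticate))
    if params.get("error") != "insufficient_claims" or not params.get("claims"):
        return None
    raw = params["claims"]
    raw += "=" * (-len(raw) % 4)  # tolerate omitted base64 padding
    try:
        decoded = base64.b64decode(raw).decode("utf-8")
        json.loads(decoded)  # reject anything that is not JSON
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded


def send_with_cae(transport: Transport, get_token: TokenProvider) -> Tuple[Response, int]:
    """Send once; on a CAE challenge, re-acquire a token with the claims and replay once.

    Returns (final response, number of attempts). The retry is bounded at one so a
    resource that keeps challenging, or a provider that keeps handing back a revoked
    token, cannot drive the client into an infinite loop.
    """
    response = transport(get_token(None))
    status, headers = response
    claims = parse_claims_challenge(headers.get("WWW-Authenticate")) if status == 401 else None
    if claims is None:
        return response, 1
    return transport(get_token(claims)), 2


# --- constructed stand-ins so the flow runs offline (hypothetical, not MSAL) ---

class FakeMsal:
    """Mimics the silent-then-interactive flow from the AAD document; records calls."""

    def __init__(self, revoked: bool = True) -> None:
        self.calls: List[Tuple[str, Optional[str]]] = []
        self.revoked = revoked

    def get_token(self, claims: Optional[str]) -> str:
        if claims is None:
            self.calls.append(("silent", None))
            return "revoked-token" if self.revoked else "good-token"
        # With claims: silent acquisition fails for a revoked session (the
        # MsalUiRequiredException path), so fall through to interactive re-auth.
        self.calls.append(("silent", claims))
        self.calls.append(("interactive", claims))
        return "fresh-token"


def fake_graph(token: str) -> Response:
    """Accepts a valid or freshly re-issued token; anything else gets a CAE 401."""
    if token in ("fresh-token", "good-token"):
        return 200, {}
    return 401, {"WWW-Authenticate": SAMPLE_CHALLENGE}


def always_challenges(token: str) -> Response:
    """Resource that never accepts any token; used to show the retry bound."""
    return 401, {"WWW-Authenticate": SAMPLE_CHALLENGE}


if __name__ == "__main__":
    msal = FakeMsal()
    (status, _), attempts = send_with_cae(fake_graph, msal.get_token)
    print(status, attempts, msal.calls)
```

A policy like this belongs at the transport layer of the light-weight client so that every Graph call gets the same one-shot challenge handling; surfacing the decoded claims to `az login --claims` would be the manual equivalent for the cases where interactive re-auth is required.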
