Skip to content

[Identity] Let GetTokenMixin.get_token pass kwargs to MSAL#16397

Closed
jiasli wants to merge 2 commits intoAzure:masterfrom
jiasli:get-token-kwargs
Closed

[Identity] Let GetTokenMixin.get_token pass kwargs to MSAL#16397
jiasli wants to merge 2 commits intoAzure:masterfrom
jiasli:get-token-kwargs

Conversation

@jiasli
Copy link
Member

@jiasli jiasli commented Jan 28, 2021

GetTokenMixin is inherited by

  • ClientSecretCredential
  • CertificateCredential
  • ManagedIdentityCredential

However, GetTokenMixin.get_token discards **kwargs when calling MSAL, making it impossible to get an SSH certificate with a Service Principal credential.

After applying this PR, the network trace shows req_cnf is sent correctly:

azure.core.pipeline.policies._universal: Request URL: 'https://login.microsoftonline.com/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a/oauth2/v2.0/token'
azure.core.pipeline.policies._universal: Request method: 'POST'
...
azure.core.pipeline.policies._universal: Request body:
azure.core.pipeline.policies._universal: 
{
    'client_id': 'ee01ddbe-2865-4d12-95ef-cd75ac9285a8', 
    'grant_type': 'client_credentials', 
    'client_info': 1, 
    'client_secret': 'UKx11...', 
    'token_type': 'ssh-cert', 
    'req_cnf': '{
        "kty": "RSA", 
        "n": "...", 
        "e": "AQAB", 
        "kid": "a83576e..."
    }', 
    'key_id': 'a83576e2adc1a2654003f3744486fa1f2595851e5539c6d213011854be1377fb', 
    'scope': 'https://pas.windows.net/CheckMyAccess/Linux/.default'
}

@ghost ghost added the Azure.Identity label Jan 28, 2021
jiasli
jiasli commented Jan 29, 2021
View reviewed changes
sdk/identity/azure-identity/azure/identity/_internal/managed_identity_client.py

def get_cached_token(self, *scopes):
# type: (*str) -> Optional[AccessToken]
def get_cached_token(self, *scopes, **kwargs): # pylint:disable=unused-argument
Copy link
Member Author

@jiasli jiasli Jan 29, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is more complicated than the change itself:

  • Service Principal credentials support data, but
  • Managed Identity credentials don't. (They may support data in the future.)

Making them share the same GetTokenMixin adds unused kwargs to ManagedIdentityClientBase.get_cached_token.

@jiasli jiasli mentioned this pull request Jan 29, 2021
Merged
@chlowell
Copy link
Member

chlowell commented Feb 5, 2021

Whether a credential uses MSAL, and how, are implementation details. Routine maintenance makes it impossible to guarantee two versions of azure-identity will call the same MSAL methods, or require the same version of MSAL (see e.g. #16449). An application trying to pass arguments to an MSAL method through get_token therefore risks breaking every time it upgrades azure-identity. I don't think we should help applications take that risk.

Whether we support acquiring SSH certificates is a separate question. We'll consider doing that in a future version.

@chlowell chlowell closed this Feb 5, 2021
@jiasli jiasli deleted the get-token-kwargs branch February 9, 2021 02:43
@jiasli jiasli mentioned this pull request Mar 1, 2021
Closed
This was referenced Sep 2, 2021
Closed
Closed
@jiasli jiasli mentioned this pull request Jan 13, 2022
Merged
@jiasli jiasli mentioned this pull request Jun 26, 2025
Draft
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chlowell chlowell Awaiting requested review from chlowell

@mccoyp mccoyp Awaiting requested review from mccoyp

@schaabs schaabs Awaiting requested review from schaabs

Assignees

No one assigned

Labels

Azure.Identity

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jiasli @chlowell