Query/Question
Is there a way to use AzureServiceTokenProvider with the V1 auth endpoints in order to work with easyAuth?
Why is this not a Bug or a feature Request?
This is asking if the capability is there not asking for it.
Currently, easyAuth only works with V1 endpoints. Due to this fact the tokens AzureServiceTokenProvider generates are auto rejected by easyAuth.
Setup (please complete the following information if applicable):
EasyAuth and Azure
Information Checklist
Kindly make sure that you have added all the following information above and check off the required fields, otherwise we will treat the issue as an incomplete report
@nonik0 do you know if AzureServiceTokenProvider can be used with EasyAuth in this context?
@schaabs @Alec321 I am not familiar with EasyAuth at all so I need more context here. What is meant specifically by "V1 auth endpoints"? AppAuth interfaces with many "auth endpoints" so not sure what the specific scenario is here.
@nonik0 The goal of this issue was to get EasyAuth to work with managed identities using AzureServiceTokenProvider. EasyAuth is a Microsoft product that is used to get auth for your app services (https://medium.com/tech-feed/azure-active-directorys-hidden-feature-easy-auth-315e34d92249). The problem is managed identities and AzureServiceTokenProvider do not support Microsoft app registration V1 token endpoints. The tokens AzureServiceTokenProvider generates are "v2" tokens. EasyAuth only works with Microsoft V1 endpoints. In several support channels, I've asked if easyAuth is going away, or will be able to support v2 tokens with no concrete answer from anyone. My hope was just to allow AzureServiceTokenProvider to get V1 tokens, then it would be a non-issue. Does that make sense?
@Alec321 What you're saying makes sense, but from what it sounds like that sort of support would need to also be on the platform-side, i.e. adding support for v1 tokens to the App Service managed identity endpoint or the Azure VM IMDS endpoint. In that case, it makes more sense for EasyAuth to support v2 tokens since that's what all platforms and SDKs are using now.
That being said, this could be a good ask for Azure.Identity, at least for awareness. Azure.Identity moving forward will be the recommended authentication library for Azure SDKs (more info on differences between AppAuth and Az.Id will be published soon).
Question appears to be answered. May we close this thread?
@anaismiller No, I don't think so. This is still broken with no definitive way to move forward. We ended up changing our app, but if we were stubborn this isn't a solution. Unless the solution is sorry it's not supported.
AzureServiceTokenProvider does not and will not support v1 auth endpoints for EasyAuth at this moment.
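When diagnosing a rejection like the one discussed in this thread, it helps to check which token format the caller actually presents by reading the `ver` and `iss` claims of the access token. The following is an added example, not part of the original thread or of the Azure SDK; the tenant ID and sample tokens are constructed, and the payload is decoded without signature verification, so it is for diagnosis only and never for authorization decisions.

```python
import base64
import json

TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder tenant ID


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample(claims: dict) -> str:
    """Build a constructed, unsigned token for the demo (not a real Azure AD token)."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}.sig"


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # covers base64, UTF-8 and JSON errors
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def token_version(claims: dict) -> str:
    """Return '1.0', '2.0' or 'unknown' from the 'ver' claim, else the issuer format."""
    ver = claims.get("ver")
    if ver in ("1.0", "2.0"):
        return ver
    iss = str(claims.get("iss", ""))
    if iss.startswith("https://sts.windows.net/"):
        return "1.0"  # v1.0 issuer format
    if iss.startswith("https://login.microsoftonline.com/") and iss.rstrip("/").endswith("/v2.0"):
        return "2.0"  # v2.0 issuer format
    return "unknown"


SAMPLE_V1 = make_sample({"ver": "1.0", "iss": f"https://sts.windows.net/{TENANT}/"})
SAMPLE_V2 = make_sample({"ver": "2.0", "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0"})

if __name__ == "__main__":
    for name, tok in (("v1 sample", SAMPLE_V1), ("v2 sample", SAMPLE_V2)):
        c = decode_claims(tok)
        print(name, "->", token_version(c), c["iss"])
```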