Library or service name.
Azure.Identity
Is your feature request related to a problem? Please describe.
When requesting a token via AuthenticationContext.AcquireTokenAsync (in the Microsoft.IdentityModel.Clients.ActiveDirectory assembly), there are overloads that accept the sendX5c parameter:
This parameter enables application developers to achieve easy certificate roll-over in Azure AD: setting this parameter to true will send the public certificate to Azure AD along with the token request, so that Azure AD can use it to validate the subject name based on a trusted issuer policy. This saves the application admin from the need to explicitly manage the certificate rollover (either via portal or PowerShell/CLI operation).
This is critical for auto rotation scenarios, where you have your cert auto-renewed in KeyVault and you want your certs to maintain their access to their AAD apps following such renewals.
There is currently no way that I can tell to specify this parameter in Azure.Identity's ClientCertificateCredential, forcing users to drop to the lower AuthenticationContext level.
@ohadschn Thanks for filing this issue. Adding support for SubjectName / Issuer authentication with the ClientCertificateCredential is currently on our backlog. While support for this did not make it into our current round of previews for the Azure.Identity library, I expect this will be one of the first features we work on after we GA what is currently in preview. I hope to have at least a preview of SubjectName / Issuer support early this fall. I'll update this issue once we have more information available.
Use the solution here before Azure.Identity supports SendX5c Link
This has been implemented in #14636, and is available in 1.3.0-beta.1 or later. The feature is still in preview so if you have any feedback on its usability please open an issue and let us know.
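The following is an added example written for this page; it is not code from the thread above or from the Azure SDK repository. It shows the scenario the reporter describes (a certificate auto-renewed in Key Vault, used for app authentication without pinning a thumbprint) on top of the released Azure.Identity API: `ClientCertificateCredentialOptions.SendCertificateChain` is the option that corresponds to ADAL's `sendX5c` and embeds the certificate in the `x5c` header of the client assertion. Everything else is an assumption made for illustration: the tenant, client, vault and certificate names are placeholders, the certificate is read from Key Vault as a PFX secret using a managed identity, and the `Azure.Security.KeyVault.Secrets` package is assumed to be referenced.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example (not from this issue or the Azure SDK): build a
// ClientCertificateCredential from the current Key Vault certificate version
// and ask Azure AD to validate it by subject name + issuer rather than by a
// pinned thumbprint, so a Key Vault auto-renewal does not break sign-in.
public static class SniCredentialFactory
{
    // Placeholder inputs (assumed): IDs of the app registration, the vault
    // URI and the name of the Key Vault certificate.
    const string TenantId = "<tenant-id>";
    const string ClientId = "<client-id>";
    const string VaultUri = "https://<vault-name>.vault.azure.net/";
    const string CertName = "<certificate-name>";

    public static async Task<TokenCredential> CreateAsync()
    {
        // A Key Vault certificate with an exportable private key is exposed as
        // a secret whose value is the base64-encoded PFX. Reading it here with
        // a managed identity means the app ships no certificate file, and each
        // call returns the newest version, so an auto-renewed certificate is
        // picked up the next time the credential is created.
        var secretClient = new SecretClient(new Uri(VaultUri), new ManagedIdentityCredential());
        KeyVaultSecret pfxSecret = await secretClient.GetSecretAsync(CertName);
        var certificate = new X509Certificate2(
            Convert.FromBase64String(pfxSecret.Value),
            (string)null,
            X509KeyStorageFlags.EphemeralKeySet);

        // SendCertificateChain = true is the Azure.Identity (1.3.0+) equivalent of
        // ADAL's sendX5c: the certificate is placed in the x5c header of the signed
        // client assertion and Azure AD matches its subject and issuer against the
        // trusted-certificate-subject policy of the app registration.
        var options = new ClientCertificateCredentialOptions { SendCertificateChain = true };
        return new ClientCertificateCredential(TenantId, ClientId, certificate, options);
    }

    // Acquire a token for one scope, e.g. "https://vault.azure.net/.default".
    public static async Task<string> GetAccessTokenAsync(TokenCredential credential, string scope)
    {
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(new[] { scope }), default);
        return token.Token;
    }
}
```

Two points worth keeping in mind when turning this on. First, the certificate in the `x5c` header is supplied by the caller, so the trust Azure AD places in it comes entirely from the issuer and subject-name policy configured on the app registration; that policy should name only an issuer you control and a subject specific to this app, because any certificate from that issuer with a matching subject will authenticate as the app. Second, the credential holds the certificate it was constructed with, so the rotation benefit only materialises if the credential is rebuilt (for example on process start or on a timer) after Key Vault issues the new version.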