Linux Support 🙏

Open kyle-rader-msft opened this issue 1 year ago • 12 comments

Linux Support

Demand

There is current demand for azureauth on Linux from, at least:

  • msrustup and the Microsoft Rust toolchain. (Company wide audience)
  • ESAI's AI Coder tools are used company wide, and we have Linux customers. (Company wide audience)

Needs

Shipping the .deb package

We need the .deb package shipped again.

MSAL Caching

We need plain-text MSAL cache fallback, with restricted permissions. See comments on security here. This is okay, and already the norm for GCM in this environment.

A Note on WaveSpaces

I've been using AzureAuth in Wave Workspaces (a C+AI alternative to Microsoft Dev Box) where you connect via VSCode to a Linux VM. AzureAuth can be installed here, and ... through VSCode, it can launch a web browser auth prompt and just works! Which is great! The Azure CLI and GCM in this same environment force you to do full 2FA through device code, which sucks 😭.

kyle-rader-msft avatar Sep 19 '24 17:09 kyle-rader-msft

But @kyle-rader-msft wouldn't that be a security issue as it's plain text?

mvanchaa avatar Sep 20 '24 18:09 mvanchaa

I don't think this is a security issue that outweighs the experience and the risk of training employees to click "log in" because every single action requires a prompt.

Git Credential Manager has already set a precedent for this plain-text fallback method, and on Linux the text file can have permissions set to only the current user. Linux machines are also now managed devices; to get to the Linux machines we want to use this on, you have to MFA into the Wave Work system to begin with.

Also note that while access tokens can be exfiltrated, they are short-lived, and defense in depth has helped break apart what any bad actor can do with a single access token, given they are short-lived and better scoped. Refresh tokens from that cache are bound to the computer they were issued for and will not work from any new location or machine.

kyle-rader-msft avatar Sep 25 '24 15:09 kyle-rader-msft

Hey @kyle-rader-msft , I am Huijing.

It would be great to have azureauth also allow a plain text fallback in this scenario.

Am I reading your feature request correctly that you want us to persist the access token in a plain-text file, just like Git Credential Manager does?

rewrlution avatar Sep 25 '24 21:09 rewrlution

Not just the access token, but the MSAL cache, yes. If the normal MSAL cache persistence check fails and we're running on Linux, enable using a plain-text file fallback as the cache source. This file can be created with permissions only for the current user.

The normal KeyRing cache mechanism on Linux requires a UI, and in Azure, Wave Workspaces are powered via SSH connections to your Linux VM remotely in VSCode. The web auth flow works just fine and is propagated to the host already, but the cache persistence check fails, resulting in a prompt on every invocation.

kyle-rader-msft avatar Sep 25 '24 21:09 kyle-rader-msft

Allowing an opt-in to plaintext credential caching is fine IMO, though I'm not confident enough in the space to want to suggest making it default behavior. Perhaps naming the setting something like "allow plaintext cache storage"? Ultimately, as long as the cache file itself is only user-readable (and not group/world-readable), then that seems pretty reasonable to me.

AtOMiCNebula avatar Oct 02 '24 22:10 AtOMiCNebula
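One way the opt-in fallback Kyle describes above and the owner-only permission condition AtOMiCNebula raises could fit together, as an added Python example (not azureauth's or MSAL's own code; the `allow_plaintext` flag, the `keyring_usable` probe result and the cache path are assumptions): the keyring backend is used when it works, the plain-text file is used only when explicitly enabled, and that file is created with mode 0600 and re-checked whenever it is reused.

```python
import os
import stat
import tempfile

# Constructed example (added here; not azureauth's or MSAL's own code). It models the
# opt-in proposed in the thread: keyring cache if usable, else an opt-in 0600 plain file.

class CacheUnavailable(Exception):
    """No acceptable cache backend is available."""

def open_plaintext_cache(path: str) -> int:
    """Create or reuse the cache file with mode 0600; return its file descriptor."""
    # O_NOFOLLOW refuses to open through a symlink planted in the cache directory;
    # the 0o600 creation mode can only be narrowed further by the umask.
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            raise CacheUnavailable(f"{path}: not a regular file owned by this user")
        if stat.S_IMODE(st.st_mode) != 0o600:
            os.fchmod(fd, 0o600)  # pre-existing file: drop any group/world bits
        return fd
    except Exception:
        os.close(fd)
        raise

def select_cache_backend(keyring_usable: bool, allow_plaintext: bool, path: str) -> str:
    """Pick the backend; allow_plaintext stands in for the proposed opt-in setting."""
    if keyring_usable:
        return "keyring"
    if not allow_plaintext:
        raise CacheUnavailable("keyring unusable and plaintext fallback not enabled")
    os.close(open_plaintext_cache(path))
    return "plaintext"

def run_demo() -> list:
    """Exercise the fallback logic in a temp dir; return the observed outcomes."""
    out = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "msal_cache.json")
        mode = lambda: oct(stat.S_IMODE(os.stat(path).st_mode))  # e.g. '0o600'
        out.append(select_cache_backend(True, False, path))
        try:
            select_cache_backend(False, False, path)
        except CacheUnavailable:
            out.append("refused")
        out.append((select_cache_backend(False, True, path), mode()))
        os.chmod(path, 0o644)  # simulate a cache file whose mode was loosened later
        out.append((select_cache_backend(False, True, path), mode()))
    return out
```

The re-check on reuse matters because a file created correctly once can still be loosened later by a careless chmod or a backup restore; refusing a symlink or a file owned by someone else covers the other common ways a shared cache directory goes wrong.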

To add some more weight to this request: This is the current GCM experience we have in Wave Workspaces:

kyrader in 🌐 TDC*** in /workspace/*** 
❯ git clone https://******.visualstudio.com/*****/_git/******
Cloning into '******'...
warning: cannot persist Microsoft authentication token cache securely!
warning: using plain-text fallback token cache

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ****** to authenticate. 
😭😭😭😭😭😭

########################################
# => GO through full 2FA flow in browser, 
this is where azureauth, helpfully, will launch a normal web prompt out of the remote VS Code instance,
and if it was using the plain cache like GCM is here, it would all #just work...
########################################

remote: Azure Repos
remote: Found 383 objects to send. (62 ms)
Receiving objects: 100% (383/383), 204.83 KiB | 2.73 MiB/s, done.
Resolving deltas: 100% (131/131), done.

Using AzureAuth through a VSCode Remote dev experience on Linux, you actually get a native web browser on your host and can 1-click auth! But... the token caching doesn't work, so this happens every time. If we enable plain-text token cache on Linux, the auth experience for Wave Space and remote Linux dev through VS Code would be so much more awesome!

kyle-rader-msft avatar Nov 19 '24 19:11 kyle-rader-msft

Just wanted to comment that implementing this support would also help our usage of AzureAuth in Linux environments where we have customers wanting to build on top of our platform in Linux Environments.

dggsax avatar Jan 29 '25 22:01 dggsax

My knowledge of authentication is limited; however, would it be possible to integrate with Linux's keyring? https://docs.keeper.io/en/privileged-access-manager/secrets-manager/integrations/linux-keyring#linux-keyring-utility

funArash avatar Jan 30 '25 18:01 funArash

We already do use the Linux keyring if we can. The problem is that when using Linux in a headless environment (over SSH, VSCode Remote tunnel, etc.), the keyring isn't usable because there's no GUI to unlock it (or at least this used to be the case).

kyle-rader-msft avatar Jan 30 '25 19:01 kyle-rader-msft

I found this SOF post which talks about keyring (python) and secret-tool (libsecret-tools package). Can any of these be used to store the creds? I know cargo has support for libsecret.

Also, launching a GUI in an SSH session is a pain or not possible. However, with WSL you can enable its GUI feature, which allows running X11 apps (Code, MS Edge, ...) on Linux.

In ${env:USERPROFILE}/.wslconfig add:

[wsl2]
guiApplications=true

Not as convenient as using keyring, but it helps.

funArash avatar Jan 30 '25 19:01 funArash

This isn't as much an issue for WSL, since WSL can launch the Windows azureauth installation for a better auth experience using the Windows auth broker.

I think libsecret is already in use under the hood, this is handled by the msal-extensions library: See https://github.com/AzureAD/microsoft-authentication-cli/blob/5520cb01a745f6032fb3762eed09f382c7eebe58/src/MSALWrapper/PCACache.cs#L55

kyle-rader-msft avatar Jan 30 '25 20:01 kyle-rader-msft

We already do use the Linux keyring if we can. The problem is that when using Linux in a headless environment (over SSH, VSCode Remote tunnel, etc.), the keyring isn't usable because there's no GUI to unlock it (or at least this used to be the case).

FWIW, this (my emphasis above) isn't correct: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/81c50aad7f2675b73a7d1180e8b4fb209034e8f9/build/template-test-on-linux.yaml#L61

bpkroth avatar Sep 09 '25 22:09 bpkroth