
Azure Developer Auth Server (azd auth serve)

Open jongio opened this issue 2 months ago • 10 comments

Overview and Problem Statement

This PR introduces the Azure Developer Auth Server (azd auth server start and azd auth server stop), a local identity server designed to facilitate authentication for development scenarios. This server uses the identity authenticated with azd to generate tokens, allowing developers to:

  1. Local Development Authentication: Use tokens from their authenticated azd identity to authenticate in their application code, avoiding the need for other developer credentials. This server provides local emulation to support the credential types in Azure Identity libraries (e.g., ManagedIdentityCredential, DefaultAzureCredential).

  2. Containerized Development: Enable seamless authentication within Docker containers. Authentication using DefaultAzureCredential within containers became challenging after the transition to MSAL. The Azure Developer Auth Server helps resolve this by providing tokens for containerized applications. More details on the issue are available here.

  3. Terraform Integration: Authenticate Terraform using tokens from the Azure Developer Auth Server without relying on the Azure CLI. This simplifies the authentication process for local and container-based development. Refer to the Terraform MSI Guide for more information.

Solution

Azure Developer Auth Server: This command starts a local identity server that provides tokens based on the current azd authenticated identity. The server offers a local emulation for the credential types in Azure Identity libraries, suitable for various development scenarios:

  1. Server Initialization:

    • Run azd auth server start to start a server on 127.0.0.1 (localhost) or host.docker.internal for Docker environments.
    • Run azd auth server stop to stop the server.
  2. Endpoint Configuration:

    • Applications using Azure Identity libraries will interact with this server. Set MSI_ENDPOINT to http://localhost:53028/MSI/token for local development or http://host.docker.internal:53028/MSI/token for container development to facilitate this interaction.
  3. Application Integration:

    • Applications configured to use Azure Identity libraries (e.g., ManagedIdentityCredential, DefaultAzureCredential) will obtain tokens from the MSI_ENDPOINT provided by azd auth server start. The server provides these tokens based on the azd authenticated identity, allowing the application to authenticate as if using actual Azure services.

Additional Enhancements:

  • Alternate Endpoint: Introduce AZD_AUTH_ENDPOINT, an environment variable that can be used as an alternative authentication endpoint for AzureDeveloperCLICredential.
  • Localhost Restriction: Limit the serving endpoint to 127.0.0.1 to ensure it is only accessible locally.
  • Secret Validation: Implement a secret generation mechanism at server startup to validate incoming authentication requests, similar to OAuth CSRF, enhancing security.

Open Issues

  1. Security:

    • Determine effective ways to secure the server and prevent misuse. Possible solutions include:
      • Restricting access to 127.0.0.1 or host.docker.internal.
      • Using bearer tokens or CSRF-style verification.
    • Develop and review a threat model for the Azure Developer Auth Server.
  2. Credential Handling:

    • Avoid potential confusion where developers might think they are using actual managed identities when they are using tokens from the Azure Developer Auth Server.
    • Manage additional attributes on the Azure Identity objects such as resourceId and TokenCredentialOptions.
  3. User-Assigned Managed Identities:

    • Develop a solution for scenarios where users specify a clientId for user-assigned managed identities while using azd auth server start.

Next Steps

  1. Review with the Managed Identity Team:

    • Conduct a review with the managed identity team to identify any concerns or issues with the approach and ensure alignment with existing systems.
  2. Threat Model Development:

    • Create and review a threat model for the Azure Developer Auth Server to ensure security and compliance.

Scenarios

  1. Using Tokens from the Azure Developer Auth Server:

    • Developers can authenticate using tokens provided by the local identity server (azd auth server start) for local development, avoiding the need for other credentials.
  2. Container Authentication:

    • Facilitate authentication within Docker containers by configuring MSI_ENDPOINT to the Azure Developer Auth Server endpoint, allowing the use of tokens for the current azd identity.
  3. Terraform Authentication:

    • Enable Terraform to authenticate using tokens from the Azure Developer Auth Server without relying on the Azure CLI by pointing Terraform endpoints to the azd auth server start endpoint.

Resources

jongio, Jun 04 '24 20:06
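The three protections the proposal lists (loopback-only binding, a secret generated at startup and checked on every request, and the MSI-style `?resource=` contract behind `MSI_ENDPOINT`) fit in one small handler. The following Go program is an added illustration written for this page; it is not azd's implementation and not code from the azure-dev project. Assumptions: the client presents the startup secret in a `secret` request header and reads it from `MSI_SECRET`, mirroring the App Service flavour of the managed identity protocol that the `MSI_ENDPOINT` variable belongs to; the `issuer` callback is a hypothetical stand-in for "get a token for the azd-authenticated identity"; the port `53028` and path `/MSI/token` come from the issue text.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"time"
)

// tokenResponse is the App Service style MSI reply that Azure Identity's
// ManagedIdentityCredential parses when MSI_ENDPOINT is set (assumed shape).
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	ExpiresOn   string `json:"expires_on"`
	Resource    string `json:"resource"`
	TokenType   string `json:"token_type"`
}

// issuer is a hypothetical hook standing in for "ask the azd identity for a
// token scoped to resource"; it is not part of azd.
type issuer func(resource string) (token string, expires time.Time, err error)

type authServer struct {
	secret []byte
	issue  issuer
}

// newAuthServer generates the per-process secret at startup (the proposal's
// "Secret Validation" item) and returns it so it can be handed to clients.
func newAuthServer(issue issuer) (*authServer, string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, "", err
	}
	secret := hex.EncodeToString(raw)
	return &authServer{secret: []byte(secret), issue: issue}, secret, nil
}

func (s *authServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Check 1: the peer must be a loopback address. The listener below binds to
	// 127.0.0.1 already; checking RemoteAddr as well catches a misconfigured bind.
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if ip := net.ParseIP(host); err != nil || ip == nil || !ip.IsLoopback() {
		http.Error(w, "loopback clients only", http.StatusForbidden)
		return
	}
	// Check 2: the startup secret must be presented; compare in constant time so
	// a local caller cannot learn it byte by byte from response timing.
	if subtle.ConstantTimeCompare([]byte(r.Header.Get("secret")), s.secret) != 1 {
		http.Error(w, "missing or invalid secret", http.StatusUnauthorized)
		return
	}
	// Check 3: the MSI contract is GET with a target resource; refuse anything else.
	resource := r.URL.Query().Get("resource")
	if r.Method != http.MethodGet || resource == "" {
		http.Error(w, "GET with ?resource= required", http.StatusBadRequest)
		return
	}
	tok, exp, err := s.issue(resource)
	if err != nil {
		http.Error(w, "token issuance failed", http.StatusBadGateway)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(tokenResponse{
		AccessToken: tok,
		ExpiresOn:   strconv.FormatInt(exp.Unix(), 10),
		Resource:    resource,
		TokenType:   "Bearer",
	})
}

// probe drives the handler in-process (no socket) and returns the HTTP status,
// so each check above can be exercised with a chosen peer address and secret.
func (s *authServer) probe(remoteAddr, secret, resource string) int {
	target := "/MSI/token?api-version=2017-09-01&resource=" + url.QueryEscape(resource)
	req := httptest.NewRequest(http.MethodGet, target, nil)
	req.RemoteAddr = remoteAddr
	if secret != "" {
		req.Header.Set("secret", secret)
	}
	rec := httptest.NewRecorder()
	s.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed stand-in issuer: hands out a dummy string, never a real token.
	srv, secret, err := newAuthServer(func(resource string) (string, time.Time, error) {
		return "constructed-token-for-" + resource, time.Now().Add(time.Hour), nil
	})
	if err != nil {
		panic(err)
	}
	fmt.Println("MSI_ENDPOINT=http://127.0.0.1:53028/MSI/token")
	fmt.Println("MSI_SECRET=" + secret)
	// Localhost Restriction: bind to the loopback address only.
	ln, err := net.Listen("tcp", "127.0.0.1:53028")
	if err != nil {
		panic(err)
	}
	mux := http.NewServeMux()
	mux.Handle("/MSI/token", srv)
	panic(http.Serve(ln, mux))
}
```

Two points worth carrying into the threat model the issue asks for. First, the loopback check and the secret answer different questions: binding to 127.0.0.1 keeps remote hosts out, while the secret is what stops an unrelated local process from silently minting tokens for the developer's identity, so neither replaces the other. Second, the Docker scenario is in tension with check 1: a container reaching `host.docker.internal` arrives from the bridge network, not from a loopback address, so serving containers means listening on a non-loopback interface and leaning entirely on the secret (and on which containers can reach that interface).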