azure-dev
Azure Developer Auth Server (azd auth serve)
Overview and Problem Statement
This PR introduces the Azure Developer Auth Server (azd auth server start and azd auth server stop), a local identity server that provides authentication for development scenarios. The server uses the identity already authenticated with azd to issue tokens, allowing developers to:
- Local Development Authentication: Use tokens from their authenticated azd identity in application code, avoiding the need for separate developer credentials. The server provides a local emulation of the managed identity endpoint consumed by the credential types in the Azure Identity libraries (e.g., ManagedIdentityCredential, DefaultAzureCredential).
- Containerized Development: Enable authentication within Docker containers. Authentication with DefaultAzureCredential inside containers became difficult after the transition to MSAL; the Azure Developer Auth Server resolves this by providing tokens to containerized applications. More details are in the linked issue.
- Terraform Integration: Authenticate Terraform with tokens from the Azure Developer Auth Server without relying on the Azure CLI, which simplifies authentication for local and container-based development. Refer to the Terraform MSI Guide for details.
Solution
Azure Developer Auth Server: This command starts a local identity server that provides tokens based on the current azd authenticated identity. The server offers a local emulation of the managed identity endpoint used by the credential types in the Azure Identity libraries, suitable for various development scenarios:
- Server Initialization:
  - Run azd auth server start to start a server on 127.0.0.1 (localhost); containers reach it by the name host.docker.internal.
  - Run azd auth server stop to stop the server.
- Endpoint Configuration:
  - Applications using Azure Identity libraries interact with this server through the managed identity endpoint variable. Set MSI_ENDPOINT to http://localhost:53028/MSI/token for local development, or to http://host.docker.internal:53028/MSI/token for container development.
- Application Integration:
  - Applications configured to use Azure Identity libraries (e.g., ManagedIdentityCredential, DefaultAzureCredential) obtain tokens from the MSI_ENDPOINT provided by azd auth server start. The server issues these tokens based on the azd authenticated identity, so the application authenticates as if it were running with a managed identity on Azure.
Additional Enhancements:
- Alternate Endpoint: Introduce AZD_AUTH_ENDPOINT, an environment variable that can be used as an alternative authentication endpoint for AzureDeveloperCLICredential.
- Localhost Restriction: Bind the serving endpoint to 127.0.0.1 so that it is reachable only from the local machine.
- Secret Validation: Generate a secret at server startup and require it on incoming token requests, rejecting requests that do not present it, similar to the OAuth CSRF state parameter.
Open Issues
- Security:
  - Determine effective ways to secure the server and prevent misuse. Possible solutions include:
    - Restricting access to 127.0.0.1 or host.docker.internal. Note that on Linux, host.docker.internal (added with --add-host host.docker.internal:host-gateway) resolves to the Docker bridge address rather than to loopback, so a server bound only to 127.0.0.1 is not reachable from containers there; the loopback restriction and container support need to be reconciled.
    - Using bearer tokens or CSRF-style verification.
  - Develop and review a threat model for the Azure Developer Auth Server.
- Credential Handling:
  - Avoid confusion where developers might think they are using an actual managed identity when they are using tokens from the Azure Developer Auth Server.
  - Handle additional attributes on the Azure Identity credential objects, such as resourceId and TokenCredentialOptions.
- User-Assigned Managed Identities:
  - Develop a solution for scenarios where users specify a clientId for a user-assigned managed identity while using azd auth server start.
Next Steps
- Review with the Managed Identity Team:
  - Conduct a review with the managed identity team to identify any concerns or issues with the approach and ensure alignment with existing systems.
- Threat Model Development:
  - Create and review a threat model for the Azure Developer Auth Server to ensure security and compliance.
Scenarios
- Using Tokens from the Azure Developer Auth Server:
  - Developers can authenticate using tokens provided by the local identity server (azd auth server start) for local development, avoiding the need for other credentials.
- Container Authentication:
  - Facilitate authentication within Docker containers by configuring MSI_ENDPOINT to the Azure Developer Auth Server endpoint, allowing the use of tokens for the current azd identity.
- Terraform Authentication:
  - Enable Terraform to authenticate using tokens from the Azure Developer Auth Server without relying on the Azure CLI, by pointing the Terraform managed identity endpoint at the azd auth server start endpoint.
Resources
- OAuth 2.0 CSRF State Parameter
- Localhost Binding Security