Better support with Bearer Challenge
Is your feature request related to a problem? Please describe.
This is a feature ask for JS and other Azure SDK languages; please help guide to a proper repo if azure-sdk-for-js is not the right place for discussion.
Azure Storage is going to fully support the OAuth Bearer Challenge. Bearer Challenge is part of the OAuth protocol. For invalid anonymous access, Azure Storage will return 401 Unauthorized with an additional www-authenticate header. For example, "www-authenticate": "Bearer authorization_uri=https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize resource_id=https://storage.azure.com"
authorization_uri and resource_id are parameters of Azure Identity SDK credential types.
Currently, with the Azure Storage JS SDK, customers need to manually parse the challenge response:

```typescript
import { DataLakeFileClient, DataLakeServiceClient } from "@azure/storage-file-datalake";
import { ClientSecretCredential } from "@azure/identity";

const account = process.env.ACCOUNT_NAME || "";
const fileClient = new DataLakeFileClient(`https://${account}.dfs.core.windows.net/filesystem/file`);
let tenantId: string;
let authorityHost: string;
try {
  await fileClient.create(); // Anonymous request to get bearer challenge
} catch (err) {
  // "www-authenticate": "Bearer authorization_uri=https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize resource_id=https://storage.azure.com"
  const headerRaw = err.details["www-authenticate"];
  // Take the value of the first parameter (authorization_uri) and parse it as a URL
  const url = new URL(headerRaw.split("=")[1].split(" ")[0]);
  tenantId = url.pathname.split("/")[1]; // 72f988bf-86f1-41af-91ab-2d7cd011db47
  authorityHost = url.origin; // https://login.microsoftonline.com
}
const clientSecretCredential = new ClientSecretCredential(tenantId!, process.env.AZURE_CLIENT_ID!, process.env.AZURE_CLIENT_SECRET!, {
  authorityHost: authorityHost!
});
const serviceClient = new DataLakeServiceClient(`https://${account}.dfs.core.windows.net`, clientSecretCredential);
let i = 1;
for await (const filesystem of serviceClient.listFileSystems()) {
  console.log(`FileSystem ${i++}: ${filesystem.name}`);
}
```
It would be great if we could make this a better user experience for customers. For example:

```typescript
const clientSecretCredential = new ClientSecretCredential(process.env.AZURE_CLIENT_ID!, process.env.AZURE_CLIENT_SECRET!, {
  bearerChallenge: true
}); // ClientSecretCredential can set a bearer challenge flag and ignore the tenantId and authorityHost parameters
const serviceClient = new DataLakeServiceClient(`https://${account}.dfs.core.windows.net`, clientSecretCredential);
let i = 1;
for await (const filesystem of serviceClient.listFileSystems()) {
  console.log(`FileSystem ${i++}: ${filesystem.name}`);
}
```
Besides Azure Storage, other Azure services have Bearer Challenge too. For example, the Azure Key Vault SDK implements challengeBasedAuthenticationPolicy.ts in this repo. It would be better if @azure/identity could support the challenge in its built-in credential types, or if @azure/core-http could support a challenge-based authentication policy. It's a common scenario for many Azure services, so Storage and other services wouldn't need duplicate implementations.
https://github.com/Azure/azure-sdk-for-js/blob/a53c7e10fefd7acb697aefad8536643cfe7e31da/sdk/keyvault/keyvault-keys/src/core/challengeBasedAuthenticationPolicy.ts
Describe the solution you'd like
Think about the bearer challenge user scenario. It should be an overall design across all languages of the Azure SDKs.
Describe alternatives you've considered
Customers manually parse the challenge response and pass the extracted values to the Azure Identity SDK.
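The manual parsing in the issue splits the raw header on "=" and " ", which only works for the exact header shape quoted above. The block below is an added example, not code from the issue or from the Azure SDK: a standalone parser for a `Bearer` www-authenticate challenge that handles bare and double-quoted parameter values, returns the `tenantId` and `authorityHost` an Azure Identity credential needs, and refuses an `authorization_uri` that is not https or whose host is not on an allow-list. The `TRUSTED_AUTHORITY_HOSTS` list, the `parseBearerChallenge` and `parseBearerChallengeParams` names, and the `SAMPLE_CHALLENGE` constant are this example's own assumptions; the sample header is the one quoted in the issue.

```typescript
// Added example (not the SDK's own code): a defensive parser for the
// "Bearer ..." challenge Azure Storage returns in www-authenticate on an
// anonymous request. It extracts the values an Azure Identity credential
// needs and checks the authority before trusting it.

interface BearerChallenge {
  authorizationUri: string;
  resourceId?: string;
  tenantId: string;
  authorityHost: string;
}

// Assumed allow-list of authority hosts the caller is willing to request
// tokens from. Letting the challenge choose the tenant is fine; letting it
// choose an arbitrary host would let a spoofed 401 redirect the token
// request, so the host must already be trusted.
const TRUSTED_AUTHORITY_HOSTS = new Set<string>([
  "login.microsoftonline.com",
  "login.microsoftonline.us",
  "login.chinacloudapi.cn",
]);

// Parse the key=value pairs of a Bearer challenge. Values may be bare or
// double-quoted, and pairs may be separated by spaces or commas.
function parseBearerChallengeParams(header: string): Map<string, string> {
  const prefix = /^\s*Bearer\s+/i;
  if (!prefix.test(header)) {
    throw new Error("not a Bearer challenge");
  }
  const body = header.replace(prefix, "");
  const params = new Map<string, string>();
  // group 1: key, group 2: raw value, group 3: inner text of a quoted value
  const re = /([A-Za-z_][A-Za-z0-9_\-]*)=("([^"]*)"|[^\s,]+)/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(body)) !== null) {
    const value = m[3] !== undefined ? m[3] : m[2];
    params.set(m[1].toLowerCase(), value);
  }
  return params;
}

// Turn a challenge into credential parameters, validating the authority.
function parseBearerChallenge(header: string): BearerChallenge {
  const params = parseBearerChallengeParams(header);
  const authorizationUri = params.get("authorization_uri");
  if (!authorizationUri) {
    throw new Error("challenge has no authorization_uri");
  }
  const url = new URL(authorizationUri);
  if (url.protocol !== "https:") {
    throw new Error("authorization_uri must use https");
  }
  if (!TRUSTED_AUTHORITY_HOSTS.has(url.hostname)) {
    throw new Error(`untrusted authority host: ${url.hostname}`);
  }
  // First path segment is the tenant: a GUID or an alias such as "common".
  const segments = url.pathname.split("/").filter((s) => s.length > 0);
  const tenantId = segments[0];
  if (!tenantId || !/^[A-Za-z0-9\-.]+$/.test(tenantId)) {
    throw new Error("could not determine tenant from authorization_uri");
  }
  return {
    authorizationUri,
    resourceId: params.get("resource_id"),
    tenantId,
    authorityHost: url.origin,
  };
}

// Constructed sample input: the header quoted in the issue.
const SAMPLE_CHALLENGE =
  "Bearer authorization_uri=https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize resource_id=https://storage.azure.com";

const parsed = parseBearerChallenge(SAMPLE_CHALLENGE);
console.log(parsed.tenantId, parsed.authorityHost, parsed.resourceId);
```

The returned `tenantId` and `authorityHost` are what the issue's snippet feeds to `ClientSecretCredential`; the difference is that a malformed or untrusted challenge fails closed instead of producing a credential pointed at whatever host the response named.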
@jonathandturner Would this be similar to what was done for Keyvault via a custom policy for challenge based auth? If so, would our guidance for Storage be to do the same?
cc @daviwil, @schaabs
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.
@sadasant Can you provide some insights here for the Storage team?
@ramya-rao-a we’re just about to provide some functions to make parsing bearer challenges easier, see this comment: https://github.com/Azure/azure-sdk-for-js/pull/17315#discussion_r710509338 I’ll ping @xirzec to get his feedback.
@XiaoningLiu we’re still working on the core changes. We’re considering exposing parseCAEChallenge after this PR has been merged: https://github.com/Azure/azure-sdk-for-js/pull/17315 . We’ll be working on merging this PR within a week from this comment. Feedback appreciated!
@XiaoningLiu @EmmaZhu Is there more work to do here? I notice we have https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/storage/storage-blob/src/policies/StorageBearerTokenChallengeAuthenticationPolicy.ts