azure-sdk-for-net
[FEATURE REQ] Add Integrated Windows Authentication support within TokenCredential interface
Library name
Azure.Storage.Blobs
Please describe the feature.
I am running into this issue with Azure.Storage.Blobs, but I believe this will be the case for other libraries accepting TokenCredential as well. I tried to make it work with Integrated Windows Authentication but failed to find the appropriate descendant of TokenCredential to supply to the constructor of BlobContainerClient. After asking a question on StackOverflow I was pointed to the migration guide, where IWA is marked as not supported.
I am not sure why Integrated Windows Authentication is not supported. This must be a pretty popular demand in the Enterprise world.
I ended up writing my own implementation of TokenCredential interface:
```csharp
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Microsoft.Identity.Client;

// Custom TokenCredential backed by MSAL's Integrated Windows Authentication flow.
// Only works for a domain-joined (or AAD-joined) Windows user whose tenant allows IWA;
// Azure.Identity itself does not ship such a credential.
internal class IwaCredential : TokenCredential
{
    private readonly IPublicClientApplication _application;
    private readonly string[] _scopes;

    public IwaCredential(IPublicClientApplication app, string[] scopes)
    {
        _application = app ?? throw new ArgumentNullException(nameof(app));
        _scopes = scopes ?? throw new ArgumentNullException(nameof(scopes));
    }

    private async Task<AuthenticationResult> AuthenticateAsync(CancellationToken cancellationToken)
    {
        AuthenticationResult? result = null;

        // Consult MSAL's token cache first so we don't round-trip to the domain
        // controller and Azure AD on every request.
        var accounts = await _application.GetAccountsAsync().ConfigureAwait(false);
        var account = accounts.FirstOrDefault();
        if (account != null)
        {
            try
            {
                result = await _application.AcquireTokenSilent(_scopes, account)
                    .ExecuteAsync(cancellationToken).ConfigureAwait(false);
            }
            catch (MsalUiRequiredException)
            {
                // No usable cached/refreshable token; fall through to the IWA flow.
            }
        }

        if (result == null)
        {
            // Kerberos/NTLM-based flow for the currently logged-on Windows user.
            result = await _application.AcquireTokenByIntegratedWindowsAuth(_scopes)
                .ExecuteAsync(cancellationToken).ConfigureAwait(false);
        }

        return result;
    }

    private async Task<AccessToken> GetAccessTokenAsync(CancellationToken cancellationToken)
    {
        var authResult = await AuthenticateAsync(cancellationToken).ConfigureAwait(false);
        return new AccessToken(authResult.AccessToken, authResult.ExpiresOn);
    }

    // Caveat: the scopes the calling client asks for (requestContext.Scopes) are ignored;
    // this credential always requests the scopes passed to its constructor, so one
    // instance serves exactly one resource.
    public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
    {
        // Sync-over-async; can deadlock when called under a SynchronizationContext (e.g. UI thread).
        return GetAccessTokenAsync(cancellationToken).GetAwaiter().GetResult();
    }

    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
    {
        return new ValueTask<AccessToken>(GetAccessTokenAsync(cancellationToken));
    }
}
```
Now we are able to supply it into BlobContainerClient (or other):
```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using Azure.Storage.Blobs;
using Microsoft.Identity.Client;

static async Task UploadWithIwaAsync(string pathToFile)
{
    var appOptions = new PublicClientApplicationOptions
    {
        ClientId = "...",
        TenantId = "...",
    };
    var app = PublicClientApplicationBuilder.CreateWithApplicationOptions(appOptions).Build();

    // Delegated scope for Azure Storage data-plane access as the signed-in user.
    var cred = new IwaCredential(app, new string[] { "https://storage.azure.com/user_impersonation" });
    var client = new BlobContainerClient(new Uri("https://foobar.blob.core.windows.net/upload"), cred);

    // obtain your file...
    using var file = File.OpenRead(pathToFile);
    var res = await client.UploadBlobAsync("prefix/my.file", file);
    Console.WriteLine(res);
}
```
I ask you to please include an equivalent of the IwaCredential above in the standard set of credentials in Azure.Identity.
See also my question on StackOverflow (and comments).
Thank you for your feedback. Tagging and routing to the team member best able to assist.
Hi @greatvovan - The reason we don't have a credential that supports IWA is that, generally, the other implementations of TokenCredential are cross-platform.
I understand @christothes. Any plans for including this functionality in other (Windows-related) packages? I think there should be an official implementation from Microsoft for this part, as it might not be obvious how to proceed from IWA to token auth.
If you are wanting to do interactive windows based login support, this Azure.Identity.BrokeredAuthentication may be closer to what you are looking for.
Hi @greatvovan. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text “/unresolve” to remove the “issue-addressed” label and continue the conversation.
See also #12219 where you promise to close the gap to AppAuthentication. Funny that Microsoft abandons their own enterprise platform and its paying users.
Hi @greatvovan, since you haven’t asked that we “/unresolve” the issue, we’ll close this out. If you believe further discussion is needed, please add a comment “/unresolve” to reopen the issue.