Regional Authority Endpoint

Open ahmednawar1997 opened this issue 3 years ago • 4 comments

Library name and version

Azure.Storage.Blob 11.2.2 & Azure.Identity 1.5.0

Query/Question

We're using Azure.Storage.Blob SDK and we got alerts that we are not using regional authority while fetching tokens to contact Azure Tables, Azure Queues and Azure Blob Stores.

Is there a way for automatic region discovery so we can contact the correct endpoint? I can see that the default AuthorityHost in TokenCredentialOptions.cs is 'https://login.microsoftonline.com/' and I need a way to return the regional endpoint instead of the global AAD.

Environment

No response

ahmednawar1997 avatar Aug 07 '22 12:08 ahmednawar1997

Thank you for your feedback. Tagging and routing to the team member best able to assist.

jsquire avatar Aug 08 '22 12:08 jsquire

Hi @ahmednawar1997. Thank you for reaching out and we regret that you're experiencing difficulties. I'm not sure if I understand what you're asking. I believe what you'd like to do is set the AuthorityHost for the credential that you're using. If so, each credential type takes a set of options as part of its constructor which allow the value to be set.

That said, since you've already looked at TokenCredentialOptions, I get the feeling that I'm overlooking something. Can you help me better understand the information that you're looking for?

jsquire avatar Aug 08 '22 12:08 jsquire

Hi @jsquire, I can see that in https://github.com/Azure/azure-sdk-for-net/blob/7f3836c3149d624fe01217e836eb5768cb624763/sdk/identity/Azure.Identity/src/MsalConfidentialClient.cs you get the regionalAuthority from EnvironmentVariables.AzureRegionalAuthorityName. There is a way in MSAL where it can autodetect the region. Do you have a flag or any way where we can use it?

ahmednawar1997 avatar Aug 09 '22 12:08 ahmednawar1997

I'll have to defer to @schaabs for the authoritative answer to that; I don't know of one.

jsquire avatar Aug 09 '22 13:08 jsquire

Hi @schaabs waiting for your help.

ahmednawar1997 avatar Aug 11 '22 09:08 ahmednawar1997

A lot of what you want to do is done easily in 1.6.1 and up.

If you're using ConfidentialClientApplicationBuilder, you can use the .WithAzureRegion() method added in Azure.Identity 1.5~ ish.

    ConfidentialClientApplicationBuilder
        .Create(applicationId)
        .WithAuthority(authorityUri)
        .WithAzureRegion(ConfidentialClientApplication.AttemptRegionDiscovery)

Ping my alias if you'd like some more examples (I'll see what I can find!)

stowen-msft avatar Aug 11 '22 14:08 stowen-msft

Default is for the region to be auto-detected by the authority. Please re-open and provide additional details if this is still a problem.

christothes avatar Jul 13 '23 21:07 christothes