
[Feature Request] Service Fabric MI Auth doesn't validate server cert.

Open g2vinay opened this issue 2 years ago • 3 comments

MSAL client type

Managed identity

Problem Statement

Currently, MSAL .NET reads the Thumbprint from env but doesn't use it to validate the cert from the server in the transport layer. This logic needs to be implemented.

Proposed solution

The .NET Identity SDK does this; the logic can be ported from here: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/ServiceFabricManagedIdentitySource.cs#L55

Other languages

java: https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java#L1032

Py: (not implemented) https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/azure/identity/_credentials/service_fabric.py#L38

JS: (not implemented) https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/src/credentials/managedIdentityCredential/fabricMsi.ts#L128

g2vinay avatar Dec 08 '23 22:12 g2vinay
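One way to implement the missing check, as an added example that is not MSAL's or the Azure SDK's code: pin the identity endpoint's TLS server certificate to the thumbprint supplied by the Service Fabric host instead of relying on chain validation. It assumes the thumbprint is delivered in the `IDENTITY_SERVER_THUMBPRINT` environment variable and that the leaf certificate's SHA-1 thumbprint is what should be compared.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (not MSAL's or Azure.Identity's code): pin the Service Fabric
// identity endpoint's server certificate to the thumbprint the host provides.
// The environment variable name IDENTITY_SERVER_THUMBPRINT is an assumption of
// this example.
public static class ServiceFabricMsiHttp
{
    // Returns true only when the presented leaf certificate matches the expected
    // thumbprint. SslPolicyErrors are deliberately not consulted: the endpoint
    // presents a self-signed certificate, so the thumbprint is the trust anchor.
    public static bool ValidateServerCertificate(X509Certificate2 cert, string expectedThumbprint)
    {
        if (cert == null || string.IsNullOrWhiteSpace(expectedThumbprint))
            return false;

        // GetCertHashString() yields the SHA-1 thumbprint as upper-case hex, no separators.
        string actual = cert.GetCertHashString();
        string expected = expectedThumbprint.Replace(":", "").Replace(" ", "");
        return string.Equals(actual, expected, StringComparison.OrdinalIgnoreCase);
    }

    // Builds an HttpClient whose only accepted server certificate is the pinned one.
    // Fails closed: with no thumbprint configured, no client is created at all,
    // rather than silently falling back to accepting any certificate.
    public static HttpClient CreatePinnedClient()
    {
        string thumbprint = Environment.GetEnvironmentVariable("IDENTITY_SERVER_THUMBPRINT");
        if (string.IsNullOrEmpty(thumbprint))
            throw new InvalidOperationException(
                "IDENTITY_SERVER_THUMBPRINT is not set; refusing to disable certificate validation.");

        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback =
                (request, cert, chain, errors) => ValidateServerCertificate(cert, thumbprint)
        };
        return new HttpClient(handler);
    }
}
```

A unit test can exercise `ValidateServerCertificate` directly with a locally generated self-signed certificate, which keeps the pinning logic testable without an `IHttpClientFactory`, as the later comments in this thread ask for.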

We have agreed with Azure SDK to not extend the HttpClient factory for this. It is acceptable for MSAL to use its own HttpClient that doesn't go through the extensibility pipeline.

Retry policies etc. are still required.

bgavrilMS avatar Dec 14 '23 12:12 bgavrilMS

@neha-bhargava - it's acceptable for this call to MSI to not use IHttpClientFactory / an HttpClient created externally. But try to find a way so as to keep the code path testable.

If you need to make changes to HttpManager, please see @gladjohn's PR on SLC first, as it has a sweeping refactor of that. Maybe it's worth pulling that refactor out.

bgavrilMS avatar Jan 05 '24 10:01 bgavrilMS

Is this still blocked?

bgavrilMS avatar May 08 '24 15:05 bgavrilMS