
[Bug] WithSSHCertificateAuthenticationScheme Does Not Return an SSH Certificate When WAM Is Enabled

Open msJinLei opened this issue 1 year ago • 4 comments

Library version used

4.61.3.0

.NET version

.netstandard 2.0

Scenario

PublicClient - desktop app

Is this a new or an existing app?

The app is in production, and I have upgraded to a new version of MSAL

Issue description and reproduction steps

Raised by @vthiebaut10, in Azure PowerShell, when WAM is enabled, the customer fails when retrying to connect to a configured Azure VM using Az.Ssh. Here are the steps to reproduce:

When WAM is disabled, Enter-AzVM works as expected. We find that when WAM is enabled, WithSSHCertificateAuthenticationScheme doesn't return an SSH certificate but returns a bearer token instead. When WAM is disabled, it returns an SSH certificate.

Relevant code snippets

using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker; // WithBroker(BrokerOptions) extension for WAM

public virtual IPublicClientApplication CreatePublicClient(string authority, string tenantId)
{
    var builder = PublicClientApplicationBuilder.Create(Constants.PowerShellClientId);
    // When WAM is enabled in Az config, route authentication through the Windows broker.
    if (AzConfigReader.IsWamEnabled(authority))
    {
        builder = builder.WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows));
    }
    if (!string.IsNullOrEmpty(authority))
    {
        builder.WithAuthority(authority, tenantId ?? organizationTenant);
    }
    var client = builder.Build();
    RegisterCache(client);
    return client;
}

// Caller: look up the cached account, then request an SSH certificate for the given key.
var publicClient = CreatePublicClient(context.Environment.ActiveDirectoryAuthority, context.Tenant.Id);
var account = publicClient.GetAccountAsync(context.Account.GetProperty(AzureAccount.Property.HomeAccountId))
               .ConfigureAwait(false).GetAwaiter().GetResult();
var result = publicClient.AcquireTokenSilent(scopes, account)
             .WithSSHCertificateAuthenticationScheme(jwk, keyId)
             .ExecuteAsync();
// AuthenticationResult; with WAM enabled its AccessToken is a bearer token, not an SSH certificate.
var accessToken = result.ConfigureAwait(false).GetAwaiter().GetResult();

Expected behavior

Return an SSH certificate, as the non-broker public client does

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

msJinLei avatar Aug 28 '24 08:08 msJinLei

Right, this is a feature gap with WAM. It does not support fetching SSH certificates.

bgavrilMS avatar Aug 28 '24 08:08 bgavrilMS


But I don't see the same issue with Azure CLI. Does MSAL.py have the same issue?

msJinLei avatar Aug 28 '24 09:08 msJinLei

MSAL Py also supports fetching SSH certificates. It is possible that the team also added support for WAM + SSH certificates, I don't recollect.

@rayluo @jiasli @iulico-1 - do you remember?

bgavrilMS avatar Aug 28 '24 09:08 bgavrilMS


WAM has been improved to also support SSH cert now. MSAL .Net just needs to relay the relevant parameters to MsalRuntime. This was how MSAL Py did it.

rayluo avatar Aug 28 '24 18:08 rayluo
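The issue's code snippet passes whatever AcquireTokenSilent returns straight on to Az.Ssh, so a bearer token handed back by the broker (the feature gap bgavrilMS describes above) is only noticed when the SSH connection fails. The following is an added example, not code from this issue or from MSAL.NET, of how a caller can check the returned token type and fall back to a non-broker client until the MsalRuntime relay rayluo mentions ships. It assumes the MSAL.NET 4.61.x public API (PublicClientApplicationBuilder, BrokerOptions, WithSSHCertificateAuthenticationScheme, AuthenticationResult.TokenType) together with the Microsoft.Identity.Client.Broker package; the "ssh-cert" token type string is an assumption about what MSAL reports for the SSH scheme, and clientId, authority, scopes, jwk, keyId and account are the caller's own values.

```csharp
// Added example for this thread; not code from the issue or from MSAL.NET itself.
// Assumes MSAL.NET 4.61.x plus Microsoft.Identity.Client.Broker for WithBroker on Windows.
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker;

public static class SshCertificateGuard
{
    // Assumed token type MSAL reports for the SSH certificate scheme; "Bearer" is the default.
    const string SshCertTokenType = "ssh-cert";

    // Pure check the caller can unit test: did we actually receive an SSH certificate?
    public static bool IsSshCertificate(string tokenType) =>
        string.Equals(tokenType, SshCertTokenType, StringComparison.OrdinalIgnoreCase);

    // Acquire an SSH certificate, preferring the broker when WAM is enabled, but never
    // pass a plain bearer token on to the SSH client as though it were a certificate.
    public static async Task<AuthenticationResult> AcquireSshCertificateAsync(
        string clientId, string authority, string[] scopes,
        string jwk, string keyId, IAccount account, bool wamEnabled)
    {
        var builder = PublicClientApplicationBuilder.Create(clientId).WithAuthority(authority);
        if (wamEnabled)
        {
            builder = builder.WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows));
        }
        var app = builder.Build();

        var result = await app.AcquireTokenSilent(scopes, account)
            .WithSSHCertificateAuthenticationScheme(jwk, keyId)
            .ExecuteAsync()
            .ConfigureAwait(false);

        if (IsSshCertificate(result.TokenType))
        {
            return result;
        }

        if (!wamEnabled)
        {
            // Without the broker this should not happen; surface it instead of continuing.
            throw new InvalidOperationException(
                $"Expected an SSH certificate but got token type '{result.TokenType}'.");
        }

        // Broker path returned a bearer token (the gap described in this issue): retry with a
        // non-broker client rather than letting Az.Ssh fail later with a confusing error.
        var fallback = PublicClientApplicationBuilder.Create(clientId).WithAuthority(authority).Build();
        try
        {
            result = await fallback.AcquireTokenSilent(scopes, account)
                .WithSSHCertificateAuthenticationScheme(jwk, keyId)
                .ExecuteAsync()
                .ConfigureAwait(false);
        }
        catch (MsalUiRequiredException)
        {
            // The non-broker client has its own token cache, so the account may not be in it yet.
            result = await fallback.AcquireTokenInteractive(scopes)
                .WithSSHCertificateAuthenticationScheme(jwk, keyId)
                .ExecuteAsync()
                .ConfigureAwait(false);
        }

        if (!IsSshCertificate(result.TokenType))
        {
            throw new InvalidOperationException(
                $"Fallback client returned token type '{result.TokenType}', not an SSH certificate.");
        }
        return result;
    }
}
```

Checking `TokenType` rather than inspecting the `AccessToken` string keeps the decision on MSAL's own metadata, and failing loudly in the non-broker case means a regression there is reported at acquisition time instead of as an SSH handshake error.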