hamilton
azcli auth doesn't support MSAL scopes
Currently, in `AzureCliAuthorizer.Token()`, the arguments to `az` are hard-coded as

```go
{"account", "get-access-token", fmt.Sprintf("--resource=%s", a.conf.Endpoint)}
```

This is correct for ADAL and also works for MSAL as long as you need the default scope of Resource Manager. However, for a different scope like KeyVault, the arguments should instead be

```go
{"account", "get-access-token", fmt.Sprintf("--scope=%s", a.conf.Endpoint+"/.default")}
```

Note the MSAL-style (OAuth v2) scope.
I tested the above change and it unblocked a small program that changes Key Vault secrets. I don't have a full PR just yet because I wasn't sure how you wanted to treat MSAL vs ADAL here.
Related question - @manicminer, does contributing to this repo require a CLA?
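As an added example (not hamilton's code and not part of this issue): a small Go program that builds the `az account get-access-token` argument list in either the ADAL `--resource` form or the MSAL `--scope` form described above, and parses the JSON the CLI prints so the token and its expiry can be checked before use. The `AuthMode` type, `AzCliTokenArgs`, `ParseAzToken` and the sample output are assumptions made for this example; the JSON field names and the `expiresOn` layout are what the az CLI has printed in my experience and should also be treated as assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AuthMode selects which style of argument is handed to the az CLI.
type AuthMode int

const (
	ModeADAL AuthMode = iota // ADAL / OAuth v1 style: --resource=<endpoint>
	ModeMSAL                 // MSAL / OAuth v2 style: --scope=<endpoint>/.default
)

// AzCliTokenArgs builds the argument list for `az account get-access-token`
// (hypothetical helper, not hamilton's own code). In MSAL mode the endpoint is
// turned into a v2 scope by appending "/.default"; a trailing slash on the
// endpoint is trimmed first so the result is never "<endpoint>//.default", and
// an endpoint that already carries "/.default" is passed through unchanged.
func AzCliTokenArgs(mode AuthMode, endpoint string) []string {
	args := []string{"account", "get-access-token"}
	if mode == ModeMSAL {
		scope := strings.TrimRight(endpoint, "/")
		if !strings.HasSuffix(scope, "/.default") {
			scope += "/.default"
		}
		return append(args, "--scope="+scope)
	}
	return append(args, "--resource="+endpoint)
}

// azTokenResponse mirrors the fields of interest in the CLI's JSON output
// (assumed field names).
type azTokenResponse struct {
	AccessToken string `json:"accessToken"`
	ExpiresOn   string `json:"expiresOn"`
	TokenType   string `json:"tokenType"`
}

// azExpiresOnLayout is the local-time layout az uses for expiresOn (assumption).
const azExpiresOnLayout = "2006-01-02 15:04:05.999999"

// ParseAzToken decodes the CLI output and returns the bearer token and its
// expiry. An output without an accessToken is treated as an error rather than
// silently yielding an empty credential.
func ParseAzToken(out []byte) (string, time.Time, error) {
	var r azTokenResponse
	if err := json.Unmarshal(out, &r); err != nil {
		return "", time.Time{}, fmt.Errorf("decoding az output: %w", err)
	}
	if r.AccessToken == "" {
		return "", time.Time{}, errors.New("az output contained no accessToken")
	}
	exp, err := time.ParseInLocation(azExpiresOnLayout, r.ExpiresOn, time.Local)
	if err != nil {
		return "", time.Time{}, fmt.Errorf("parsing expiresOn %q: %w", r.ExpiresOn, err)
	}
	return r.AccessToken, exp, nil
}

// SampleAzOutput is a constructed stand-in for what the CLI prints; no real
// token or tenant is embedded here.
const SampleAzOutput = `{
  "accessToken": "eyJ.constructed.token",
  "expiresOn": "2022-03-01 12:34:56.000000",
  "subscription": "00000000-0000-0000-0000-000000000000",
  "tenant": "00000000-0000-0000-0000-000000000000",
  "tokenType": "Bearer"
}`

func main() {
	for _, m := range []AuthMode{ModeADAL, ModeMSAL} {
		fmt.Println(AzCliTokenArgs(m, "https://vault.azure.net"))
	}
	tok, exp, err := ParseAzToken([]byte(SampleAzOutput))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("token %s... expires %s\n", tok[:3], exp.Format(time.RFC3339))
}
```

In a real authorizer the output bytes would come from running the arguments with `os/exec`; the parsing step is kept separate here so the expiry check can be unit-tested without invoking `az`.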