Skip to content

Instantly share code, notes, and snippets.

@christothes

christothes/tenant-hint.md Secret

Last active May 20, 2021 13:20
Show Gist options
  • Save christothes/34b713a70aad4e94f228b5a9b64f92a4 to your computer and use it in GitHub Desktop.
Save christothes/34b713a70aad4e94f228b5a9b64f92a4 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
tenant-hint.md

Azure.Identity Support Tenant Id Challenges

Summary

Currently, for services that return challenges which include context about the tenant that can service a failed service request, such as authorization_url, Azure.Identity does not utilize this information to request a new token with the correct tenantId.

This is a proposal to enhance Azure.Identity to make it possible for service clients to interpret challenges to request tokens for the correct tenant Id, where possible.

Value

The value of implementing this feature is:

  • The ability to authenticate to Key Vaults across multiple tenants is a feature that has been requested by some customers. This would enable that scenario.
  • Address the common issues encountered by our customers when using VSCode and Vs credentials with an MSA account signed in, or with multiple credentials signed in

Issues

To implement the capability to handle challenges that provide tenant Id hints, the following issues need to be addressed.

  1. The TokenCredential abstraction needs the required tenant Id context
  2. Services that include the tenant Id hint context in their challenge response do not parse the tenantId
  3. Decisions need to be made about how the challenge context would be used for credentials that specify a TenantId in their options or as a required property at construction time

Design Ideas

Issue 1

A TenantId property could be added to the TokenRequestContext class.

Issue 2

Services that support tenantID challenges will implement a BearerTokenChallengeAuthenticationPolicy that understands how to parse the tenant Id from the challenge header.

Issue 3

This should be discussed as a feature crew. Some initial thoughts:

  • For credentials that specify a tenantId at construction time or in options, an additional property could be added to its credential options to indicate if tenantId hints should be honored or ignored

Estimates

Rough estimate for this work is ~5 days per language.

@ericsampson
Copy link

Sorry, I meant on the actual server side, like how KV returns the WWW-Authenticate header with the tenant to give hints that help the library in this scenario - if the other services should do that too (if they don’t all already). Thanks!

@christothes
Copy link
Author

Sorry, I meant on the actual server side, like how KV returns the WWW-Authenticate header with the tenant to give hints that help the library in this scenario - if the other services should do that too (if they don’t all already). Thanks!

Yes, they would need to send the tenant ID in the challenge header.

@ericsampson
Copy link

Thanks. Can I help by filing tickets for the various services in order to give them enough time to implement this change to match the release of the library, or something?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment