-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move to Azure Identity #1201
Move to Azure Identity #1201
Conversation
do you recall why we added the accesstoken on invoke-mggraphrequest to begin with? |
{ | ||
InteractiveAuthenticationProvider, | ||
DeviceCodeProvider, | ||
DeviceCodeProviderFallBack, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what was this one covering?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
DeviceCodeProviderFallBack
was used to detect when to fall back to DeviceCode when MSAL can't open browser in environments such as Linux servers. I've changed the implementation in https://github.com/microsoftgraph/msgraph-sdk-powershell/blob/enhancements/MSIdentity/src/Authentication/Authentication.Core/Utilities/AuthenticationHelpers.cs#L157-L162 to catch the right MSAL exception and retry with device code.
<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="5.6.0" /> | ||
<PackageReference Include="Azure.Core" Version="1.22.0" /> | ||
<PackageReference Include="Azure.Identity" Version="1.5.0" /> | ||
<PackageReference Include="Microsoft.Graph.Core" Version="2.0.8" /> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
by the time this goes out wouldn't kiota likely be the release? Is the plan to convert this later and align with CLI?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's the plan. Swapping the current MS Graph .NET core for Kiota based core should be trivial. I have a work item to integrate dependabot for verion updates - #1002.
can you say more about why the token caches for mac/linux are no longer necessary? |
public class InMemoryTokenCacheOptions : UnsafeTokenCacheOptions | ||
{ | ||
private readonly ReaderWriterLockSlim _sessionLock = new ReaderWriterLockSlim(LockRecursionPolicy.SupportsRecursion); | ||
internal ReadOnlyMemory<byte> TokenCache { get; private set; } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
seems odd that the options class is holding the reference to the cache and operating on the object. This looks more like cache manager than options class
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point! It is a cache manager. It's Azure Identity that named the base class UnsafeTokenCacheOptions. I opted to use the options suffix to be in sync with Azure Identity naming.
It was because we didn't expose |
We no longer need them because Azure.Identity securely caches tokens on Windows, MacOS, and Linux (when libsecret-1.so.0 is available). We will fall back to in-memory cache when Azure.Identity can't persist tokens to the underlying OS mechanism (MsalCachePersistenceException is thrown). |
We should verify that successfully sign in and token caching is possible on the following platforms (I'll check them once verified):
|
We had added it for BYOT scenarios. For example authenticating against Managed Identity in a Virtual Machine, getting a token and (re)-using it with the SDK. |
This PR closes #1144 by:
The following improvements have been made to the Authentication module as part of this transition:
-AccessToken
fromInvoke-MgGraphRequest
. The goal is to have one authentication/authorization point,Connect-MgGraph
.-ForceRefresh
fromConnect-MgGraph
.-ForeceRefresh
is not exposed by Azure Identity as the library will fetch new tokens automatically when new scopes are added.In-Memory
token cache for process context scope.