Authenticate with Azure.Identity #25

Closed
Dorus opened this issue Oct 23, 2023 · 6 comments
Dorus commented Oct 23, 2023

Azure.Identity is the go-to way to authenticate Azure resources from your .NET project. Almost all Azure resources can be connected to by passing the credential class to the appropriate configuration method. This makes it very simple to develop both locally, where the developer has access to an Azure resource by IAM role assignments, and in Azure, where the resource's managed identity has these rights.

However, with this package I see no way to pass a new DefaultAzureCredential() object to any of the connect or config methods. Instead I'm required to pass a principalId, but I have no idea how to even access the principal id from code in my Azure function (except by passing it in as an app configuration from my Bicep template). Besides, the entire point of the managed identity is to let Azure figure out how to authenticate and not bother my code with it.


isacruzramos commented Oct 30, 2023

You can use AccessToken https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.components.webassembly.authentication.accesstokenresult?view=aspnetcore-7.0

The token will have Claims, principalId should be one of those claim types and you can parse the token (JSON object) to retrieve its value.

@philon-msft
Contributor

Also see #2


mcraiha commented Oct 31, 2023

If you need actual code, then it would be something like

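```csharp
using Azure.Identity;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;

// Returns the object id ("oid" claim) of whichever identity DefaultAzureCredential resolves to.
static async Task<string> GetPrincipalIdAsync()
{
    var credential = new DefaultAzureCredential();
    string[] scopes = new string[] { "https://graph.microsoft.com/.default" };
    var token = await credential.GetTokenAsync(new Azure.Core.TokenRequestContext(scopes));

    // ReadToken only decodes the JWT; it does not validate the signature.
    var handler = new JwtSecurityTokenHandler();
    var jsonToken = handler.ReadToken(token.Token) as JwtSecurityToken;
    return jsonToken!.Claims.First(c => c.Type == "oid").Value;
}
```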

@philon-msft
Contributor

TokenCredential and DefaultAzureCredential are now supported in v2.0.0. Please give it a try and let us know how it works with your scenarios.


eirikb commented Dec 14, 2023

@philon-msft Hi, just to be clear, the code @mcraiha provided is still required?
Or some other way to provide the principal id, but dynamically the code above seems solid.

@philon-msft
Contributor

@eirikb The extension has a new method that takes a PrincipalId plus TokenCredential directly. If your TokenCredential will change in different environments (e.g. using DefaultAzureCredential), then you'll need some way to also update the PrincipalId to match. For DefaultAzureCredential, the code above is a good approach to extract the PrincipalId from the token.
