-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade Microsoft.Identity.Client package reference #7
Conversation
changes looks good. please enable MSAL logging, this will help us with troubleshooting any issues you may see. |
Thanks @gladjohn - we plan to enable MSAL logging in an upcoming release once StackExchange.Redis itself supports a logging story |
@@ -41,7 +41,7 @@ public static async Task<ConfigurationOptions> ConfigureForAzureWithSystemAssign | |||
/// Throws on failure by default (configurable in the <see cref="ConfigureForAzureAsync"/> method). | |||
/// </summary> | |||
/// <param name="configurationOptions">The configuration to update.</param> | |||
/// <param name="clientId">Client ID of the user-assigned managed identity.</param> | |||
/// <param name="clientId">Client ID or resource ID of the user-assigned managed identity.</param> | |||
/// <param name="principalId">Principal (object) ID of the user-assigned managed identity.</param> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
MSAL does not support principalId for Managed Identity. Is this something you want us to support?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@samsaha-ms can you comment on this? We pass the MI's object/principal ID as the username for the Redis connection, so I believe we use it in some capacity while validating tokens on the server side
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, this is something related to what our extension does to interact with Redis, not related to MSAL.
It does two things 1. Acquire token from MSAL 2. Send AUTH request to Redis with principal-id and token to comply with redis command format "auth username password" and we validate this pair in server side.
We could actually make this field optional here, we could parse the acquired token and get the oid field in token and use that value while sending to redis. We can choose it do later after giving some thought as it might add client side overhead of parsing token.
Fix #6, #15, #18, #34