
[Enhancement Proposal] Add config option to disable token cache encryption #19506

Closed · jiasli opened this issue Sep 9, 2021 · 4 comments

@jiasli (Member)

jiasli commented Sep 9, 2021

Azure PowerShell's token encryption issues

Various issues have been reported regarding Azure PowerShell's token encryption functionality:

Windows:

MacOS:

The workaround is to disable persistent token cache between sessions:

However, this approach is not feasible for Azure CLI, as there is no concept of session - Azure CLI is a Python application and there is no connection between commands.

Python SDK status

In current Python SDKs, a fallback mechanism is used:

But this fallback mechanism only takes effect when initializing LibsecretPersistence on Linux fails - it is possible that failures can also occur when

  • FilePersistenceWithDataProtection on Windows, KeychainPersistence on MacOS are initialized or actually used. (Token encryption is enforced on Windows and MacOS)
  • LibsecretPersistence on Linux is actually used

When failures happen on various platforms, forcing token encryption will render Azure CLI totally unusable.

Proposed solution

Instead of using allow_unencrypted or fallback_to_plaintext and letting Azure CLI try its best to encrypt, we should introduce a definitive option like plaintext to force an unencrypted token cache, so that complex platform-dependent problems can be bypassed.

Reference email: Workaround for DPAPI/KeyChain Errors

@yonzhan yonzhan added the MSAL label Sep 9, 2021
@yonzhan yonzhan added this to the Sep 2021 (2021-10-12) milestone Sep 9, 2021
@yonzhan (Collaborator)

yonzhan commented Sep 9, 2021

Enhancement

@rayluo (Member)

rayluo commented Sep 9, 2021

Regarding this:

Windows:

One of its comments linked to this MSAL Ex .NET PR which adds a WithUnprotectedFile() option.

So, if that kind of "opt-in to unprotected token cache" behavior is what you want, you can use the FilePersistence in MSAL EX Python. The choice is yours.

@jiasli (Member, Author)

jiasli commented Sep 10, 2021

Totally understand. That's why this issue is opened in Azure CLI repo.

@jiasli (Member, Author)

jiasli commented Oct 15, 2021

Implemented in #19853 as core.token_encryption (for now).

Renamed to core.encrypt_token_cache (#20432).
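The proposal in the opening comment (a definitive switch instead of best-effort fallback, and the observation that platform backends can fail when the cache is used rather than only when it is constructed) and the `core.encrypt_token_cache` name from the closing comment, worked through as an added example. This is illustrative code, not Azure CLI's or MSAL Extensions' own implementation: the parsing helper, the probe, and the `FakePersistence` stand-in are constructed for this example; `build_persistence` assumes msal-extensions is installed and uses its public `build_encrypted_persistence` and `FilePersistence` names.

```python
"""Added example: honour a definitive encrypt/plaintext switch for the MSAL
token cache and probe the chosen backend with a save/load round-trip, so that
failures at use time (not only at construction) are surfaced instead of
leaving the CLI unusable.  Helper names are constructed for this example."""

TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off"}


def parse_encrypt_setting(value, default=True):
    """Interpret `core.encrypt_token_cache` as a definitive boolean.

    None (unset) means the platform default (encrypt).  Any other value must
    be an explicit true/false string; a typo raises rather than silently
    falling back to encryption the operator tried to turn off.
    """
    if value is None:
        return default
    normalized = str(value).strip().lower()
    if normalized in TRUE_VALUES:
        return True
    if normalized in FALSE_VALUES:
        return False
    raise ValueError(f"core.encrypt_token_cache: unrecognised value {value!r}")


def build_persistence(location, encrypt):
    """Return an msal_extensions persistence for the cache file at `location`.

    encrypt=True  -> build_encrypted_persistence(): DPAPI-protected file on
                     Windows, Keychain on macOS, libsecret on Linux.
    encrypt=False -> FilePersistence(): plaintext file, no platform dependency.
    The import is deferred so the config logic is usable without the library
    (assumption: msal-extensions is installed when this is actually called).
    """
    from msal_extensions import build_encrypted_persistence, FilePersistence
    if encrypt:
        return build_encrypted_persistence(location)
    return FilePersistence(location)


def probe_persistence(persistence, probe_payload='{"probe": true}'):
    """Exercise save() and load() once.  Returns (ok, error_message).

    A fallback tied only to construction misses exactly this: a backend can be
    constructed successfully and then fail when the cache is written or read.
    """
    try:
        persistence.save(probe_payload)
        loaded = persistence.load()
    except Exception as exc:  # any backend error: DPAPI, Keychain, libsecret
        return False, f"{type(exc).__name__}: {exc}"
    if loaded != probe_payload:
        return False, "round-trip mismatch"
    return True, ""


def choose_persistence(setting, encrypted_factory, plaintext_factory):
    """Build the persistence the definitive switch asks for and probe it.

    Returns (persistence_or_None, mode, error).  There is deliberately no
    silent downgrade: an encrypted backend that fails is reported, and the
    operator resolves it by setting core.encrypt_token_cache to false.
    """
    encrypt = parse_encrypt_setting(setting)
    persistence = encrypted_factory() if encrypt else plaintext_factory()
    ok, error = probe_persistence(persistence)
    mode = "encrypted" if encrypt else "plaintext"
    return (persistence if ok else None), mode, error


class FakePersistence:
    """Constructed stand-in for a platform backend (not an msal_extensions
    class): constructs fine, and optionally fails only once it is used."""

    def __init__(self, fail_on_use=False):
        self._data = None
        self._fail_on_use = fail_on_use

    def save(self, content):
        if self._fail_on_use:
            raise RuntimeError("platform secure storage unavailable")
        self._data = content

    def load(self):
        if self._fail_on_use:
            raise RuntimeError("platform secure storage unavailable")
        return self._data


if __name__ == "__main__":
    # Encryption on, backend breaks at use time: reported, not hidden.
    print(choose_persistence("true", lambda: FakePersistence(True), FakePersistence))
    # Operator turns the switch off: plaintext file, no platform dependency.
    print(choose_persistence("false", lambda: FakePersistence(True), FakePersistence))
```

In real use the two factories would be `lambda: build_persistence(path, True)` and `lambda: build_persistence(path, False)`, and the returned persistence is wrapped in `msal_extensions.PersistedTokenCache` before being handed to the MSAL application.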

@jiasli jiasli closed this as completed Oct 15, 2021
@jiasli jiasli changed the title [Enhancement Proposal] Add option plaintext to disable token cache encryption [Enhancement Proposal] Add config option to disable token cache encryption Dec 2, 2021