[MSAL Migration] device code flow is not supported in Managed Device in Conditional Access #62
Comments
|
pending on token cache feature in Azure/azure-sdk-for-go#6602 |
weinong
changed the title
|
adapter between ADAL and AzIdentity |
|
The device code flow is much less convenient than interactive browser, so please migrate. Additionally, ADAL has been deprecated and will no longer receive security updates:
|
|
Hi @aelij, yes, completely agree with you. I'm ramping up a new hire on this project. Hopefully we can tackle it soon. Though, I'm curious to learn what "inconvenience" you are referring to? |
|
The fact that you have to copy the device code, open the browser, paste it and login, rather than having the browser simply open :) |
|
Any update on the progress to migrate kubelogin to MSAL? Would changing to MSAL result in the access_token be included in the _claim_sources member when a distrubted claim is returned? We can't use kubelogin with anything other than AKS due to this limitation when users have more than 200 groups. |
|
closing this issue as web interactive login mode is compatible with conditional access policy |
|
@weinong I think you should keep this open until ADAL is fully removed from the repo (or track in a different issue). The library was deprecated a while ago and presents a security risk. |
The limitation is documented here.
The fix is to adopt auth code grant flow
Sample code: https://github.com/Azure/azure-sdk-for-go/blob/master/sdk/azidentity/interactive_browser_credential.go
The text was updated successfully, but these errors were encountered: