-
Notifications
You must be signed in to change notification settings - Fork 339
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug] Public cloud regionalization breaks existing services before 4.49.x #4022
Comments
Hi @tomkerkhove - can you please contact us via email so that we can add ESTS-R folks reponsible for the DNS? bogavril |
After discussions with the ESTS-R team, we have reched the conclusion that we cannot enforce the new alias, as some end-app devs block it and it is outside our control. We need a mechanism to:
I propose we use either HttpClient extensibility or MSAL team to provide a POC. |
Typo. You meant to say
This change is also applicable to other confidential MSALs, isn't it? Some may not have Why did the original proposal |
While that approach would work, it does not stimulate to move away to the new DNS name nor does it easily allow you to gain insights if the new DNS entry became available unless you made a code change. The proposed approach above, however, does give you that by doing a failover to the old DNS name in case the new one is not reachable. |
Good point.
Will that work well, though? Before that failover happens, an attempt on an unreachable domain name could hang indefinitely. Besides, if "some end-app devs block it and it is outside our control", those app devs would control which domain suffix would work. Does that mean at any given time, there would be one and only one suffix that works? Then we might as well also let those app devs to control which suffix to use accordingly, in a deterministic way. |
I hope not because that means platform builders such as Azure API Management have to do code changes given customers own the networking and they can change it without us changing the code. Hence why our preference is to go with the fallback approach.
We could set a time threshold after which we consider it as failed though, no? |
Is the proposal here to do a failover per each acquire token request? We allow users to pass a cancellation token with a timeout, so I think adding our own timeout and then figuring out which endpoint works adds complexity. If the assumption is that whichever regional endpoint is valid during the app's existence is constant, we can do some sort of a ping during the initial regional discovery. Then cache the result of which regional endpoint is available statically. We already do an IMDS call with a 2 second timeout. So this would be similar. |
@tomkerkhove - here's a sample implementation using MSAL's existing HttpClient extensibility. Let me know what you think. |
Closing this as resolved, please re-open if more guidance is needed. |
Logs and network traces
Without logs or traces, it is unlikely that the team can investigate your issue. Capturing logs and network traces is described in Logging wiki.
Which version of MSAL.NET are you using?
4.49.1
Platform
What authentication flow has the issue?
Other?
Relates to #3252
Is this a new or existing app?
The 1P service is in production, and we have upgraded to a 4.49.1 or above of MSAL. This is breaking customers which use VNETs as they have to allow the traffic.
Repro
Expected behavior
Not break customers.
Actual behavior
Customers have to change network to allow traffic to be sent to new regional endpoints.
Possible solution
Make the DNS suffix configurable so that 1P services can use later version of the package; but still use the old DNS suffix.
For example:
builder.WithAzureRegion(region, regionalHostSuffix: "r.login.microsoftonline.com")
The text was updated successfully, but these errors were encountered: