
Rework CustomJWTAuthentication to request the oauth token correctly #465

Merged (1 commit, Feb 8, 2022)

Conversation

@nclaeys (Contributor) commented Feb 7, 2022

Usecase:
I am using oidc on k8s with workload-identity for spark applications and noticed that requesting a token did not work.

Problem:
The fix for #437 is not sufficient to work with workload identity as the new CustomJwtAuthentication class does not construct the correct body for requesting a token (the applyTo method does nothing).

I use this library as follows:

import com.microsoft.aad.msal4j.*;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.TimeUnit;

// tokenFileString is assumed to hold the JWT read from the projected service-account token file
IClientCredential credential = ClientCredentialFactory.createFromClientAssertion(tokenFileString);
// clientId is the Azure AD application id; builder(...).build() throws MalformedURLException if the authority is invalid
ConfidentialClientApplication app = ConfidentialClientApplication.builder(clientId, credential).authority(authority).build();

Set<String> scopes = new HashSet<>();
scopes.add("https://storage.azure.com/.default");

ClientCredentialParameters parameters = ClientCredentialParameters.builder(scopes).tenant(tenantId).build();
IAuthenticationResult token = app.acquireToken(parameters).get(5, TimeUnit.SECONDS);

Changes that I made are:

  • I updated the customJwtAuthentication to work similarly to how the JwtAuthentication class from com.nimbusds.oauth2.sdk.auth does. I think this is useful for other users as well, such that they can also use workload identity with Java applications.
  • The clientId used should be the Azure AD application id instead of the subject in the JWT token, as this is the serviceAccount and thus does not exist in Azure AD.

Note on running all tests:
I had issues running all tests as some depended on libraries I do not have on Linux. To test the relevant classes I created a custom keystore with a self-signed certificate in it with a password (minimum was 6 characters). Can you describe the setup required to run all the tests locally?

The customJwtAuthentication class did not provide the same behavior as the JwtAuthentication class of the nimbusds library.
The fix for AzureAD#437 is not sufficient to use workload-identity with this msal library. I updated the customJwtAuthentication to make sure it sets the correct body when requesting oauth tokens.
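The PR description above says the reworked applyTo method has to populate the token request body the way nimbusds' JwtAuthentication does, and that client_id must be the Azure AD application id rather than the JWT's subject. The following is an added example, not code from msal4j or from this PR, showing what that body looks like for the client_credentials grant with a JWT client assertion (RFC 7523 section 2.2). The JWT it uses is a constructed, unsigned sample standing in for a projected Kubernetes service-account token, and the application id is a placeholder; the class and method names are this example's own.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not msal4j's own code): builds the form body of a token
 * request authenticated with a JWT client assertion, as described in RFC 7523.
 */
public class ClientAssertionRequestBody {

    // Value fixed by RFC 7523; Azure AD expects exactly this string.
    static final String JWT_BEARER_ASSERTION_TYPE =
            "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    /** Form parameters for client_credentials with a JWT client assertion. */
    static Map<String, String> buildBody(String applicationId, String clientAssertion, String scope) {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "client_credentials");
        form.put("scope", scope);
        // client_id is the Azure AD application (client) id. The JWT's 'sub' is the
        // Kubernetes service account, which Azure AD does not know as an identity.
        form.put("client_id", applicationId);
        form.put("client_assertion_type", JWT_BEARER_ASSERTION_TYPE);
        form.put("client_assertion", clientAssertion);
        return form;
    }

    /** Serialises the parameters as application/x-www-form-urlencoded. */
    static String encode(Map<String, String> form) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : form.entrySet()) {
            if (sb.length() > 0) {
                sb.append('&');
            }
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    /** Returns the JWT payload as JSON text. No signature check: for inspecting claims only. */
    static String payloadJson(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) {
            throw new IllegalArgumentException("not a JWT");
        }
        return new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
    }

    /** Constructed sample: header and claims of a projected service-account token, signature omitted. */
    static String sampleServiceAccountJwt() {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String claims = "{\"sub\":\"system:serviceaccount:spark:spark-driver\","
                + "\"aud\":\"api://AzureADTokenExchange\",\"exp\":1644314400}";
        return enc.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
                + enc.encodeToString(claims.getBytes(StandardCharsets.UTF_8)) + ".SIGNATURE-PLACEHOLDER";
    }

    public static void main(String[] args) {
        String jwt = sampleServiceAccountJwt();
        String applicationId = "00000000-0000-0000-0000-000000000000"; // placeholder app id
        Map<String, String> body = buildBody(applicationId, jwt, "https://storage.azure.com/.default");

        System.out.println("assertion claims: " + payloadJson(jwt));   // sub is the k8s service account
        System.out.println("client_id sent  : " + body.get("client_id")); // the application id, not sub
        System.out.println("form body       : " + encode(body));
    }
}
```

The printed output makes the second bullet of the description concrete: the assertion's sub claim names a Kubernetes service account, while the client_id field carries the application id that Azure AD actually knows. A request whose applyTo leaves client_assertion_type and client_assertion out of the body, or copies sub into client_id, is rejected by the token endpoint.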
@siddhijain (Contributor) commented
@nclaeys Thanks for putting your time and effort in fixing the code. We highly appreciate it. I have tested the changes and they look good to me. I am not sure of the setup needed to run these tests in Linux since we use a Windows machine. I will update you once I find something.
I will discuss with my team and wait for them to review the PR before merging this in.
Thanks again.

@siddhijain siddhijain merged commit 58baa9f into AzureAD:dev Feb 8, 2022