Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] No way to specify local VS credentials for GraphServiceClient #44620

Closed
sanjaydebnath opened this issue Jun 18, 2024 · 2 comments
Closed

[BUG] No way to specify local VS credentials for GraphServiceClient #44620

sanjaydebnath opened this issue Jun 18, 2024 · 2 comments
Assignees
@christothes
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@sanjaydebnath
Copy link

sanjaydebnath commented Jun 18, 2024
edited
Loading

Library name and version

Microsoft.Identity.Web 2.19.0
Azure.Identity 1.12.0
Microsoft.Graph 5.56.0

Describe the bug

When we configure authentication in asp.net we can specify to include the default GraphServiceClient object creation by calling AddMicrosoftGraph method. The default token config for GraphServiceClient is picked up from config as documented here.

There is no way in config I could figure that we can mention to use 'VS/VS code credentials' for local environment debugging purpose. You have to mention either certificate or secret for local environments which we want to avoid.

Expected behavior

There should be an easy option to use 'logged in user token' from VS or VS Code inside ClientCredentials so that for local environment you can still use the same config based approach for the default GraphServiceClient. E.g. for our scenario when we deploy inside AKS cluster we use federated credential flow to authenticate, that we can mention by adding source as SignedAssertionFilePath. For web apps we can use SignedAssertionFromManagedIdentity. But for local machine none of these works without using cert/secret. I would expect to have a type for local may be as **VSOBOIdentity**

I am aware of ways to customize the creation of the client, like mentioned here e.g. I can create custom wrapper using below code that will work in AKS or local machine, but that needs unnecessary custom code.

public class GraphService : IGraphService
    {
        private readonly HttpClient _httpClient;
        private readonly GraphOptions _graphOptions;

        public GraphService(IConfiguration configuration)
        {
            var handlers = GraphClientFactory.CreateDefaultHandlers();
            this._httpClient = GraphClientFactory.Create(handlers);
            _graphOptions = configuration.GetSection("Graph").Get<GraphOptions>()!;
        }

        public async Task<AADUser> GatUserGroups(IEnumerable<string> groupIds, string oboToken)
        {
            var onBehalfOfCredential = Debugger.IsAttached
                                                         ? new DefaultAzureCredential()
                                                         : new OnBehalfOfCredential(_graphOptions.TenantId, _graphOptions.ClientId, GetK8ServiceAccountAssertion, oboToken)
            var authProvider = new AzureIdentityAuthenticationProvider(onBehalfOfCredential, scopes: _graphOptions.Scopes);
            var graphServiceClient = new GraphServiceClient(_httpClient, authProvider);
            // ... use graphServiceClient object now and register IGraphService as singleton
            // ... get user groups etc...
        }

       // e.g. documented here: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/samples/OtherCredentialSamples.md#onbehalfofcredential-with-managed-identity-fic-example
       public static Task<string> GetK8ServiceAccountAssertion(CancellationToken cancellationToken)
       {
              // get existing workload assertion and return
       }
    }

Actual behavior

N/A

Reproduction Steps

Enable authentication in code as

builder.Services
    .AddAuthentication()
    .AddMicrosoftIdentityWebApi()
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddMicrosoftGraph()
    .AddDistributedTokenCaches();

In appsettings.json add below config (only kept necessary configs for downstream api call

"AzureAd": {
    "TenantId": "common",
    "ClientId": "...", 
    "Instance": "https://login.microsoftonline.com/",
    "ValidIssuers": [
        "..."
    ],
    "ValidAudiences": [
        "..."
    ],
    "ClientCredentials": [
        {
            "SourceType": "SignedAssertionFilePath",
            "SignedAssertionFileDiskPath": "/var/run/secrets/azure/tokens/azure-identity-token"
        },
        {
            "SourceType": "SignedAssertionFromManagedIdentity",
            "ManagedIdentityClientId": "...."
        },
        {
            "SourceType": "VSOBOIdentity" // does NOT exist today
        }
    ]
}

Environment

No response
@github-actions github-actions bot added Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jun 18, 2024
@github-actions GitHub Actions
Copy link

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@jsquire jsquire mentioned this issue Jun 18, 2024
Closed
@jsquire
Copy link
Member

jsquire commented Jun 18, 2024

As this is related to how the Microsoft.Graph library allows configuration, this issue has been transferred to the repository where that package is maintained as #2554.

@jsquire jsquire closed this as not planned Won't fix, can't repro, duplicate, stale Jun 18, 2024
@andrueastman andrueastman mentioned this issue Jun 25, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@christothes christothes

Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Projects
Azure Identity SDK Improvements
Status: Done
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jsquire @christothes @sanjaydebnath