Tokens generated using adal 1.2.0 (python) works but those generated using adal4j 1.6.0 do not Azure Active Directory App Integration and Development #282
Comments
|
@yubhat The reason this is happening is because ADAL Python hardcodes the api-version in the endpoints they are hitting ("api-verseion=1.0"), while Java does not. ADAL Java is in maintenance mode and we are not making updates unless they are security related. Do you own the Kubernetes service which you using the token for? |
|
@sangonzal unfortunately, we dont own the Kubernetes service, hence we cannot make any changes there. If there is any way in which we can pass the api-version via the java sdk (adal or msal), it will solve this issue for us. |
|
@yubhat @chatter92 Out of curiosity, how do you initialize ADAL Python in your code? Did you explicitly use its |
|
@rayluo yes, we have explicitly set api_version to 1.0 in our script. |
|
@yubhat @chatter92 ADAL is in maintenance mode and we are not planning on making changes unless they are security related. The Kubernetes service should accept tokens with the new format. Have you tried contacting the owners and asking them to update? |
|
@chatter92 Thanks for sharing this info! Back then when I implemented that As @sangonzal correctly pointed out, ideally the Kubernetes service would better accept new format of token. By the way, @chatter92 have you folks even try using our MSAL library (either MSAL Python or MSAL Java)? Will the token acquired by those libraries work for Kubernetes service? If not, that will be another topic that we would like to figure out. //CC our PMs @navyasric @jmprieur as a FYI. |
|
@rayluo we did try using the MSAL java library (1.1.0), but it looks like even that is generating tokens without the "spn" prefix, so it didnt work with our cluster. So till the time we get a k8s update, if we could get the token in the older format, it would great for us. |
|
@chatter92 Your research effort on this topic is amazing! Given that the Kubernetes side has fixed this and is probably in the process of releasing/rolling out their new version, would you consider checking their release plan and see if you can wait? Because, even if you somehow find a workaround to add that legacy |
|
Yeah that's the thing. We don't know when we will get an update on the cluster, so we dont know how long we have to wait. If you can expose this api_version parameter, we can keep it configurable in our service in, say, a properties file. So today, that property can say api_version=1.0. Tomorrow, when they do rollout the fix, we can just update the properties file to say api_version=2.0 or something |
|
Closing. We will not be addressing this in adal4j. Migrating to MSAL can be found here: |
Using adal 1.2.0(python) and adal4j 1.6.0(java) to generate access tokens using username and password. The resource ids and the client app ids are the same in both cases. However, while the token generated via the python sdk works perfectly, the token generated via the java sdk does not.
Python is giving audition as SPN:Client_ID
Java is giving audition: Client_ID
Kubernetes service expect audition as SPN:Client_ID
Python Adal Saml assertion:-
https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/dev/adal/authentication_context.py#L147
https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/dev/adal/token_request.py#L186
Ask:
Tokens generated using adal 1.2.0 (python) works but those generated using adal4j 1.6.0 do not Azure Active Directory App Integration and Development.
The text was updated successfully, but these errors were encountered: