Add IAuthenticator to allow for plugging in of Managed Service Identity #3255
Coveralls: Pull Request Test Coverage Report for Build 102997
@rggammon any update on this? The build is broken. Do you still want to move forward with this?
…ty code (Microsoft.Azure.Services.AppAuthentication)
@johnataylor - thank you for the ping :). I had some API compatibility issues, which I have resolved.
@carlosscastro, as the owner of all things ADAL, can you take a look at this? Seems a reasonable set of changes to me, but your perspective (and corresponding issues to open in JS and Python) are appreciated.
@carlosscastro, this seems reasonable. Can you take a look?
These are great. Let's get them in, thanks for your contribution!!! Could you share your MsiAuth implementation of the IAuthenticator interface and some bot where you use it if you have any? I'm looking into MSI and potential ways of exposing support, so the timing is great.
@rggammon quick reminder: Could you share your MsiAuth implementation of the IAuthenticator interface and some bot where you use it if you have any? I'm looking into MSI and potential ways of exposing support, so the timing is great.
@carlosscastro - https://github.com/rggammon/botframework-solutions/blob/msi/skills/csharp/experimental/restaurantbookingskill/Authentication/MsiAuthenticator.cs is an example. This should work locally. An issue you'll hit when deployed to an App Service is Azure/azure-sdk-for-net#9498, where the tenantId parameter doesn't work, and to talk to ABS you need to use the botframework.com tenant. But this is still useful if the bot is being called as a skill, and it allows you to deploy via a "Deploy to Azure" type button as seen on the https://github.com/Azure/azure-quickstart-templates samples. And I can imagine how, if ABS had a client_id, a bot could run an S2S auth flow to get a token in the bot's tenant instead of the botframework.com tenant, which could get this working for ABS as well.
…ty (#3255) * Add IAuthenticator to allow for plugging in of Managed Service Identity code (Microsoft.Azure.Services.AppAuthentication) * Fix API compatibility issues
Azure App Service (and several other resource types) has a Managed Service Identity feature which simplifies management of application identity - see Microsoft.Azure.Services.AppAuthentication for more information.
By having AdalAuthenticator derive from an interface, I can then inject my own MsiAuthenticator that uses AzureServiceTokenProvider to get the token to call the channels.
I can inject my MsiAuthenticator by overriding BuildCredentialsAsync on BotFrameworkHttpAdapter and returning an MsiAppCredentials class that, in turn, returns the MsiAuthenticator.
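The plug-in chain described above, as an added C# example that is neither this PR's code nor the Bot Builder SDK's. The shapes of IAuthenticator/AuthenticatorResult, AppCredentials.BuildIAuthenticator and BuildCredentialsAsync are assumed from later SDK versions and may differ from what this PR introduced; AzureServiceTokenProvider is the real Microsoft.Azure.Services.AppAuthentication type.

```csharp
// Added example (not the PR's or the SDK's code). Assumed SDK shapes: IAuthenticator.GetTokenAsync(bool)
// returning AuthenticatorResult { AccessToken, ExpiresOn }; AppCredentials.BuildIAuthenticator(); BuildCredentialsAsync(appId, oAuthScope).
using System;
using System.Threading.Tasks;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Bot.Builder.Integration.AspNet.Core;
using Microsoft.Bot.Connector.Authentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;

public class MsiAuthenticator : IAuthenticator
{
    private readonly AzureServiceTokenProvider _provider = new AzureServiceTokenProvider();
    private readonly string _resource;   // token audience, e.g. the Bot Connector OAuth scope
    private readonly string _tenantId;   // optional; see the thread's caveat about tenantId on App Service
    private AuthenticatorResult _cached;

    public MsiAuthenticator(string resource, string tenantId = null) { _resource = resource; _tenantId = tenantId; }

    // No app secret is stored or passed: the token comes from the managed identity endpoint.
    public async Task<AuthenticatorResult> GetTokenAsync(bool forceRefresh = false)
    {
        // Reuse a token that is still valid with a 5-minute margin instead of re-calling the MSI endpoint.
        if (!forceRefresh && _cached != null && _cached.ExpiresOn > DateTimeOffset.UtcNow.AddMinutes(5))
        {
            return _cached;
        }
        AppAuthenticationResult result = await _provider
            .GetAuthenticationResultAsync(_resource, _tenantId).ConfigureAwait(false);
        _cached = new AuthenticatorResult { AccessToken = result.AccessToken, ExpiresOn = result.ExpiresOn };
        return _cached;
    }
}

public class MsiAppCredentials : AppCredentials
{
    private readonly string _resource;
    private readonly string _tenantId;
    public MsiAppCredentials(string appId, string resource, string tenantId = null)
    { MicrosoftAppId = appId; _resource = resource; _tenantId = tenantId; }
    protected override Lazy<IAuthenticator> BuildIAuthenticator() =>
        new Lazy<IAuthenticator>(() => new MsiAuthenticator(_resource, _tenantId));
}

public class MsiBotAdapter : BotFrameworkHttpAdapter
{
    public MsiBotAdapter(IConfiguration config, ILogger<BotFrameworkHttpAdapter> logger) : base(config, logger) { }
    // Swap the secret-based credentials for MSI-backed ones on every outbound channel call.
    protected override Task<AppCredentials> BuildCredentialsAsync(string appId, string oAuthScope = null) =>
        Task.FromResult<AppCredentials>(new MsiAppCredentials(appId, oAuthScope ?? AuthenticationConstants.ToChannelFromBotOAuthScope));
}
```

Register MsiBotAdapter in place of BotFrameworkHttpAdapter in DI; with no MicrosoftAppPassword in configuration, a leaked app settings file no longer yields a usable credential.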