Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] No way to specify local VS credentials for GraphServiceClient #2554

Closed
jsquire opened this issue Jun 18, 2024 · 1 comment
Closed

[BUG] No way to specify local VS credentials for GraphServiceClient #2554

jsquire opened this issue Jun 18, 2024 · 1 comment

Comments

@jsquire
Copy link

jsquire commented Jun 18, 2024

Issue Transfer

This issue has been transferred from the Azure SDK for .NET repository, #44620.

Please be aware that @sanjaydebnath is the author of the original issue and include them for any questions or replies.

Details

Library name and version

Microsoft.Identity.Web 2.19.0
Azure.Identity 1.12.0
Microsoft.Graph 5.56.0

Describe the bug

When we configure authentication in asp.net we can specify to include the default GraphServiceClient object creation by calling AddMicrosoftGraph method. The default token config for GraphServiceClient is picked up from config as documented here.

There is no way in config I could figure that we can mention to use 'VS/VS code credentials' for local environment debugging purpose. You have to mention either certificate or secret for local environments which we want to avoid.

Expected behavior

There should be an easy option to use 'logged in user token' from VS or VS Code inside ClientCredentials so that for local environment you can still use the same config based approach for the default GraphServiceClient. E.g. for our scenario when we deploy inside AKS cluster we use federated credential flow to authenticate, that we can mention by adding source as SignedAssertionFilePath. For web apps we can use SignedAssertionFromManagedIdentity. But for local machine none of these works without using cert/secret. I would expect to have a type for local may be as **VSOBOIdentity**

I am aware of ways to customize the creation of the client, like mentioned here e.g. I can create custom wrapper using below code that will work in AKS or local machine, but that needs unnecessary custom code.

public class GraphService : IGraphService
    {
        private readonly HttpClient _httpClient;
        private readonly GraphOptions _graphOptions;

        public GraphService(IConfiguration configuration)
        {
            var handlers = GraphClientFactory.CreateDefaultHandlers();
            this._httpClient = GraphClientFactory.Create(handlers);
            _graphOptions = configuration.GetSection("Graph").Get<GraphOptions>()!;
        }

        public async Task<AADUser> GatUserGroups(IEnumerable<string> groupIds, string oboToken)
        {
            var onBehalfOfCredential = Debugger.IsAttached
                                                         ? new DefaultAzureCredential()
                                                         : new OnBehalfOfCredential(_graphOptions.TenantId, _graphOptions.ClientId, GetK8ServiceAccountAssertion, oboToken)
            var authProvider = new AzureIdentityAuthenticationProvider(onBehalfOfCredential, scopes: _graphOptions.Scopes);
            var graphServiceClient = new GraphServiceClient(_httpClient, authProvider);
            // ... use graphServiceClient object now and register IGraphService as singleton
            // ... get user groups etc...
        }

       // e.g. documented here: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/samples/OtherCredentialSamples.md#onbehalfofcredential-with-managed-identity-fic-example
       public static Task<string> GetK8ServiceAccountAssertion(CancellationToken cancellationToken)
       {
              // get existing workload assertion and return
       }
    }

Actual behavior

N/A

Reproduction Steps

Enable authentication in code as

builder.Services
    .AddAuthentication()
    .AddMicrosoftIdentityWebApi()
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddMicrosoftGraph()
    .AddDistributedTokenCaches();

In appsettings.json add below config (only kept necessary configs for downstream api call

"AzureAd": {
    "TenantId": "common",
    "ClientId": "...", 
    "Instance": "https://login.microsoftonline.com/",
    "ValidIssuers": [
        "..."
    ],
    "ValidAudiences": [
        "..."
    ],
    "ClientCredentials": [
        {
            "SourceType": "SignedAssertionFilePath",
            "SignedAssertionFileDiskPath": "/var/run/secrets/azure/tokens/azure-identity-token"
        },
        {
            "SourceType": "SignedAssertionFromManagedIdentity",
            "ManagedIdentityClientId": "...."
        },
        {
            "SourceType": "VSOBOIdentity" // does NOT exist today
        }
    ]
}

Environment

No response
@jsquire jsquire mentioned this issue Jun 18, 2024
Closed
@andrueastman
Copy link
Member

Thanks for raising this @jsquire

I believe the correct place for the issue transfer would be microsoft.identity.web library that handles the configuration options for the scenario. The microsoft graph library only provides models and requestbuilders for making requests while allowing authentication scenarions to be handled externally.

We'll close this and forward the feature request at AzureAD/microsoft-identity-web#2910

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jsquire @andrueastman