SqlClient: Support SqlAuthenticationProvider and authentication connection string keyword for AAD auth #10
Comments
We need to port over code from full .NET Framework. |
So does it mean the AAD auth support for Azure SQL Database may not be available anytime soon? Thanks & Regards, |
Yes, priority-wise it is not too high up given the cost/benefit ratio (as understood today). @YoungGah @saurabh500 are there other ways to authenticate Azure SQL Database from .NET Core? |
Right now connections to Azure SQL DB can be accomplished by specifying the User Id and Password to the |
@gabarach would that be a reasonable workaround for you? |
We have a request for the MSSQL extension in VSCode to support Azure AD authentication - see microsoft/vscode-mssql#435. This is dependent on this enhancement since we use the SqlClient stack in .Net Core to connect. Adding this comment to help track this ask. |
@kevcunnane why is the workaround above not sufficient for you? |
@karelz - the workaround is viable for most cases (in my opinion). I'm trying to add our user's voice to the conversation so that the team can take this on board when prioritizing. I understand this is an enhancement request - for the same reasons that Azure AD support was added to .Net and to ODBC drivers, it would be good to have symmetry here and allow users the benefits that come with Azure AD integration (e.g. no longer manage at a server level, but instead using AD-managed credentials). As to why I'm raising this: It's something a user of our new MSSQL extension to VSCode raised as an issue. For many users they might not have permissions to create new users and only have an Azure AD login permission, or their company might mandate use of AD authentication. This is lower priority to our team than a number of other .Net Core related issues but it's likely that as Azure AD authentication increases in usage, this may become higher priority. |
Has there been any traction on this? My employer is moving on-prem applications to the cloud and our current standard is to use Active Directory Integrated authentication. We would really like to use this in our applications. Thanks. |
Any movement on this? Using AAD for Azure SQL is the most secure way available now and having support for this is a must. Thanks. |
@divega @saurabh500 @corivera can comment on progress / prioritization / workarounds, given we have 10 votes now. |
Does me giving this issue the thumbs-up count as a "vote"? |
We are working with the SQL Security team for an AAD auth solution which can work cross platform for .Net Core and which can have a decoupled design for SqlClient in .Net core so that the users who are not using AAD Auth don't need a dependency on all the AAD packages. Meanwhile, are folks on this thread looking to use AAD Azure SQL DB auth using only Windows or are there users who intend to take this capability on Linux as well? |
Also what kind of auth satisfies your requirements more? Fedauth username and password or integrated auth? |
Hi @saurabh500, my requirement is AAD that differs from the log on to my machine (I think this is fedauth ye?). The reason for this is that I work with many clients, and need to log in to multiple Azure AD instances from time to time... so this is my primary requirement. Regarding platform, I would say that Windows would satisfy my requirement very well, however I am contemplating moving over to work on macOS, and would very much like to be able to use AAD against SQL Svr in Visual Studio Code, but it would be a bonus |
OSX support would be very well received in my business. |
Thanks @m1nkeh and @rgbattersby @m1nken Yes, I am talking about FedAuth which is used to authenticate to Azure SQL using your domain account. |
AAD Username and Password, yes. |
Ideally both, to support users who generally belong to other AD environments such as contractors etc and our own employees. |
Since SQL Operations Studio goes to Preview stage, original request of supporting AAD username and password on MacOS and Linux needs to be upvoted and uplifted with higher priority. |
Came here from SQL Operation Studio (Preview). As we only allow ad-hoc query to our Azure SQL using Azure AD (username/password), not via SQL Login (username/password). |
This is critical for Mac-based teams that are moving to Azure. Please prioritize this. |
AAD Username and Password and windows is what we use in our projects. |
Came here from SQL Operations Studio (Preview) as well and it would be very important to have AAD authorization working (in both username\password and Integrated). |
As more and more Azure resources support MSI, we are actively converting all possible resources to use MSI. Why? If there isn't a secret, you can't leak it. So insofar as this issue relates to MSI support in .NET Core, it is quite important. |
Is this the right place to up-vote this? Or is there another place like a user voice site? |
Workaround is to put the SQL password in a key vault and use MSI to authorise the app to access the key vault, which does work from dotnet core. |
We absolutely want this feature to remove the hassle of keeping passwords in keyvault and then pulling them from .NET core code. The workaround is ok from a security point of view, but adds an extra layer of maintenance that isn't ideal. |
I have the same problem as @AndersMalmgren I tried specifying UserId in the connection string, but then the SqlConnection constructor fails saying that UserId and AccessToken cannot be used together. |
@AndersMalmgren I have solved it by using two slashes in the scope: "https://database.windows.net//.default" It is vaguely documented here: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Adal-to-Msal#warning-should-you-have-one-or-two-slashes-in-the-scope-corresponding-to-a-v10-web-api |
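Yeah, I got it working too some while ago.

```csharp
// Runs inside Startup.ConfigureServices; needs the ADAL, EF Core and SqlClient namespaces in scope.
// The "xxx" values are the poster's placeholders.
services.AddScoped<DbContext>(p =>
{
    var ctx = new AuthenticationContext("https://login.microsoftonline.com/xxx");
    // Acquire a token for Azure SQL with client credentials (blocks on the async call).
    var result = ctx.AcquireTokenAsync("https://database.windows.net/", new ClientCredential("xxx", "xxx"))
        .ConfigureAwait(false)
        .GetAwaiter()
        .GetResult();
    var db = p.GetService<MyDbContext>();
    // Hand the token to the underlying SqlConnection before it is opened.
    ((SqlConnection)db.Database.GetDbConnection()).AccessToken = result.AccessToken;
    return db;
});
```
|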
As recently announced in the .NET Blog, focus on new SqlClient features and improvements is moving to the new Microsoft.Data.SqlClient package. For this reason, we are moving this issue to the new repo at https://github.com/dotnet/SqlClient. We will still use https://github.com/dotnet/corefx to track issues on other providers like System.Data.Odbc and System.Data.OleDB, and general ADO.NET and .NET data access issues. |
Hi - What is "xxx" supposed to be in "var ctx = new AuthenticationContext("https://login.microsoftonline.com/xxx");" |
@nimitad It's the authority you are authenticating against: |
Can a .NET Core 2.2 web API work with SQL using Azure AD Password Authentication? |
Have you tested with latest preview version of Microsoft.Data.SqlClient ? |
@cheenamalhotra FWIW, I just tested this with https://www.nuget.org/packages/Microsoft.Data.SqlClient/1.0.19189.1-Preview and I still see the exception when targeting .NET Core:
Is this supposed to be addressed? |
Yes. I tested with that, still same issue |
I get it now. The work is in progress for .NET Core support, we only have it working for applications targeting .NET Framework as of now. Likewise the issue is addressed in our backlog and planned for GA. I will mark it accordingly in Kanban board to avoid any confusion. |
It worked for me doing this from an Azure App Service using MSI.
I got these packages added to my project:
|
Is there an ETA for this issue? |
I have taken the latest version of SqlClient, but my issue is not solved. I created one Azure App with the name 'CoreApp'. Then I added a user with the same name as the Azure App, 'CoreApp', in Azure SQL Server and granted the permissions for that user by using the below commands. Then I used the below code in the Web API in the Startup.cs file, within the method 'services.AddDbContext'. Now I am able to access Azure SQL with AD password authentication within .NET Core 2.0 |
Active Directory Password Authentication support has been added to Microsoft.Data.SqlClient (NetCore) in the latest preview version 1.0.19221.1-Preview | Release Notes. Closing the issue. |
@cheenamalhotra, could you point a fellow developer to either the source code/merge request that implemented the change to support the Active Directory Password Authentication method? I've made sure to read through this entire thread and there were no examples specifically geared to this approach using .NET Core; specifically, I am referring to configuring the SqlConnection in .NET Core to use (what I assume) the implemented provider for Active Directory Password Authentication.
Please correct me if I'm wrong and provide guidance otherwise. |
Hi @abjoseph Usage in NetCore for AAD Password Authentication is identical to .Net Framework, and same connection string works for both targets. Existing Documentation: Using an Azure AD identity to connect from a client application We are currently working on gathering documents for all existing and new features for M.D.SqlClient which will provide more clarity. We'll also add more details for Interactive Authentication (which is currently supported in .Net Framework), but for now you can use the same connection string as Integrated Authentication connection string with For .NET Core to support Interactive authentication, it is in our backlog and shall be picked up in future iterations, we were hitting some roadblocks from MSAL.NET hence it's disabled for now. Whenever we touch base again, Integrated and Interactive modes need to be re-investigated and hopefully will be supported for .NET Core in future driver versions. Thanks for checking in! |
I too would like this in .net core 2.2, And no, I don't want to supply pwds either. Would you have a link to the work task on getting "Authentication=Active Directory Integrated" working in .net core? |
AAD authentication, including MFA, is already supported on SqlClient for .NET Core from version 2.2, by first obtaining the AccessToken using the ADAL library or some other method against Azure AD, and then setting it on the AccessToken property of the SqlConnection.
This issue is about enabling a different pattern for AAD authentication that is supported in .NET Framework, in which SqlClient takes care of obtaining the AccessToken automatically based on an authentication keyword in the connection string and SqlAuthenticationProvider implementations.
Original issue text
Please add AAD auth support for Azure SQL Database the way that's supported in .NET framework 4.6. We should be able to use Authentication modes like "Active Directory Integrated" and "Active Directory Password" in the connecting string.
Currently, including the aforementioned authentication modes results in the following error:
“Keyword not supported: ‘authentication’.”
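
The two patterns this issue contrasts, side by side, as an added example (not code from this thread or from the SqlClient project). It assumes a Microsoft.Data.SqlClient version that accepts the `Authentication` keyword on the target runtime; the server, database, user and token values are constructed placeholders, and the token is assumed to have been obtained from Azure AD elsewhere.

```csharp
// Added example: not code from this thread or from the SqlClient project.
using System;
using Microsoft.Data.SqlClient;

static class AadSqlConnections
{
    // Pattern 1: the application obtains the token itself and sets AccessToken.
    public static SqlConnection WithAccessToken(string connectionString, string accessToken)
    {
        var csb = new SqlConnectionStringBuilder(connectionString);
        // Reject conflicting credentials up front instead of failing when the token is set.
        if (!string.IsNullOrEmpty(csb.UserID) || !string.IsNullOrEmpty(csb.Password) ||
            csb.IntegratedSecurity || csb.Authentication != SqlAuthenticationMethod.NotSpecified)
        {
            throw new ArgumentException(
                "Connection string must not carry credentials or an Authentication keyword when AccessToken is used.");
        }
        return new SqlConnection(csb.ConnectionString) { AccessToken = accessToken };
    }

    // Pattern 2: SqlClient obtains the token, driven by the Authentication keyword.
    public static SqlConnection WithPasswordKeyword(string server, string database, string user, string password)
    {
        var csb = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            Authentication = SqlAuthenticationMethod.ActiveDirectoryPassword,
            UserID = user,
            Password = password // load from a secret store, not from source or config
        };
        return new SqlConnection(csb.ConnectionString);
    }

    static void Main()
    {
        // Constructed values; no connection is opened here.
        const string baseCs = "Server=tcp:example.database.windows.net,1433;Database=exampledb;Encrypt=True";
        using var tokenConn = WithAccessToken(baseCs, "<token obtained from Azure AD>");
        using var keywordConn = WithPasswordKeyword(
            "tcp:example.database.windows.net,1433", "exampledb", "user@example.com", "<password>");
        Console.WriteLine($"{tokenConn.Database} / {keywordConn.Database}");
    }
}
```

The first pattern keeps no long-lived secret in the connection string; the second still needs the password to be stored and delivered securely.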