Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MSAL and OIDC support #2308

Closed
wants to merge 26 commits into from
Closed

MSAL and OIDC support #2308

wants to merge 26 commits into from

Conversation

thomas11
Copy link
Contributor

About

This PR contains two related pieces:

  1. Switch the provider from the deprecated ADAL authentication method to the current MSAL method. This is discussed in detail in the document MSAL auth in the Azure Native Provider. However, this document outlines three options for using MSAL, each with drawbacks. Since writing this document I believe I have found a better option that this PR implements: detect the unsupported cli case dynamically and fall back to ADAL in that case.
  2. Enable OIDC for authentication. The actual OIDC implementation is in our dependencies but enabling it was gated behind MSAL. This PR exposes the relevant configuration settings and adds a dedicated test.

Testing

I picked an existing e2e test, keyvault. In general, any e2e test will do since we only want to see that authentication works. However, keyvault has more authentication test coverage than the other tests because it also creates a key vault secret, which is a data plane operation that requires a different token.

I used Go build tags to make this test as oidc. This required moving it into its own file.

In the OIDC test run, we run only this test, unsetting the ARM client secret to make sure we really test OIDC.

Next steps

To fully release OIDC support we need to document it in our user-facing documentation.

I should also document the particular OIDC integration used in testing in our wiki (AD principal, roles, permissions etc.).

thomas11 and others added 26 commits March 17, 2023 11:47
@thomas11
Upgrade auth stack to latest versions
eb30a41 
Spike: upgrade hashicorp/go-azure-helpers to 0.40

Unblock Azure auth by using long-lived context

Fix logic bug in getting object id.

Upgrade some more minor dependencies

minor dependency upgrades

Switch back to ADAL but keep the upgrades.

Fix nil pointer bug in getClientConfig
@thomas11
Factor details of auth better, extra nil check for safety
083a045
@thomas11
[WIP] Cherry-pick MSAL changes from tkappler/upgrade-azure-helpers.
ab4f7b1
@thomas11
Move auth code into its own file
b502903
@thomas11
Use correct audience for MSAL Key Vault token #1566
1f0e274
@thomas11
Dependency upgrades
2d27137
@thomas11
Add OIDC config to auth builder creation
dc6b427
@thomas11
Temporarily use oidc-test client id and comment client secret to test…
23fc749 
… OIDC
@thomas11
need to set ARM_USE_OIDC
b963e62
@thomas11
Need UseMicrosoftGraph and write permissions for JWT token
b5acb2f
@thomas11
Temporarily add back some Q logging
4a37ee7
@thomas11
Split off OIDC test
cd7e4a0
@thomas11
try to cat q.Q output
284bfbb
@thomas11
Rework build tags
e970e89
@thomas11
Name short test runs accordingly
d1112fb
@thomas11
Try echo-ing q.Q again
104c50f
@thomas11
Fix oidc-only test build
60b1b16
@thomas11
Test via az cli as well, get q.Q logs after failures
4d2e5c9
@thomas11
Allow the CLI test to fail for now so we get more overall results.
0396389
@thomas11
regenerate stuff after rebasing
aad5bba
@thomas11
Don't need the cli for OICD
f3c2c95
@thomas11
Sync azure-rest-api-specs with master after rebase
12fdd2e 
Regenerate versions
@thomas11
Fall back to ADAL when the CLI is used for auth
76a0f0c
@thomas11
Different test for az cli, remove q.Q
cca3737
@thomas11
Remove q.Q support from GH action, run nodejs only OIDC tests
adff53f
@thomas11
Comment the OIDC via cli test that's not fully supported
d29f8f2
@thomas11 thomas11 closed this Mar 22, 2023
@danielrbradley
Copy link
Member

Replaced with #2320

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danielrbradley danielrbradley Awaiting requested review from danielrbradley

@mikhailshilkov mikhailshilkov Awaiting requested review from mikhailshilkov

@kpitzen kpitzen Awaiting requested review from kpitzen

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@thomas11 @danielrbradley