Skip to content

acquire_token_interactive(..., prompt="none") acquires token via Cloud Shell's IMDS-like interface #420

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 31, 2022
Merged

acquire_token_interactive(..., prompt="none") acquires token via Cloud Shell's IMDS-like interface #420

merged 1 commit into from
May 31, 2022

Conversation

rayluo
Copy link
Collaborator

@rayluo rayluo commented Oct 18, 2021
edited
Loading

The changes in this proof-of-concept is to allow a typical 3-step pattern MSAL app to automatically utilize the IMDS-like interface when that app happens to be running inside Cloud Shell.

Note to target audience (@jiasli ):

  • Starting from 3/1/2022, portal and Cloud Shell have been refactored to allow cert and token acquisition, again, via this test URL:
    https://rc.portal.azure.com/?feature.sshtokens=true&feature.tokencaching=false#home
    Currently, portal and Cloud Shell team are still working on the error handling, but that part does not block Azure CLI from integrating this feature branch.
  • Currently, the Cloud Shell IMDS-like interface supports only a small set of scopes/resources, such as:
    https://management.core.windows.net/,https://management.azure.com/,https://graph.windows.net/,...
  • When adopting this feature, Azure CLI would need to remove its existing Cloud Shell code path, and use normal MSAL code path.

jiasli
jiasli reviewed Oct 19, 2021
View reviewed changes
jiasli
jiasli reviewed Oct 19, 2021
View reviewed changes
rayluo
rayluo commented Oct 19, 2021
View reviewed changes
@rayluo rayluo marked this pull request as ready for review October 25, 2021 22:42
@rayluo rayluo force-pushed the cloudshell-imds branch from 4b3ba89 to 2b12c6a Compare March 2, 2022 06:53
@rayluo rayluo mentioned this pull request Apr 6, 2022
Closed
@jiasli jiasli mentioned this pull request Apr 14, 2022
Closed
@rayluo rayluo mentioned this pull request Apr 22, 2022
Merged
@rayluo rayluo force-pushed the cloudshell-imds branch from e6cbab9 to ffea5ef Compare May 13, 2022 02:38
jiasli
jiasli reviewed May 18, 2022
View reviewed changes
msal/application.py
Comment on lines +1058 to +1081
self.token_cache.add(dict(
client_id=self.client_id,
scope=response["scope"].split() if "scope" in response else scopes,
token_endpoint=self.authority.token_endpoint,
response=response.copy(),
data=data or {},
authority_type=_AUTHORITY_TYPE_CLOUDSHELL,
))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think Cloud Shell's pseudo managed identity endpoint already has a cache, so does a normal managed identity endpoint. Do we really need to save it to MSAL's cache?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The devil is in the details.

I think Cloud Shell's pseudo managed identity endpoint already has a cache,

The SSH Cert feature has its own quirk in caching. Currently, the Cloud Shell (actually the Azure Portal) does not yet really support caching for SSH Cert.

so does a normal managed identity endpoint.

Yes but there is a catch. Quoted from normal managed identity's document: "The managed identities subsystem caches tokens but we still recommend that you implement token caching in your code." They even defined an HTTP 429 throttling error when you use Managed Identity endpoint too often. FWIW, I'm currently working on another project that is trying to enable MSAL token cache for managed identity.

Do we really need to save it to MSAL's cache?

The MSAL cache has long been designed to be used as often as you want, and it also stores SSH cert. Adding this (technically still a) one-liner here can allow existing MSAL-powered apps' acquire_token_silent() to work, for free (meaning without any extra code change in app's code). Why not?

@rayluo rayluo force-pushed the cloudshell-imds branch from db005ca to 92be2e2 Compare May 19, 2022 05:15
@rayluo
Acquire SSH cert from Cloud Shell IMDS
292e28b 
Cloud Shell Detection

PoC: Silent flow utilizes Cloud Shell IMDS

Introduce get_accounts(username=msal.CURRENT_USER)

A reasonable-effort to convert scope to resource

Replace get_accounts(username=msal.CURRENT_USER) by acquire_token_interactive(..., prompt="none")

Detect unsupported Portal so that AzCLI could fallback
@rayluo rayluo force-pushed the cloudshell-imds branch from 92be2e2 to 292e28b Compare May 19, 2022 05:48
@rayluo rayluo changed the title acquire_token_silent() acquires token via Cloud Shell's IMDS-like interface acquire_token_interactive(..., prompt="none") acquires token via Cloud Shell's IMDS-like interface May 19, 2022
@rayluo rayluo mentioned this pull request May 19, 2022
Merged
@rayluo rayluo force-pushed the cloudshell-imds branch from cd1b9a1 to 292e28b Compare May 19, 2022 06:44
@rayluo rayluo merged commit 1b26417 into dev May 31, 2022
@rayluo rayluo deleted the cloudshell-imds branch May 31, 2022 18:47
@rayluo rayluo mentioned this pull request May 31, 2022
Merged
@jiasli jiasli mentioned this pull request Sep 14, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jiasli jiasli jiasli approved these changes

Assignees
No one assigned
Labels
None yet
Projects
MSAL Python Customer Trust
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rayluo @jiasli