Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Subject Name/Issuer authentication #13350

Merged
merged 5 commits into from
Sep 1, 2020
Merged

Support Subject Name/Issuer authentication #13350

merged 5 commits into from
Sep 1, 2020

Conversation

chlowell
Copy link
Member

This leverages MSAL to support SNI auth with the sync CertificateCredential (closes #10816). I've tested this manually and will add a live test in a later PR. Adding equivalent support to the async CertificateCredential is tracked by #13349.

@chlowell chlowell added Client This issue points to a problem in the data-plane of the library. Azure.Identity labels Aug 27, 2020
@chlowell chlowell requested a review from schaabs as a code owner August 27, 2020 00:43
@chlowell chlowell requested a review from g2vinay August 27, 2020 00:44
xiangyan99
xiangyan99 reviewed Aug 28, 2020
View reviewed changes
sdk/identity/azure-identity/azure/identity/_credentials/certificate.py
@@ -54,9 +56,30 @@ def __init__(self, tenant_id, client_id, certificate_path, **kwargs):

# TODO: msal doesn't formally support passwords (but soon will); the below depends on an implementation detail
private_key = serialization.load_pem_private_key(pem_bytes, password=password, backend=default_backend())
client_credential = {"private_key": private_key, "thumbprint": hexlify(fingerprint).decode("utf-8")}
if kwargs.pop("send_certificate", False):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we do this only in
if kwargs.pop("send_certificate", False):
else:
private_key = serialization.load_pem_private_key(pem_bytes, password=password, backend=default_backend())
client_credential = {"private_key": private_key, "thumbprint": hexlify(fingerprint).decode("utf-8")}

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need the private key and fingerprint in both cases. send_certificate=True means we need to include the cert content as well.

xiangyan99
xiangyan99 reviewed Aug 28, 2020
View reviewed changes
sdk/identity/azure-identity/azure/identity/_credentials/certificate.py
)


def extract_cert_chain(pem_bytes):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

public method?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Private package.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. But if we only want to use the method in this model, shouldn't we use _extract_cert_chain? Or we may want to use it in other models in the future?

@chlowell chlowell merged commit e2cac03 into Azure:master Sep 1, 2020
@chlowell chlowell deleted the sni branch September 1, 2020 16:14
iscai-msft added a commit to iscai-msft/azure-sdk-for-python that referenced this pull request Sep 2, 2020
@iscai-msft
Merge branch 'master' of https://github.com/Azure/azure-sdk-for-python
f7625ea 
…into link_om_sample

* 'master' of https://github.com/Azure/azure-sdk-for-python: (23 commits)
  Int32 serialization (Azure#13452)
  add output to opinion mining sample (Azure#13494)
  Add Document w/ Eng Sys Checks (Azure#13492)
  update version (Azure#13495)
  Remove resources post test (Azure#13379)
  bing_id -> bing_entity_search_api_id (Azure#13491)
  [EventGrid] Read me + improve docstrings (Azure#13484)
  Build AuthenticationRecords from ADFS identity tokens (Azure#13341)
  Support Subject Name/Issuer authentication (Azure#13350)
  Add KeyVaultAccessControlClient for data plane RBAC (Azure#13372)
  [text analytics] Add redacted_text (Azure#13449)
  add python sdk sample (Azure#13338)
  [text analytics] add versionadded sphinx documentation (Azure#13450)
  [text analytics] add bing_id property to LinkedEntity class (Azure#13446)
  fix typing for paging methods (Azure#13410)
  [text analytics] add domain_filter param (Azure#13451)
  fix issue Azure#11658 for is_valid_resource_id (Azure#11709)
  added create_table_if_not_exists method to table service client (Azure#13385)
  [ServiceBus] Test and failure improvements (Azure#13345)
  Proper encoding and decoding of source URLs - Fixes special characters in source URL issue (Azure#13275)
  ...
rakshith91 pushed a commit to rakshith91/azure-sdk-for-python that referenced this pull request Sep 4, 2020
@chlowell @rakshith91
Support Subject Name/Issuer authentication (Azure#13350)
535a8b2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xiangyan99 xiangyan99 xiangyan99 approved these changes

@mccoyp mccoyp Awaiting requested review from mccoyp

@schaabs schaabs Awaiting requested review from schaabs

@g2vinay g2vinay Awaiting requested review from g2vinay

Assignees
No one assigned
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support SubjectName/Issuer (SNI) authentication
2 participants
@chlowell @xiangyan99