Feature | Azure Active Directory Managed Identity authentication support

[cheenamalhotra]

Fixes #616

Introduces AAD Managed Identity support with below authentication mode keywords:

• Active Directory Managed Identity
• Active Directory MSI (for cross MS SQL drivers compatibility)

Connection strings applicable:

// For System Assigned Managed Identity
"Server:{serverURL}; Authentication=Active Directory MSI; Initial Catalog={db};"

// For System Assigned Managed Identity
"Server:{serverURL}; Authentication=Active Directory Managed Identity; Initial Catalog={db};"

// For User Assigned Managed Identity
"Server:{serverURL}; Authentication=Active Directory MSI; User Id={ObjectIdOfManagedIdentity}; Initial Catalog={db};"

// For User Assigned Managed Identity
"Server:{serverURL}; Authentication=Active Directory Managed Identity; User Id={ObjectIdOfManagedIdentity}; Initial Catalog={db};"

Dev Notes:
No new dependency is added to driver.
This feature is supported with direct Rest API calls to IMDS and Identity endpoints (as MSSQL JDBC driver)

Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http

[David-Engel]

We also need to provide an synonym "ActiveDirectoryMSI" for the authentication keyword value to align the connection string with what all our other drivers use. The other drivers will eventually add a synonym for "ActiveDirectoryManagedIdentity".

[sopelt]

Hi @cheenamalhotra ,

this looks very nice for production. For local development and non-MSI AAD scenarios I was hoping for some support via Azure.Identity. What are your thoughts on that?

Thanks!

[cheenamalhotra]

Hi @sopelt

We've discussed that internally and we'd have loved to do that if that was feasible. As of now we could not take dependency on Azure.Identity as it's partially compatible with our driver and does not support .NET Framework 4.6 that SqlClient does. We'd be able to support that in a future version hopefully by taking a leap on the lowest Full Framework version SqlClient supports.

As of this feature and upcoming stable v2.1, Visual Studio (for local development) and Azure CLI (for non-MSI implicit) based token support shall remain unsupported.

[ericsampson]

@cheenamalhotra I'd also love Azure.Identity support for seamless localdev.

Once this PR is in, what is the recommended way to connect in localdev using the VS/CLI token stores?

[cheenamalhotra]

@ericsampson

You would be able to override our implementation of "Active Directory Managed Identity" authentication provider with your own class that implements "SqlAuthenticationProvider" and register it in your application by calling "SetProvider" API.

There you can simply acquire token from Azure.Identity library when implementing "AcquireTokenAsync", using "DefaultAzureCredential" as they support .NET Core and .NET Framework 4.6.1+ and their "GetToken" API does the following, as you can find documented:

The following credential types if enabled will be tried, in order:

• EnvironmentCredential
• ManagedIdentityCredential
• SharedTokenCacheCredential
• VisualStudioCredential
• VisualStudioCodeCredential
• AzureCliCredential
• InteractiveBrowserCredential

Once you call SetProvider, all future connection requests for "Active Directory Managed Identity" authentication mode from driver will go through your implementation using same connection strings.

[ericsampson]

@cheenamalhotra thanks for the notes, that seems doable.

Is there an existing "Extensions" NuGet package that it would be possible to put something like that code in, where it would be OK to have the Identity library dependency?
I was just thinking that if so, I could make a PR so that everyone could take advantage of the functionally.

[chamikasandamal]

Is this available now with 3.x or 5.x?

[ErikEJ]

There is no version 5 of this provider.

This feature is available in 3.0 preview, which will RTM quite soon, and this version work with both .nEt Core 3 and .Net 5