Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add integrated windows authentication support under public clients #652

Open
wants to merge 4 commits into
base: dev
Choose a base branch
from

Conversation

shajia-deshaw
Copy link

@shajia-deshaw shajia-deshaw commented Jan 22, 2024

Overview

Adds support for Integrated Windows Authentication similar to the Java/.NET clients.

Fixes: #31

@rayluo
Copy link
Collaborator

rayluo commented Jan 22, 2024

Thanks, @shajia-deshaw . Is there any way to test this? Can they be written into test cases?
Anyway, I'll leave this to @ashok672 for reviewing.

@shajia-deshaw
Copy link
Author

shajia-deshaw commented Jan 22, 2024

Sure @rayluo - I can add the test cases shortly (I had this tested with a driver script internally)

from msal import PublicClientApplication
app = PublicClientApplication(
    "<client_id>",
    authority="https://login.microsoftonline.com/<tenant_id>")
token = app.acquire_token_integrated_windows_auth("<upn>")
print(token)

@@ -172,6 +172,7 @@ class ClientApplication(object):
ACQUIRE_TOKEN_FOR_CLIENT_ID = "730"
ACQUIRE_TOKEN_BY_AUTHORIZATION_CODE_ID = "832"
ACQUIRE_TOKEN_INTERACTIVE = "169"
ACQUIRE_TOKEN_INTEGRATED_WINDOWS_AUTH_ID = "870"
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure how this number is mapped. I just added a random number for IWA btw.

@@ -243,7 +243,7 @@ def __add(self, event, now=None):
at["refresh_on"] = str(now + refresh_in) # Schema wants a string
self.modify(self.CredentialType.ACCESS_TOKEN, at, at)

if client_info and not event.get("skip_account_creation"):
if (client_info or iwa) and not event.get("skip_account_creation"):
Copy link
Author

@shajia-deshaw shajia-deshaw Jan 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The access token returned by IWA did not meet the criteria to be added as an ACCOUNT credential type in the TokenCache i.e. it didn't have client_info in the response. It was being added as a ACCESS_TOKEN credential type. The cache test in the e2e tests were failing because of it since the get_accounts() call didn't return anything and it assumed there was nothing being added to the cache. Hence, I added a special case of iwa to be added to the ACCOUNT credential type.

The other alternative is to add a method for get_access_tokens similar to get_accounts and use it to decide if we need to acquire new tokens silently for the items in cache.

@shajia-deshaw
Copy link
Author

Hello folks, just an update - I'm working with my employer to sign the CLA soon.

@shajia-deshaw
Copy link
Author

@microsoft-github-policy-service agree company="D. E. Shaw & Co., L.P."

@shajia-deshaw
Copy link
Author

Hello @ashok672 - Checking if you had a chance to review the PR? Thanks.

@velulev
Copy link

velulev commented Mar 13, 2024

Hello @ashok672 - Checking if you had a chance to review the PR? Thanks.

Hi @ashok672 , please let us know if there is anything else we can help on this with. Thanks.

@aschafs
Copy link

aschafs commented Oct 21, 2024

I just wanted to check if this PR was going to be reviewed and merged. We're very interested in getting IWA support in the msal python library. Thanks!

@bgavrilMS
Copy link
Member

bgavrilMS commented Oct 21, 2024

I don't think so, we are discussing to deprecate Integrated Windows Auth from all MSALs in favor of WAM (broker use). Integrated Windows Auth relies on SAML and HTTP level contracts which are easily broken by network changes, and this causes a lot of churn and support issues. WAM uses a different protocol (PRT) which is not affected.

@iulico-1 @localden - can you provide a perspective as scenario owners?

@rayluo
Copy link
Collaborator

rayluo commented Oct 21, 2024

I don't think so, we are discussing to deprecate Integrated Windows Auth from all MSALs in favor of WAM (broker use). Integrated Windows Auth relies on SAML and HTTP level contracts which are easily broken by network changes, and this causes a lot of churn and support issues. WAM uses a different protocol (PRT) which is not affected.

@iulico-1 @localden - can you provide a perspective as scenario owners?

For the sake of completeness, we had a similar conversation in the feature request issue with the contributor, who mentioned that IWA also works on Linux and that was part of the reason that they worked out this PR. That is a scenario that not currently satisfied by broker.

@shajia-deshaw
Copy link
Author

I don't think so, we are discussing to deprecate Integrated Windows Auth from all MSALs in favor of WAM (broker use). Integrated Windows Auth relies on SAML and HTTP level contracts which are easily broken by network changes, and this causes a lot of churn and support issues. WAM uses a different protocol (PRT) which is not affected.
@iulico-1 @localden - can you provide a perspective as scenario owners?

For the sake of completeness, we had a similar conversation in the feature request issue with the contributor, who mentioned that IWA also works on Linux and that was part of the reason that they worked out this PR. That is a scenario that not currently satisfied by broker.

Thanks @rayluo for adding context!

FTR, we've been using the patched version of MSAL with Kerberos / IWA flow for months in our internal linux services and applications -- Things have been working just fine.

However, we believe this could be a general enhancement in the upstream MSAL library, benefiting similar users, as evident from the comments on the issue/PR.

@localden
Copy link
Collaborator

Adding my perspective here - on Windows and macOS, we are indeed shifting to authentication brokers; however, that leaves Linux scenarios in the open and we will need to continue falling back on the vanilla API. I am not inherently opposed to having a native IWA implementation in MSAL Python, but we'd need to coordinate how it falls back to broker and when.

@ashok672 @iulico-1 - something for us to discuss.

azure_region=azure_region, client_credential=client_secret)
self.assertEqual(
self.app.get_accounts(username=username), [], "Cache starts empty")
result = self.app.acquire_token_integrated_windows_auth(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

acquire_token_integrated_windows_auth

I am not convinced we need to introduce Windows integrated Auth flow as a separate API.

Windows Integrated Auth is conceptually the same as functionality as default account that brokers (WAM) expose.

Can we follow the same pattern we did with OS account on .net ?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@iulico-1 - how is this going to work on Linux, where there is no WAM? We can't expect every customer to enroll their device either.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On linux there is no WIA also :) this api will just fail with UIRequired on linux without broker integration.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On linux there is no WIA also :) this api will just fail with UIRequired on linux without broker integration.

But the customer claimed otherwise.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A form of WIA can be setup on Linux.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, am I understanding correctly that we now agree on there is a need for Integrated Windows Auth (IWA, a.k.a. WIA) for Linux? And then this conversation is back to the original question, i.e. how the IWA shall be exposed in an API? Brainstorming time. :-)

  1. This PR's current implementation acquire_token_integrated_windows_auth(username, scopes) was probably inspired by MSAL .Net's dedicated IWA api.
    If we do not want IWA to be a dedicated API, we will need to fit it into other existing APIs. Such as:
  2. Modeling it as a ROPC but without a password acquire_token_by_username_password(username, password=None, scopes=[...]). This makes sense from the implementation standpoint, because the actual implementation already shares many building blocks (mex.py, wstrust_request.py) which are only used in ROPC code path.
  3. Modeling it as "the same pattern we did with OS account on .net Python", and that is acquire_token_interactive(scopes, login_hint="[email protected]", prompt="none")

Which one do we prefer?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rayluo @iulico-1 I think this fits best in the acquire_token_interactive flow, and the library can then determine that it's IWA based on parameter heuristics. This will also help reduce the API surfaces that customers have to navigate to use the capability, and simplify broker intergration.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello, is there anything that I can help with here? (Please feel free to leave any reviews)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Feature Request - IWA pass through capabilities - align with .net
8 participants