Skip to content

Support Subject Name/Issuer authentication#13350

Merged
chlowell merged 5 commits intoAzure:masterfrom
chlowell:sni
Sep 1, 2020
Merged

Support Subject Name/Issuer authentication#13350
chlowell merged 5 commits intoAzure:masterfrom
chlowell:sni

Conversation

@chlowell
Copy link
Member

@chlowell chlowell commented Aug 27, 2020

This leverages MSAL to support SNI auth with the sync CertificateCredential (closes #10816). I've tested this manually and will add a live test in a later PR. Adding equivalent support to the async CertificateCredential is tracked by #13349.

@chlowell chlowell added Client This issue points to a problem in the data-plane of the library. Azure.Identity labels Aug 27, 2020
@chlowell chlowell requested review from mccoyp and xiangyan99 August 27, 2020 00:43
@chlowell chlowell requested a review from schaabs as a code owner August 27, 2020 00:43
@chlowell chlowell requested a review from g2vinay August 27, 2020 00:44
xiangyan99
xiangyan99 reviewed Aug 28, 2020
View reviewed changes
sdk/identity/azure-identity/azure/identity/_credentials/certificate.py
# TODO: msal doesn't formally support passwords (but soon will); the below depends on an implementation detail
private_key = serialization.load_pem_private_key(pem_bytes, password=password, backend=default_backend())
client_credential = {"private_key": private_key, "thumbprint": hexlify(fingerprint).decode("utf-8")}
if kwargs.pop("send_certificate", False):
Copy link
Member

@xiangyan99 xiangyan99 Aug 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we do this only in
if kwargs.pop("send_certificate", False):
else:
private_key = serialization.load_pem_private_key(pem_bytes, password=password, backend=default_backend())
client_credential = {"private_key": private_key, "thumbprint": hexlify(fingerprint).decode("utf-8")}

Copy link
Member Author

@chlowell chlowell Aug 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need the private key and fingerprint in both cases. send_certificate=True means we need to include the cert content as well.

xiangyan99
xiangyan99 reviewed Aug 28, 2020
View reviewed changes
sdk/identity/azure-identity/azure/identity/_credentials/certificate.py
)


def extract_cert_chain(pem_bytes):
Copy link
Member

@xiangyan99 xiangyan99 Aug 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

public method?

Copy link
Member Author

@chlowell chlowell Aug 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Private package.

Copy link
Member

@xiangyan99 xiangyan99 Aug 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. But if we only want to use the method in this model, shouldn't we use _extract_cert_chain? Or we may want to use it in other models in the future?

@chlowell chlowell merged commit e2cac03 into Azure:master Sep 1, 2020
@chlowell chlowell deleted the sni branch September 1, 2020 16:14
iscai-msft added a commit to iscai-msft/azure-sdk-for-python that referenced this pull request Sep 2, 2020
@iscai-msft
Merge branch 'master' of https://github.com/Azure/azure-sdk-for-python
f7625ea 
…into link_om_sample

* 'master' of https://github.com/Azure/azure-sdk-for-python: (23 commits)
  Int32 serialization (Azure#13452)
  add output to opinion mining sample (Azure#13494)
  Add Document w/ Eng Sys Checks (Azure#13492)
  update version (Azure#13495)
  Remove resources post test (Azure#13379)
  bing_id -> bing_entity_search_api_id (Azure#13491)
  [EventGrid] Read me + improve docstrings (Azure#13484)
  Build AuthenticationRecords from ADFS identity tokens (Azure#13341)
  Support Subject Name/Issuer authentication (Azure#13350)
  Add KeyVaultAccessControlClient for data plane RBAC (Azure#13372)
  [text analytics] Add redacted_text (Azure#13449)
  add python sdk sample (Azure#13338)
  [text analytics] add versionadded sphinx documentation (Azure#13450)
  [text analytics] add bing_id property to LinkedEntity class (Azure#13446)
  fix typing for paging methods (Azure#13410)
  [text analytics] add domain_filter param (Azure#13451)
  fix issue Azure#11658 for is_valid_resource_id (Azure#11709)
  added create_table_if_not_exists method to table service client (Azure#13385)
  [ServiceBus] Test and failure improvements (Azure#13345)
  Proper encoding and decoding of source URLs - Fixes special characters in source URL issue (Azure#13275)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xiangyan99 xiangyan99 xiangyan99 approved these changes

@mccoyp mccoyp Awaiting requested review from mccoyp

@schaabs schaabs Awaiting requested review from schaabs

@g2vinay g2vinay Awaiting requested review from g2vinay

Assignees

No one assigned

Labels

Azure.Identity Client This issue points to a problem in the data-plane of the library.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support SubjectName/Issuer (SNI) authentication

2 participants

@chlowell @xiangyan99