[FEATURE REQ] Add Integrated Windows Authentication support within TokenCredential interface
Library name
Azure.Storage.Blobs
Please describe the feature.
I am running into this issue with Azure.Storage.Blobs, but I believe this will be the case for other libraries accepting TokenCredential as well. I tried to make it work with Integrated Windows Authentication but failed to find the appropriate descendant of TokenCredential to supply into the constructor of BlobContainerClient. After asking a question on StackOverflow I was pointed to the migration guide, where IWA is marked as not supported.

I am not sure why Integrated Windows Authentication is not supported. This must be a pretty popular demand in the Enterprise world.

I ended up writing my own implementation of the TokenCredential interface:
```csharp
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Microsoft.Identity.Client;

internal class IwaCredential : TokenCredential
{
    private readonly IPublicClientApplication _application;
    private readonly string[] _scopes;

    public IwaCredential(IPublicClientApplication app, string[] scopes)
    {
        _application = app ?? throw new ArgumentNullException(nameof(app));
        _scopes = scopes ?? throw new ArgumentNullException(nameof(scopes));
    }

    private async Task<AuthenticationResult> AuthenticateAsync(string[] scopes, CancellationToken cancellationToken)
    {
        AuthenticationResult? result = null;

        // First try the MSAL token cache for an account it already knows about.
        var accounts = await _application.GetAccountsAsync();
        var account = accounts.FirstOrDefault();
        if (account != null)
        {
            try
            {
                result = await _application.AcquireTokenSilent(scopes, account).ExecuteAsync(cancellationToken);
            }
            catch (MsalUiRequiredException)
            {
                // No usable cached token; fall through to Integrated Windows Authentication.
            }
        }

        // Nothing cached: authenticate as the currently logged-on Windows user.
        result ??= await _application.AcquireTokenByIntegratedWindowsAuth(scopes).ExecuteAsync(cancellationToken);
        return result;
    }

    private async Task<AccessToken> GetAccessTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
    {
        // Honour the scopes the calling client requested; fall back to the configured ones.
        var scopes = requestContext.Scopes is { Length: > 0 } ? requestContext.Scopes : _scopes;
        var authResult = await AuthenticateAsync(scopes, cancellationToken);
        return new AccessToken(authResult.AccessToken, authResult.ExpiresOn);
    }

    public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
    {
        // Synchronous entry point: block on the async path.
        return GetAccessTokenAsync(requestContext, cancellationToken).GetAwaiter().GetResult();
    }

    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
    {
        return new ValueTask<AccessToken>(GetAccessTokenAsync(requestContext, cancellationToken));
    }
}
```
Now we are able to supply it into BlobContainerClient (or other):
```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using Azure.Storage.Blobs;
using Microsoft.Identity.Client;

static async Task UploadAsync(string localFilePath)
{
    var appOptions = new PublicClientApplicationOptions
    {
        ClientId = "...",
        TenantId = "...",
    };
    var app = PublicClientApplicationBuilder.CreateWithApplicationOptions(appOptions).Build();
    var cred = new IwaCredential(app, new string[] { "https://storage.azure.com/user_impersonation" });
    var client = new BlobContainerClient(new Uri("https://foobar.blob.core.windows.net/upload"), cred);

    // obtain your file...
    await using var file = File.OpenRead(localFilePath);
    var res = await client.UploadBlobAsync("prefix/my.file", file);
    Console.WriteLine(res.Value.ETag);
}
```
I ask you to please include an equivalent of the IwaCredential above in the standard Azure.Identity.
See also my question on StackOverflow (and comments).
Issue Analytics
- State:
- Created a year ago
- Comments: 7 (3 by maintainers)
Top GitHub Comments
See also #12219 where you promise to close the gap to AppAuthentication. Funny that Microsoft abandons their own enterprise platform and its paying users.
Thank you for your feedback. Tagging and routing to the team member best able to assist.