Can user use certificate which private key is on AWS cloud HSM?
Logs and Network traces
This is a question from https://github.com/Azure/azure-powershell/issues/14814. The user stores the certificate, but the private key is on AWS CloudHSM. When the user logs in with the certificate thumbprint, the private key cannot be found. The trace is below. Is it supported?
Which Version of MSAL are you using ?
Microsoft.Identity.Client.Extensions.Msal 2.16.6.0
Platform
netcore
What authentication flow has the issue?
- Desktop / Mobile
- Interactive
- Integrated Windows Auth
- Username Password
- Device code flow (browserless)
- Web App
- Authorization code
- OBO
- Daemon App
- Service to Service calls
Other? - please describe;
Is this a new or existing app?
Repro
var your = (code) => here;
Expected behavior A clear and concise description of what you expected to happen (or code).
Actual behavior A clear and concise description of what happens, e.g. exception is thrown, UI freezes
Possible Solution
Additional context/ Logs / Screenshots
Message : The certificate certificate does not have a private key.
StackTrace : at Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.WithCertificate(X509Certificate2 certificate)
at Azure.Identity.MsalConfidentialClient.<CreateClientAsync>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Threading.Tasks.ValueTask`1.get_Result()
at Azure.Identity.MsalClientBase`1.<GetClientAsync>d__16.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Identity.MsalConfidentialClient.<AcquireTokenForClientAsync>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Identity.ClientCertificateCredential.<GetTokenAsync>d__22.MoveNext()
Exception : Microsoft.Identity.Client.MsalClientException
InvocationInfo : {Connect-AzAccount}
Line : Connect-AzAccount -ServicePrincipal -CertificateThumbprint $cert.ThumbPrint -ApplicationID $sp.ApplicationID -Tenant $TenantID
Position : At line:1 char:1
+ Connect-AzAccount -ServicePrincipal -CertificateThumbprint $cert.Thum ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Top GitHub Comments
I’ll let @dingmeng-xue chime in for the operations available in PowerShell. Note that PowerShell’s Connect-AzAccount is a higher-level API over MSAL. MSAL is the identity SDK, but it is somewhat low-level. Service principals, which can call Graph with app permissions, are part of the confidential client OAuth flows. Confidentiality is ensured by the fact that the machine making the call has a dedicated / confidential connection to the token issuer (AAD). So you should only deploy the cert onto server-side / back-end machines. User machines cannot ensure confidentiality.
If you want to explore using MSAL directly, which would allow you more control over the signing operations, please have a look at:
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Client-credential-flows (there is a sample at the bottom of the page)
and for full control over the signing operation:
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Client-Assertions#signed-assertions
Thanks for the detailed response @bgavrilMS. The challenge we are trying to solve is that it’s not really possible to ensure confidentiality even on a server machine without the HSM. With the HSM we can ensure that not even a machine admin could take the private key and use it outside of the environment. We’ll take a look at the options for taking full control of the signing operations.
Thanks again. We really appreciate your time.
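The signed-assertion route the maintainer links to, written out as an added C# example (not code from the issue, MSAL or Azure PowerShell): only the certificate's public half is loaded locally, and the RS256 signature comes from the HSM through an Rs256Signer delegate. The delegate and the HsmClientAssertion class are assumptions; the MSAL builder calls are the library's real API.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Assumed HSM hook (not an MSAL API): receives the ASCII bytes of "header.payload" and
// returns the raw RS256 signature computed inside the HSM (e.g. over PKCS#11), so the
// private key never leaves the device.
public delegate byte[] Rs256Signer(byte[] signingInput);

public static class HsmClientAssertion
{
    // JWT base64url: URL-safe alphabet, no padding.
    static string B64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Builds the client assertion JWT that AAD checks against the certificate registered
    // on the app. 'cert' carries only the public part, so WithCertificate's private-key
    // requirement (the exception in the trace above) never comes into play.
    public static string Build(string clientId, string tenantId,
                               X509Certificate2 cert, Rs256Signer sign)
    {
        var now = DateTimeOffset.UtcNow;
        // x5t is the base64url SHA-1 thumbprint; GetCertHash() returns that SHA-1 hash.
        var header = new { alg = "RS256", typ = "JWT", x5t = B64Url(cert.GetCertHash()) };
        var payload = new
        {
            aud = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token",
            iss = clientId, sub = clientId,
            jti = Guid.NewGuid().ToString(),              // unique per assertion (replay check)
            nbf = now.ToUnixTimeSeconds(),
            exp = now.AddMinutes(10).ToUnixTimeSeconds(), // keep the assertion short-lived
        };
        string signingInput = B64Url(JsonSerializer.SerializeToUtf8Bytes(header)) + "." +
                              B64Url(JsonSerializer.SerializeToUtf8Bytes(payload));
        byte[] signature = sign(Encoding.ASCII.GetBytes(signingInput));
        return signingInput + "." + B64Url(signature);
    }

    // Client credentials flow with the externally signed assertion in place of
    // WithCertificate. Assertions expire, so build a fresh one per token request.
    public static async Task<string> AcquireTokenAsync(string clientId, string tenantId,
                                                       X509Certificate2 cert, Rs256Signer sign)
    {
        var app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .WithClientAssertion(Build(clientId, tenantId, cert, sign))
            .Build();
        var result = await app.AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" }).ExecuteAsync();
        return result.AccessToken;
    }
}
```

For a local dry run before wiring in the HSM, a stand-in signer over an in-memory RSA key whose certificate is registered on the app is `data => rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)`; swapping that delegate for the HSM-backed one is the only change needed in production.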