
Support regional ESTS (ests-r)


Problem

AAD is adding support for regional STS (ESTSR). Currently only the S2S (client_credentials) flow is supported, and it is available via opt-in (1st party only for now). Although a DNS-only solution is preferred, this is not practical. The client SDK needs to help route the traffic to the regional authority.

Goals

  1. Provide an API that allows traffic to be routed to a regional authority (P0)
  2. Help developers detect the region (P1)
  3. Existing telemetry needs to work. We must detect if user region != detected region and report it via telemetry.

Proposal


// If the app knows its region, use it: MSAL cannot reliably detect it.
// Config.Region stands for the app's own configuration (null when unknown);
// AttemptRegionDiscovery asks MSAL to try auto-detection instead.
string region = Config.Region ?? ConfidentialClientApplication.AttemptRegionDiscovery;

var cca = ConfidentialClientApplicationBuilder.Create(clientId)
    .WithAuthority(AzureCloud.PublicCloud)   // proposed overload taking the cloud instance
    .WithRegion(region)                       // proposed API: route traffic to the regional authority
    .Build();

Behavior

  • if region is null, ignore it
  • if the cloud is the PUBLIC cloud, use {region}.microsoft.com
  • otherwise, use {region}.environment
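
The routing rule from the Behavior list and the region-mismatch check from goal 3, written out as an added Python example (not MSAL.NET code). It assumes login.microsoftonline.com as the global public-cloud authority host, a "TryAutoDetect" sentinel standing in for AttemptRegionDiscovery, and a caller-supplied detect() callback for region discovery.

```python
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit, urlunsplit

# Assumptions (not from the issue): the global public-cloud authority host, and a
# sentinel standing in for ConfidentialClientApplication.AttemptRegionDiscovery.
PUBLIC_CLOUD_HOST = "login.microsoftonline.com"
ATTEMPT_REGION_DISCOVERY = "TryAutoDetect"


def regional_authority(authority: str, region: Optional[str]) -> str:
    """Apply the issue's Behavior list to an authority URL.

    region is None      -> authority unchanged
    public cloud host   -> {region}.microsoft.com (as written in the proposal)
    any other cloud     -> {region}.<original host>
    """
    if not region:
        return authority
    parts = urlsplit(authority)
    host = parts.hostname
    if parts.scheme != "https" or not host:
        raise ValueError("authority must be an absolute https URL")
    new_host = f"{region}.microsoft.com" if host == PUBLIC_CLOUD_HOST else f"{region}.{host}"
    if parts.port is not None:  # keep an explicit port if one was given
        new_host = f"{new_host}:{parts.port}"
    return urlunsplit((parts.scheme, new_host, parts.path, parts.query, parts.fragment))


@dataclass(frozen=True)
class RegionTelemetry:
    """Goal 3: what the app configured vs. what was detected, and whether they differ."""
    configured: Optional[str]  # region the app supplied (None if absent or auto-detect)
    detected: Optional[str]    # region discovery result (None if discovery failed)
    used: Optional[str]        # region actually used for routing (None = global authority)

    @property
    def mismatch(self) -> bool:
        return (self.configured is not None and self.detected is not None
                and self.configured.lower() != self.detected.lower())


def resolve_region(configured: Optional[str],
                   detect: Callable[[], Optional[str]]) -> RegionTelemetry:
    """The app's region wins when given; AttemptRegionDiscovery defers to detect().
    Discovery runs in both cases so a configured/detected mismatch can be reported."""
    detected = detect()
    if configured == ATTEMPT_REGION_DISCOVERY:
        return RegionTelemetry(configured=None, detected=detected, used=detected)
    return RegionTelemetry(configured=configured, detected=detected, used=configured)
```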

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 12 (7 by maintainers)

Top GitHub Comments

henrik-me commented, Mar 26, 2021 (1 reaction)

@jabbera, thanks for the added details to your question. Networking issues, including DNS issues, are not covered by this change; for DNS and network handling we allow you to pass in an HttpClientFactory where you can do what is right for your service to mitigate those issues (e.g. small outages to DNS would typically not be felt, as DNS is cached on the node and only refreshed at certain intervals; you can decide which interval is right for your scenario).

Two other perspectives that regional and MSAL in general help with for the scenario you are describing are:

  1. MSAL has tokens in the cache, and depending on the outage period and the lifetime of the token there will be less of a need to call AAD for a token, which mitigates the case where, say, just AAD in the region is down.
  2. AAD regional also has lots of failure modes covered, including a gateway in front of it which can re-direct traffic as needed.

Hope this helped bring some perspectives to the question you raised. Please also feel free to share what you believe should happen and how it can be done.

henrik-me commented, Mar 26, 2021 (1 reaction)

@jabbera : Not sure exactly what you mean. Can you please provide more context to the question?

Region means the traffic will stay in the region, thus impacts from other regions, or even global impacts, will not affect a service running in another region.
