Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Support regional ESTS (ests-r)

See original GitHub issue

Problem

AAD is adding support for regional STS (ESTSR). Currently only S2S (client_credentials) flow and available via opt-in (1st party only for now). Although a DNS-only solution is preferred, this is not practical. The client SDK needs to help route the traffic to the regional authority.

Goals

Provide an API that allows traffic to be routed to a regional authority (P0)
Help developers detect the region (P1)
Existing telemetry needs to work. We must detect if user region != detected region and report it via telemetry.

Proposal


// if app knows the region, use it as MSAL cannot reliably detect it
string region = Config.Region ?? ConfidentialClientApplication.AttemptRegionDiscovery;

var cca = ConfidentialClientApplicationBuilder(client_id)
                  .WithAuthority(AzureCloud.PublicCloud)
                  .WithRegion(region)  
                  .Build();

Behavior

if region = null, ignore
if cloud is PUBLIC cloud, use {region}.microsoft.com
otherwise, use {region}.environment

Issue Analytics

State:
Created 2 years ago
Comments:12 (7 by maintainers)

Top GitHub Comments

1reaction

henrik-mecommented, Mar 26, 2021

@jabbera, thanks for the added details to your question. Networking issues including DNS issues are not covered with this change, for DNS and network handling we allow you to pass in a HttpClientFactory where you can do what is right for your service to mitigate those issues (e.g. small outages to DNS would typically not be felt as DNS is cached on the node and only refreshed at certain intervals, you can decide which interval would be the right for your scenario).

Two other perspectives that regional and MSAL in general helps with for the scenario you are describing is:

MSAL has tokens in the cache and depending on the outage period and the lifetime of the token there will be less of a need to call AAD for a token, and thus mitigates if say just AAD in the region is down.
AAD regional also have lots of failure modes covered, including a gateway in front of it which can re-direct traffic as needed.

Hope this helped bring some perspectives to the question you raised. Please also feel free to share what you believe should happen and how it can be done.

1reaction

henrik-mecommented, Mar 26, 2021

@jabbera : Not sure exactly what you mean. Can you please provide more context to the question?

Region means the traffic will stay in the region, thus impacts from other regions or even global will not impact a service running in a another region.

Top Results From Across the Web

Region discovery troubleshooting - MSAL.NET

In this article ... Azure AD has adding support for regional STS (ESTS-Regional). Currently only the service to service flow (client_credentials / ...

Xbox Supported Countries & Regions

Find a list of countries and regions where Xbox consoles, games, and services are supported. See what products are available in your country...

Sacramento Regional Transit Real Estate

Current Properties for Sale ... SacRT's Transit Oriented Development program seeks to create mixed-use and mixed-income equitable communities through development ...

Cambiar el país o la región de tu Apple ID

Consulta los Términos y condiciones de Apple Media Services. * Si no quieres ingresar un método de pago, espera a estar físicamente en...

Banking Services: Checking, Savings, Mortgage | Regions Bank

Regions offers a full spectrum of banking services. Visit us online or at one of our many bank branch locations for checking, savings,...