[Feature Request] instance aware support #2524
Comments
Makes sense for PCA, but what about confidential client? The work has been done on android/ios, but they only support PCA, as noted in the above list, all PCA related concepts. I thought our initial concern was for impact on CCA...?

@bgavrilMS we can add parameters to the auth code request, but I'm not familiar w/ instance aware, so would have to understand it better. For ASP.NET Classic, people would mainly be using MSAL.NET and ID Web only for the cache serialization and cert loading.

@bgavrilMS I think something like the query param can be added in

@pmaytak that's what I meant by "we can add parameters to the auth code request", but after reading about instance_aware, I have opened a separate work item in Id web, which @jmprieur can prioritize against the other items there. The work in id web is not related to, nor dependent on, the work to be done in MSAL.NET.
Additional MSAL.NET requests to consider are:

@pmaytak:
Reading the spec, it looks like this only works when contacting the /authorize endpoint or the /ws-trust endpoint (for IWA and some usages of ROPC), i.e. the response from these endpoints will tell us the sovereign authority. So when you contact the /token endpoint, we must target the correct authority. For AcquireTokenSilent the spec says there is nothing to do, as it is expected that the developer uses the IAccount and env of the interactive login, something like:

```csharp
AuthenticationResult result = AcquireTokenInteractive(PublicCloud); // user logs into German Cloud
// later: the silent call reuses the account and the authority that the interactive call actually ended up on
AcquireTokenSilent(account: result.Account, authority: result.Authority);
```

It is important to use the correct authority for silent flows. To me, the big question is how the developer code will look. You set a flag to true, but then what?

For Public Client

For Confidential Client

For Public Client, we can read the MSAL.Android code and have a chat with someone who knows about this scenario.
After meeting with the service, it turns out that:

Conclusion: we don't need to do the work
Instance Aware is an opt-in feature, so even if we choose to support it only via the brokers we need to enable it. As such we need to understand:

I'm pretty sure all that needs doing is to pass in "instance_aware=true" as extra query param. We should be sending the extra query params to all brokers, but this needs testing. For example, for WAM

I'm also unsure if we can say "supported only via brokers" since this creates a bad app developer experience. Our broker strategy is to fall back to browsers in case the broker is not available. In this case, the user will get an obscure error, as they will get an auth_code from German cloud but they try to redeem it against WW.
Let's get this going with priority for CCA.

@bgavrilMS The comments above mention "instance aware is not yet supported by the service for confidential client applications". Did something change?

Discussed offline with @bgavrilMS. Currently priority is to support instance_aware for AcquireTokenInteractive / AcquireTokenSilent on PCA using browser. Next step would be to get it to work when broker is used. It is a consistency item with Android and iOS SDKs.

@neha-bhargava - can you pls create a separate work item for brokers to keep track?
Feature 824881: [MSAL.NET] Sovereign cloud aware is supported by MSAL
If a client indicates that it's "instance_aware" then EVO will authenticate against the cloud associated with the account attempting to authenticate and will instruct the client library (MSAL) where to redeem the resulting authorization code for a token.
https://identitydivision.visualstudio.com/DevEx/_git/AuthLibrariesApiReview/pullrequest/1450?_a=files&path=%2F%5BXplat%5D%20Instance%20Aware%2Finstance_aware_flows.md
Auth Client spec: https://identitydivision.visualstudio.com/DevEx/_git/AuthLibrariesApiReview?path=%2F%5BXplat%5D%20Instance%20Aware%2Finstance_aware_flows.md&_a=contents&version=GBdev
.js implementation details:
MSAL.js v2: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/1804/files
Docs: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/instance-aware.md
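The following is an added example, not MSAL.NET or MSAL.js code and not written by anyone in this thread. It models the flow the issue body describes and the broker-fallback failure mode from the comments: the client adds `instance_aware=true` to the /authorize request, the cloud that owns the account issues the code and names itself in the redirect, and the client must redeem the code against that cloud's /token endpoint rather than the authority it was configured with. The hosts, users, client id, toy authorization/token servers and issued codes are all constructed; the redirect parameter name `cloud_instance_host_name` is taken from the MSAL.js implementation linked above and is assumed here to be what the service returns. The allow-list of known cloud hosts is an added defensive check: a client should never be steered to an arbitrary /token host by a value in a redirect.

```python
"""Toy model of the instance-aware authorization code flow (constructed example)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

WORLDWIDE = "login.microsoftonline.com"
GERMANY = "login.microsoftonline.de"  # constructed sovereign-cloud host for the example
KNOWN_CLOUDS = {WORLDWIDE, GERMANY}   # clouds the client is willing to redeem codes against

# Constructed registry: which cloud each account lives in, and the codes each cloud issued.
ACCOUNT_HOME_CLOUD = {"alice@contoso.de": GERMANY, "bob@contoso.com": WORLDWIDE}
ISSUED_CODES = {WORLDWIDE: {}, GERMANY: {}}


def build_authorize_url(authority_host, client_id, redirect_uri, state, instance_aware):
    """Client side: build the /authorize URL, adding the instance_aware flag as an extra query param."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    }
    if instance_aware:
        params["instance_aware"] = "true"
    return f"https://{authority_host}/common/oauth2/v2.0/authorize?" + urlencode(params)


def simulate_authorize(authorize_url, signed_in_user):
    """Toy /authorize: the account's home cloud issues the code; when the request was
    instance_aware, the redirect also carries cloud_instance_host_name (assumed name)."""
    q = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
    home = ACCOUNT_HOME_CLOUD[signed_in_user]
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[home][code] = q["client_id"]
    redirect = {"code": code, "state": q["state"]}
    if q.get("instance_aware") == "true":
        redirect["cloud_instance_host_name"] = home
    return q["redirect_uri"] + "?" + urlencode(redirect)


def simulate_token(token_host, code, client_id):
    """Toy /token: a cloud only redeems codes it issued itself, once."""
    if ISSUED_CODES[token_host].pop(code, None) != client_id:
        return {"error": "invalid_grant"}
    return {"access_token": f"constructed-token-from-{token_host}"}


def redeem_redirect(redirect_url, expected_state, configured_host, client_id, honor_cloud_hint=True):
    """Client side: verify state, choose the /token host, redeem the code.
    Returns (host used, token response)."""
    resp = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if resp.get("state") != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    hinted = resp.get("cloud_instance_host_name")
    if honor_cloud_hint and hinted:
        # Only follow the hint to a cloud we already know; never to an arbitrary host.
        if hinted not in KNOWN_CLOUDS:
            raise ValueError(f"unknown cloud host {hinted!r} in response; refusing to redeem there")
        token_host = hinted
    else:
        # Ignoring the hint is the failure mode from the thread: a code issued by the
        # German cloud gets redeemed against worldwide and is rejected.
        token_host = configured_host
    return token_host, simulate_token(token_host, resp["code"], client_id)


def run_flow(user, honor_cloud_hint):
    """End-to-end: app configured for worldwide, instance_aware=true, user from `user`'s home cloud."""
    client_id = "client-id-placeholder"
    state = secrets.token_urlsafe(8)
    url = build_authorize_url(WORLDWIDE, client_id, "https://localhost/cb", state, True)
    redirect = simulate_authorize(url, user)
    return redeem_redirect(redirect, state, WORLDWIDE, client_id, honor_cloud_hint)


if __name__ == "__main__":
    print(run_flow("alice@contoso.de", True))   # redeemed against the German cloud
    print(run_flow("alice@contoso.de", False))  # invalid_grant: hint ignored
```

Running it shows the two outcomes side by side: with the hint honoured the German account's code is redeemed at `login.microsoftonline.de`, and with the hint ignored the same code goes to the worldwide endpoint and comes back as `invalid_grant`, which is the "obscure error" the broker-fallback comment warns about. For a silent follow-up call the same host has to be carried forward with the account, which is why the thread stresses using the authority from the interactive result.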