[Feature Request] Service Fabric MI Auth doesn't validate server cert. #4462
Assignees
Comments
g2vinay
added
needs attention
pmaytak
removed
untriaged
|
We have agreed with Azure SDK to not extend the HttpClient factory for this. It is acceptable for MSAL use it's own HttpClient that doesn't go through the extensibility pipeline. Retry policies etc. are still required. |
|
@neha-bhargava - it's acceptable for this call to MSI to not use IHttpClientFactory / an HttpClient created externally. But try to find a way so as to keep the code path testable. If you need to make changes to HttpManager, please see @gladjohn 's PR on SLC first, as it has a sweeping refactor of that. Maybe it's worth pulling that refactor out. |
This was referenced Mar 5, 2024
Closed
|
Is this still blocked? |
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
MSAL client type
Managed identity
Problem Statement
Currently, MSAL .NET reads the Thumbprint from env but doesn't use it to validate the cert from the server in the transport layer.
This logic needs to be implemented.
Proposed solution
.NET Identity SDK does this, this logic can be ported from here:
https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/ServiceFabricManagedIdentitySource.cs#L55
Other languages
java: https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java#L1032
Py: (not implemented) https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/azure/identity/_credentials/service_fabric.py#L38
JS: (not implemented) https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/src/credentials/managedIdentityCredential/fabricMsi.ts#L128
The text was updated successfully, but these errors were encountered: