
Authentication provider for 'Active Directory Interactive' should maintain access token cache globally #989

Closed
Rookian opened this issue Mar 16, 2021 · 6 comments · Fixed by #1043

Comments

Rookian commented Mar 16, 2021

Is your feature request related to a problem? Please describe.

For now we have used Azure CLI and Azure.Identity to use AAD authentication when working locally. We used 'az login' and we could then start and restart several of our services without logging in again and again.
With this solution we have had to gain an access token for a SqlConnection manually.

With the new Authentication provider 'Active Directory Interactive' we don't need to take care of access token handling anymore.
Unfortunately we now have to log in every time we start a service. So it seems that the access token is cached only within the current application instance.
We can't use 'Active Directory Integrated', because of MFA.

Describe the solution you'd like

It would be nice if 'Active Directory Interactive' worked like Azure CLI (az login), where we only have to log in once in a while.

e.g. When I run 2 or more applications at once or I restart my application(s), I only want to login once.

@cheenamalhotra
Member

Hi @Rookian

This has been considered with issue #616 where we will bring in direct support of Azure.Identity and a new option would be provided to fetch "DefaultAzureCredential" from client environment.

In the meantime, you can follow this approach: #730 (comment) with the latest Microsoft.Data.SqlClient driver.

Since we're tracking this change with #616, is there anything else you'd need help with?

@Basssiiie

Hello @Rookian, did this global cache fix for 'Active Directory Interactive' work for you? For me it does not seem to be cached and I have to log in every time I start the application, like you originally described.

Currently 'Active Directory Default' is not feasible for me either, as it does not include the interactive mode enabled as last fallback.

Thank you for your time. 🙂

@David-Engel
Contributor

@Basssiiie The built-in "cache" for Active Directory Interactive is only in the scope of the process. So if you restart your application, the driver's cache is gone. There is another feature request to provide an API that will allow applications to define their own cache that can persist across processes. #1895

@Basssiiie

@David-Engel Thank you for your reply. Would it be possible to configure a global cache with #1895 purely through the connection string or do we need custom code in the application for that as well?

My use case is that I would like an easy-to-use connection string that uses the developer's AD account (so we can disable SQL accounts) and that would work for all our developers, regardless of whether they use VS, VSCode, Rider or another tool. We also have a microservice project, and currently the AD Interactive prompt gets triggered for every microservice the developer starts, on every startup. 🙂

@David-Engel
Contributor

@Basssiiie You would need custom code. But it sounds like Active Directory Default would be the closest thing to what you are asking for. It uses Azure.Identity's DefaultAzureCredential under the covers, which traverses a chain of credentials, trying various known, cached credentials (excluding Interactive as MDS disables that to avoid UI issues in headless apps):
https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet
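As an added example of the "custom code" route (this is not code from this issue, from the #730 comment, or from the Microsoft.Data.SqlClient project): a custom `SqlAuthenticationProvider` registered for 'Active Directory Interactive' that delegates to Azure.Identity's `InteractiveBrowserCredential` configured with its persistent, OS-encrypted token cache and a saved `AuthenticationRecord`. The driver's built-in cache lives only for the process, as described above; with this provider the browser sign-in happens once per machine and user, and later processes, including several microservices started together, obtain tokens silently. The cache name, the record file path and the connection string are placeholders.

```csharp
// Added example, not code from Microsoft.Data.SqlClient or from this issue.
// Assumes the Microsoft.Data.SqlClient and Azure.Identity packages are referenced.
#nullable enable
using System;
using System.IO;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;

public sealed class PersistentInteractiveProvider : SqlAuthenticationProvider
{
    // Name of the encrypted per-user token cache (DPAPI / Keychain / libsecret) shared by
    // every process on this machine that registers this provider. Placeholder name.
    private const string CacheName = "MyCompany.SqlDevCache";

    // The AuthenticationRecord stores only account identifiers (no tokens or secrets),
    // so keeping it in a plain file in the user profile is acceptable. Placeholder path.
    private static readonly string RecordPath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), ".sqldev-auth-record.json");

    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private InteractiveBrowserCredential? _credential;

    public override bool IsSupported(SqlAuthenticationMethod authenticationMethod) =>
        authenticationMethod == SqlAuthenticationMethod.ActiveDirectoryInteractive;

    public override async Task<SqlAuthenticationToken> AcquireTokenAsync(SqlAuthenticationParameters parameters)
    {
        // The driver hands us a resource URI; Azure.Identity wants the ".default" scope form.
        string scope = parameters.Resource.EndsWith("/")
            ? parameters.Resource + ".default"
            : parameters.Resource + "/.default";
        var context = new TokenRequestContext(new[] { scope });

        // Build the credential once per process; concurrent connection opens must not each prompt.
        await _gate.WaitAsync().ConfigureAwait(false);
        try
        {
            _credential ??= await BuildCredentialAsync(context).ConfigureAwait(false);
        }
        finally
        {
            _gate.Release();
        }

        // With a usable refresh token in the persistent cache this returns without any UI.
        // If the cached session has expired or been revoked, the credential prompts again.
        AccessToken token = await _credential.GetTokenAsync(context, CancellationToken.None).ConfigureAwait(false);
        return new SqlAuthenticationToken(token.Token, token.ExpiresOn);
    }

    private static async Task<InteractiveBrowserCredential> BuildCredentialAsync(TokenRequestContext context)
    {
        var options = new InteractiveBrowserCredentialOptions
        {
            TokenCachePersistenceOptions = new TokenCachePersistenceOptions { Name = CacheName },
        };

        if (File.Exists(RecordPath))
        {
            // A previous process already signed in: reuse the account so the lookup in the
            // shared cache is silent.
            using FileStream stream = File.OpenRead(RecordPath);
            options.AuthenticationRecord = await AuthenticationRecord.DeserializeAsync(stream).ConfigureAwait(false);
            return new InteractiveBrowserCredential(options);
        }

        // First run for this user on this machine: one browser sign-in, then remember the account.
        var credential = new InteractiveBrowserCredential(options);
        AuthenticationRecord record = await credential.AuthenticateAsync(context).ConfigureAwait(false);
        using (FileStream stream = File.Create(RecordPath))
        {
            await record.SerializeAsync(stream).ConfigureAwait(false);
        }
        return credential;
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Register once at startup; the driver then calls this provider instead of its built-in one.
        SqlAuthenticationProvider.SetProvider(
            SqlAuthenticationMethod.ActiveDirectoryInteractive, new PersistentInteractiveProvider());

        // Placeholder connection string: no password, the token comes from the provider.
        const string connectionString =
            "Server=tcp:<server>.database.windows.net;Database=<db>;Authentication=Active Directory Interactive;Encrypt=True;";
        using var connection = new SqlConnection(connectionString);
        await connection.OpenAsync();
        Console.WriteLine($"Connected; server version {connection.ServerVersion}");
    }
}
```

The persistent cache is only created when the platform offers an encrypted store; on a Linux box without a keyring Azure.Identity refuses to persist rather than writing tokens to disk unencrypted, and the `UnsafeAllowUnencryptedStorage` opt-out should stay off on developer machines. The provider is registered per process, so it still has to be part of each service's startup code, which is the "custom code" mentioned above; what it removes is the repeated browser prompt, not the registration.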

@Basssiiie

Basssiiie commented Sep 18, 2024

@David-Engel Yeah Azure Directory Default would work best at the moment, though it is too bad the interactive mode cannot be toggled/enabled as a fallback here if all other options fail.
