-
Notifications
You must be signed in to change notification settings - Fork 292
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature | Introduce "Active Directory Default" authentication mode #1043
Conversation
src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/Common/DbConnectionStringCommon.cs
Outdated
Show resolved
Hide resolved
...crosoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs
Outdated
Show resolved
Hide resolved
That's a lot of boilerplate and repetition. It's be nice if it wasn't quite as complicated to plug in new authentication schemes. |
I will be working on merge for AAD stuff in another PR |
What is "Active Directory Default" - is that the one that works with Visual Studio etc? |
Yes. We acquire credential using DefaultAzureCredential from Azure Identity. This API uses all non-interactive token credential implementations sequentially that provide password-less solution for best security. It can also be seen as an extension to Managed Identity based authentication to allow developers to continue using same connection string in both dev and deploy environments. We named it Active Directory Default following the DefaultAzureCredential nomenclature. I'll update PR description tomorrow and we will definitely be documenting officially once it's released in GA 🙂 |
That's amazing! I've been building manual token acquisition and caching solutions in my apps to leverage AAD auth with managed identity, so it's fantastic to see it supported natively by the SQL driver. My only "grip" with this PR is that it doesn't provide the capability to select which sources to use: Visual Studio, VS Code, or the Azure CLI. I don't know in what order Azure.Identity tries them, but I could be logged in to the wrong account in the first source, and Azure.identity would pick this one. I understand it might be super hard / impossible to expose a way to "pick" sources through the connection string, but has it been considered? Something similar to |
Yes, as of this feature, this is only going to allow default settings of "DefaultAzureCredential", if you need more specialized authentication support, you may acquire token yourself with all the customization options this class already gives and pass the token directly to "SqlConnection.AccessToken" property. |
OK, thanks.
Does that mean that in the future more configuration options might be exposed through the SQL driver? |
@mderriey seems out of scope for SQL client, since you can always obtain access token yourself. |
One could argue that's also the case for the managed identity case, and the development time case that this PR addresses. The massive benefit of having it taken care of by the SQL client is that it also performs token caching, which Azure Identity doesn't do. All good, though, it's still going to make it so much easier for so many peeps, thanks for the great work. |
Hi @mderriey
This was chosen to be implemented as many customers migrating from System.Data.SqlClient were using App Authentication library which already handled multiple credentials, and migration lead to many issues (attached to PR) as there was no alternative to same experience. To universalize the authentication experience using Azure.Identity and multi-credential support using Active Directory Default our objective is to ease out migration and provide a developer friendly passwordless solution. |
src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/ConnectivityTests/AADConnectionTest.cs
Outdated
Show resolved
Hide resolved
doc/snippets/Microsoft.Data.SqlClient/SqlAuthenticationMethod.xml
Outdated
Show resolved
Hide resolved
Co-authored-by: Johnny Pham <[email protected]>
@cheenamalhotra thank you for this! Would a PR be accepted to allow the user to control which sources to use? One reason is that we (and other users) have to disable the VS/VSCode token source because of a bug in them when using an Azure tenant as an AAD Guest. Using Default as this is currently hardcoded won't work for us. Cheers!!! |
Here's some background (there are a number of issues created that have the same root cause): |
Please feel free to open a new feature request in this repo with all this information to request this support. We will prioritize based on community interest. 👍 |
@cheenamalhotra it looks like the issue that we (and others) are experiencing is planned on being fixed in Azure.Identity in Q3. Then the original question about allowing the ability to customize sources isn't needed. |
Sure, sounds good! |
This PR introduces a new SQL Authentication method "Active Directory Default". With this mode of authentication, the driver widens possibilities of user authentication, extending login solutions to Client environment, Visual Studio Code, Visual Studio, Azure CLI etc. It enhances developer experience for applications that will be deployed to Azure.
With this authentication mode, the driver uses "DefaultAzureCredential" from Azure Identity library to acquire access token. The driver enables below mentioned credential types, to be attempted to acquire access token, in below order:
Note that InteractiveBrowserCredential is disabled in the driver implementation of "Active Directory Default", and "Active Directory Interactive" continues to be the only method to acquire token using MFA/Interactive authentication.
Additional changes: