
[Identity] Implement Continuous Access Evaluation #13156

Closed
sadasant opened this issue Jan 12, 2021 · 1 comment · Fixed by #13888
Labels: Azure.Identity; blocking-release (Blocks release); Client (This issue points to a problem in the data-plane of the library.)

sadasant (Contributor) commented Jan 12, 2021

You can see the Python changes here: https://github.com/Azure/azure-sdk-for-python/compare/feature/cae

Here's the one for .Net: https://github.com/schaabs/azure-sdk-for-net/tree/feature/caesupport

Here's the full documentation of the Continuous Access Evaluation authentication flow: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation

ramya-rao-a (Contributor) commented

Feedback from API review for API alignment copied over from #14787

  • Change "authenticate" for "authorize" in the challenge callbacks.
  • Do not pass challenge: string on authenticateRequestOnChallenge, pass the whole response through ChallengeCallbackOptions.
  • Do not expose the default callbacks on the public API.

jeremymeng pushed a commit that referenced this issue Apr 26, 2021
This PR adds Continuous Assessment Evaluation (CAE) support to core-rest-pipeline.

CAE support at the core level is about the following:

- Some way to pre-process requests.
- Some way to identify challenges.
- Some way to process challenges.
- Some way to handle the challenges, for example, use "scope" and "claims" from the challenges in the subsequent calls to retrieve access tokens.

For more information about CAE, see https://docs.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation

The changes this PR introduces:

- Add a new `bearerTokenChallengeAuthenticationPolicy` that provides a skeleton of handling CAE flow. There are two extensible points: `authorizeRequest` and `authorizeRequestOnChallenge` callbacks.
  - `authorizeRequest` allows customizing the policy to alter how it authorizes a request before sending it. By default when no callbacks are specified, this policy has the same behavior as `bearerTokenAuthenticationPolicy`. It will retrieve the token from the underlying token credential, and if it gets one, it will cache the token and set it to the outgoing request.
  - `authorizeRequestOnChallenge`, which gets called only if we've found a challenge in the response. This callback has access to the original request and its response and is expected to handle the challenge. If this callback returns true, the request, usually updated after handling the challenge, will be sent again. If this callback returns false, no further actions will be taken.

Fixes #13156
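The two-callback shape the commit message describes, modelled end to end as an added example written for this page; it is not code from `@azure/core-rest-pipeline` or `@azure/identity`. The `PipelineRequest`/`TokenCredential` shapes, `FakeCredential`, `fakeTransport`, the sample claims JSON and the `.invalid` URLs are all constructed here so the round trip runs offline: the first request goes out with a plain token, the service answers 401 with a `WWW-Authenticate: Bearer ... error="insufficient_claims", claims="<base64url>"` challenge, the policy re-acquires a token with those claims and resends exactly once.

```typescript
// Added example (not azure-sdk-for-js code). All types and helpers below are
// invented for the illustration; only the challenge header format is the real one.

type Headers = Record<string, string>;
interface PipelineRequest { url: string; headers: Headers; }
interface PipelineResponse { status: number; headers: Headers; }
interface GetTokenOptions { claims?: string; }
interface TokenCredential {
  getToken(scopes: string[], options?: GetTokenOptions): Promise<string>;
}

// Parse the parameters of a "Bearer ..." WWW-Authenticate challenge into a map.
// Returns undefined for any non-Bearer scheme so callers never act on the wrong challenge.
export function parseBearerChallenge(header: string): Headers | undefined {
  const m = /^Bearer\s+(.*)$/i.exec(header.trim());
  if (!m) return undefined;
  const params: Headers = {};
  const re = /([A-Za-z_]+)="((?:[^"\\]|\\.)*)"/g;
  let kv: RegExpExecArray | null;
  while ((kv = re.exec(m[1])) !== null) {
    params[kv[1].toLowerCase()] = kv[2].replace(/\\(.)/g, "$1");
  }
  return params;
}

// CAE "claims" arrive base64url-encoded; the credential expects the JSON text.
// Node's "base64" decoder accepts the URL-safe alphabet, so no translation is needed.
export function decodeClaims(claims: string): string {
  return Buffer.from(claims, "base64").toString("utf8");
}

interface ChallengeCallbacks {
  authorizeRequest(req: PipelineRequest, scopes: string[], cred: TokenCredential): Promise<void>;
  authorizeRequestOnChallenge(req: PipelineRequest, res: PipelineResponse,
                              scopes: string[], cred: TokenCredential): Promise<boolean>;
}

// Default behaviour: attach a token before sending; on a claims challenge,
// re-acquire with the decoded claims and ask for one retry. Any other 401
// (no challenge, or a challenge without claims) is returned to the caller.
export const defaultCallbacks: ChallengeCallbacks = {
  async authorizeRequest(req, scopes, cred) {
    req.headers["authorization"] = `Bearer ${await cred.getToken(scopes)}`;
  },
  async authorizeRequestOnChallenge(req, res, scopes, cred) {
    const ch = parseBearerChallenge(res.headers["www-authenticate"] ?? "");
    if (!ch || ch["error"] !== "insufficient_claims" || !ch["claims"]) return false;
    const token = await cred.getToken(scopes, { claims: decodeClaims(ch["claims"]) });
    req.headers["authorization"] = `Bearer ${token}`;
    return true;
  },
};

export async function sendWithChallengePolicy(
  req: PipelineRequest, scopes: string[], cred: TokenCredential,
  next: (r: PipelineRequest) => Promise<PipelineResponse>,
  cb: ChallengeCallbacks = defaultCallbacks,
): Promise<PipelineResponse> {
  await cb.authorizeRequest(req, scopes, cred);
  const res = await next(req);
  // Retry at most once: a second challenge means the claims could not be
  // satisfied silently (the user must re-authenticate), and looping would hammer the STS.
  if (res.status === 401 && res.headers["www-authenticate"] &&
      (await cb.authorizeRequestOnChallenge(req, res, scopes, cred))) {
    return next(req);
  }
  return res;
}

// --- Constructed scenario (sample data, not captured traffic) ---
export const CLAIMS_JSON = '{"access_token":{"nbf":{"essential":true,"value":"1609459200"}}}';
const CLAIMS_B64URL = Buffer.from(CLAIMS_JSON).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Records every getToken call and issues a distinct token when claims are requested.
export class FakeCredential implements TokenCredential {
  public calls: GetTokenOptions[] = [];
  async getToken(_scopes: string[], options: GetTokenOptions = {}): Promise<string> {
    this.calls.push(options);
    return options.claims ? "token-with-claims" : "token-plain";
  }
}

// Challenges any request that does not carry the claims-bearing token.
export async function fakeTransport(req: PipelineRequest): Promise<PipelineResponse> {
  if (req.headers["authorization"] === "Bearer token-with-claims") return { status: 200, headers: {} };
  return { status: 401, headers: { "www-authenticate":
    `Bearer realm="", error="insufficient_claims", claims="${CLAIMS_B64URL}"` } };
}

export async function runScenario(): Promise<{ status: number; tokenCalls: GetTokenOptions[] }> {
  const cred = new FakeCredential();
  const req: PipelineRequest = { url: "https://example.invalid/resource", headers: {} };
  const res = await sendWithChallengePolicy(req, ["https://example.invalid/.default"], cred, fakeTransport);
  return { status: res.status, tokenCalls: cred.calls };
}

runScenario().then((r) => console.log(r));
```

The second `getToken` call receives the decoded claims JSON, which is what a CAE-aware credential needs in order to get a fresh token that satisfies the policy; a credential that ignores `claims` will simply return the same token and the single retry fails with the 401 intact, which is the safe failure mode.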
@github-actions github-actions bot locked and limited conversation to collaborators Apr 12, 2023