Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: Add On-Behalf-Of (OBO) Auth Flow for the Microsoft Graph Team #15804

Closed
joshfree opened this issue Jun 17, 2021 · 4 comments · Fixed by #17137
Closed

Feature: Add On-Behalf-Of (OBO) Auth Flow for the Microsoft Graph Team #15804

joshfree opened this issue Jun 17, 2021 · 4 comments · Fixed by #17137
Assignees
@sadasant
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. feature-request This issue requires a new behavior in the product in order be resolved.
Milestone
[2021] September

Comments

@joshfree
Copy link
Member

The OAuth 2.0 On-Behalf-Of flow (OBO) serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform, on behalf of the user.

Related Links:
Prototype: jongio/azidext#41
Documenation: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
.NET Design: https://gist.github.com/christothes/15b9903f7da0954aee166166a8fa1919
MS Graph Team's tracking issue: microsoftgraph/msgraph-sdk-java-core#132
@joshfree joshfree added Client This issue points to a problem in the data-plane of the library. Azure.Identity feature-request This issue requires a new behavior in the product in order be resolved. labels Jun 17, 2021
@joshfree joshfree added this to the [2021] August milestone Jun 17, 2021
This was referenced Jun 17, 2021
Closed
Closed
Closed
Closed
@sadasant
Copy link
Contributor

.NET’s PR: Azure/azure-sdk-for-net#22146

@sadasant
Copy link
Contributor

sadasant commented Aug 6, 2021

Here’s the design proposals I’m proposing to the architects: https://gist.github.com/sadasant/ece98248cb8cd2df5edd03ab92749f35

@xirzec , @chradek , @bterlson , when you have the time, your feedback is appreciated.

cc: @schaabs

@sadasant
Copy link
Contributor

After discussing the designs with @xirzec , we believe the “swapping credentials” approach to be the most promising one. I will be working on a pull request.

This was referenced Aug 13, 2021
Closed
Closed
@sadasant sadasant mentioned this issue Aug 25, 2021
Closed
@sadasant
Copy link
Contributor

sadasant commented Aug 25, 2021
edited
Loading

Update:

  • Today we had a meeting regarding edge cases on OBO, and there are some questions to answer, like how to approach LROs (which is simpler in JS than in other languages), and what to do with AMQP clients.
  • We’ve decided to push the advanced OBO approach (with the authenticationOptions) outside of our October GA.
  • I’ll be making a PR soon with the most simple OBO credential, one that just receives all of the parameters on the constructor and passes them to MSAL, without more complexity.
  • In a future Milestone, I’ll come back with more information regarding the advanced OBO credential.

Based on that, I’ll move these issues to the backlog:

This was referenced Aug 25, 2021
Closed
Closed
Merged
@github-actions github-actions bot locked and limited conversation to collaborators Apr 11, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@sadasant sadasant

Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. feature-request This issue requires a new behavior in the product in order be resolved.
Projects
None yet
Milestone
[2021] September
Development

Successfully merging a pull request may close this issue.

[Identity] Simple OnBehalfOfCredential sadasant/azure-sdk-for-js
2 participants
@sadasant @joshfree