Support plain text file cache fallback in headless linux #410
Comments
But @kyle-rader-msft wouldn't that be a security issue as it's plain text? |
I don't think this is a security issue that outweighs the experience and risk of training employees to click log in because every single action requires a prompt.
The Git Credential Manager has already set a precedent for this plain text fallback method, and on Linux the text file can have permissions set to only the current user. Linux machines are also now managed devices; to get to the Linux machines we want to use this on, you have to MFA into the Wave Work system to begin with.
Also note that while access tokens can be exfiltrated, they are short lived, and defense in depth has helped break apart what any bad actor can do with a single access token, given they are short lived, and better scoped. Refresh tokens from that cache are bound to the computer they were issued for and will not work from any new location or machine.
Kyle Rader (he/him<https://www.mypronouns.org/what-and-why>)
Microsoft.Azure.AHSI.SCHIE.DPU-SDK
|
Hey @kyle-rader-msft , I am Huijing.
Am I reading your feature request correctly that you want us to persist the access token in a plain-text file, just like what Git Credential Manager does? |
Not just the access token, but the MSAL cache, yes. If the normal MSAL cache persistence check fails, and we're running on Linux, enable using a plain text file fallback as the cache source. This file can be created with permissions only for the current user.
The normal KeyRing cache mechanism on Linux requires a UI, and in Azure, Wave Workspaces are powered via SSH connections to your Linux VM remotely in VSCode. The web auth flow works just fine and is propagated to the host already, but the cache persistence check fails, resulting in a prompt on every invocation.
|
Allowing an opt-in to plaintext credential caching is fine IMO, though I'm not confident enough in the space to want to suggest making it default behavior. Perhaps naming the setting something like "allow plaintext cache storage"? Ultimately, as long as the cache file itself is only user-readable (and not group/world-readable), then that seems pretty reasonable to me. |
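Kyle's proposal (a fallback file created with permissions only for the current user) and the condition in the comment above (the file must be user-readable only, not group/world-readable) come down to the same two checks: create the file as 0600 from the start, and refuse to read an existing file whose mode or ownership is wrong. The block below is an added example written for this thread; it is not azureauth's or MSAL's own code. The file name, the temp-directory layout and the JSON payload are assumptions, and the payload is a constructed stand-in for a real MSAL cache.

```python
"""Added example, not azureauth/MSAL code: a plaintext cache fallback that is
created owner-only (0600) and is never read back if it has been made
group/world accessible, replaced by a symlink, or taken over by another user.
Linux/POSIX only, matching the headless-Linux scenario in the issue."""
import os
import stat
import tempfile


def write_cache(path: str, data: bytes) -> None:
    """Write the cache so it is never observable with permissive bits.

    mkstemp() creates the temporary file with mode 0600 regardless of umask,
    the bytes are fsync'ed, and os.replace() swaps it into place atomically,
    so a concurrent reader sees either the old file or the complete new one.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".cache-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o600)  # explicit: owner read/write only
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise


def cache_file_is_private(path: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only for a regular file owned by the
    current user with no group/other permission bits. lstat() is used so a
    symlink planted at the cache path is rejected rather than followed."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, "missing"
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != os.geteuid():
        return False, "owned by another user"
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False, "group/world accessible"
    return True, "ok"


def read_cache(path: str) -> bytes:
    """Only hand the token cache back to the caller if the file passes the checks."""
    ok, reason = cache_file_is_private(path)
    if not ok:
        raise PermissionError(f"refusing to use cache file {path}: {reason}")
    with open(path, "rb") as f:
        return f.read()


def demo() -> dict:
    """Exercise the checks in a fresh private temp directory; returns the outcomes."""
    d = tempfile.mkdtemp(prefix="msal-fallback-")
    path = os.path.join(d, "msal_token_cache.json")  # assumed file name
    payload = b'{"AccessToken": {}, "RefreshToken": {}}'  # constructed stand-in
    write_cache(path, payload)
    results = {
        "mode_after_write": stat.S_IMODE(os.stat(path).st_mode),
        "private_after_write": cache_file_is_private(path),
        "roundtrip": read_cache(path) == payload,
    }
    os.chmod(path, 0o644)  # simulate a careless chmod or a permissive umask
    results["private_after_chmod"] = cache_file_is_private(path)
    try:
        read_cache(path)
        results["read_refused"] = False
    except PermissionError:
        results["read_refused"] = True
    link = os.path.join(d, "planted_link")
    os.symlink(path, link)  # an attacker-planted symlink at the cache path
    results["symlink_reason"] = cache_file_is_private(link)[1]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The read-side check matters as much as the create-side mode: a 0600 file that a later `chmod`, backup restore or copy has widened is the realistic failure, and the safe response is to treat the cache as absent and re-prompt rather than to keep using it.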
I've been using azureauth in Wave Workspaces (a C+AI alternative to microsoft devbox) where you connect via VSCode to a Linux VM. Azureauth can be installed here, and ... through VSCode, it actually can already launch a web browser auth prompt! Which is great!
The problem is that you get the cache persistence check failures, because it's headless. And there is no cache. Meanwhile, the git credential manager in the same environment is not launching a web prompt and forces me to do device code login - but it caches in a plain text file, so it doesn't prompt after that.
It would be great to have azureauth also allow a plain text fallback in this scenario.