MSAL MSI with Credentials - Authentication Design #5096

Merged (24 commits) on Feb 20, 2025

Commits
- 54cfce2 init (GladwinJohnson, Jan 22, 2025)
- 837ef5b doc links (GladwinJohnson, Jan 22, 2025)
- 4bda98e apis (GladwinJohnson, Jan 22, 2025)
- 8f09566 typo (GladwinJohnson, Jan 22, 2025)
- b55a948 Update MSI V2 authentication steps and API table (gladjohn, Jan 27, 2025)
- 7cdffc2 Create slc_revocation_spec.md (gladjohn, Jan 27, 2025)
- 8a1ebe3 Add MSAL EPIC link to related documents. (gladjohn, Jan 27, 2025)
- ff0c095 Update revocation spec with unspecified credential issue (gladjohn, Jan 28, 2025)
- 3faf363 Refactor JSON body construction in documentation (gladjohn, Feb 6, 2025)
- 8d74f29 pr comments (GladwinJohnson, Feb 6, 2025)
- 2d83f71 pr comments (GladwinJohnson, Feb 11, 2025)
- 3467f25 pr comments (GladwinJohnson, Feb 19, 2025)
- 219580a pr comments (GladwinJohnson, Feb 19, 2025)
- 3811e41 azure_sdk (GladwinJohnson, Feb 19, 2025)
- 1184363 BindingCertificateRefreshed (GladwinJohnson, Feb 19, 2025)
- 4db52cb Add mermaid sequence diagram for MSI V2 process (gladjohn, Feb 20, 2025)
- 2649b55 Add sequence diagram to credential probe doc (gladjohn, Feb 20, 2025)
- 47f864d Update IMDS header handling logic (gladjohn, Feb 20, 2025)
- 28c3c8b Add sequence diagram for SLC revocation. (gladjohn, Feb 20, 2025)
- 97457bb Add mermaid sequence diagram for SLC revocation (gladjohn, Feb 20, 2025)
- 43892c2 Add sections on SLC revocation and claims challenge (gladjohn, Feb 20, 2025)
- 9bc500f Add sequence diagram for mTLS communication (gladjohn, Feb 20, 2025)
- 9842ba7 Remove mermaid sequence diagram from guidance document (gladjohn, Feb 20, 2025)
- f81b7b3 Merge branch 'main' into gladjohn/msi_vs_design (gladjohn, Feb 20, 2025)
Update MSI V2 authentication steps and API table
gladjohn authored Jan 27, 2025
commit b55a9484f8b4988fd6f4768baa0b8d66863b1ef8
9 changes: 5 additions & 4 deletions docs/msi_with_credential_design.md
@@ -69,11 +69,11 @@ If identified, MSAL will use the appropriate legacy MSI endpoint for that resour

This section outlines the necessary steps to acquire an access token using the MSI V2 `/credential` endpoint.

### 1. Check for an Existing Certificate
- Search for a valid self-signed certificate in `Cert:\LocalMachine\My`.
### 1. Check for an Existing (Platform) Certificate
- Search for a specific certificate (`devicecert.mtlsauth.local`) in `Cert:\LocalMachine\My`.
- If found, extract its thumbprint and use it for authentication.

### 2. Generate a New Certificate (if not found)
### 2. Generate a New Certificate (if specific certificate is not found)
- Create a new self-signed certificate with a 90-day validity.
- Ensure the certificate has:
- Subject name `CN=mtls-auth` (name not final).
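Review bot: the lookup name in step 1 and the subject in step 2 do not line up: step 1 now searches `Cert:\LocalMachine\My` for `devicecert.mtlsauth.local`, but the certificate that step 2 generates when that search fails carries `Subject name CN=mtls-auth (name not final)`. As written, a certificate minted by step 2 would not be found by step 1 on the next run, so the flow would create a fresh 90-day certificate every time; either say which attribute the `devicecert.mtlsauth.local` lookup matches on (if it is not the subject) or align the two names. The rewritten step 1 bullet also drops "valid" from "a valid self-signed certificate"; keep an explicit validity check (not expired, private key present) before extracting the thumbprint, since a match on name alone does not make the certificate usable for mTLS. Lastly, "(Platform) Certificate" in the heading leaves open who issues it: if the certificate found in step 1 is platform-provisioned rather than self-signed, state that, because it changes what the self-signed fallback in step 2 is a fallback from.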
@@ -210,11 +210,12 @@ try {

| API Name | Purpose |
|----------------------------------|-----------------------------------------------------------|
| `WithProofOfPossession()` | Requests a PoP token instead of a default Bearer token. |
| `WithClientCapabilities()` | Allows client capabilities |
| `WithClaims()` | Allows passing of claims (bypasses cache). |
| `GetBindingCertificate()` | Helper method to get the binding certificate. |
| `GetManagedIdentitySourceAsync()`| Helper method to get the managed identity source. |
| `WithProofOfPossession()` | Requests a PoP token instead of a default Bearer token. |


## Related Documents
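Review bot: moving `WithProofOfPossession()` to the end of the table is fine, but the added empty line leaves two blank lines before `## Related Documents`; drop one. While the table is being touched, the `WithClientCapabilities()` row ("Allows client capabilities") says nothing about what the capabilities are for, unlike the other rows; give it a purpose, e.g. which capabilities a caller declares and how they relate to the claims challenge handling this design adds in later commits. Also, `GetBindingCertificate()` and `GetManagedIdentitySourceAsync()` are described as "Helper method to ..." next to caller-facing builder options such as `WithClaims()`; say in the Purpose column whether these two are public API or internal helpers so readers know what they can call.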