Targeting NET Standard about armclient HOT 11 OPEN

projectkudu avatar projectkudu commented on August 22, 2024 2
Targeting NET Standard

from armclient.

Comments (11)

snobu avatar snobu commented on August 22, 2024 4

I believe this effort is now abandoned in favor of Azure CLI's az rest which is cross-platform from birth.

Example -

~ $ az rest --help

Command
    az rest : Invoke a custom request.
        This command automatically authenticates using the logged-in credential: If Authorization
        header is not set, it attaches header `Authorization: Bearer <token>`, where `<token>` is
        retrieved from AAD. The target resource of the token is derived from --url if --url starts
        with an endpoint from `az cloud show --query endpoints`. You may also use --resource for a
        custom resource.
        If Content-Type header is not set and --body is a valid JSON string, Content-Type header
        will default to application/json.
$ az rest --method get --url https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>?api-version=2021-01-01

{
  "authorizationSource": "Legacy",
  "displayName": "xx",
  "id": "/subscriptions/xxxxxxxx",
  "managedByTenants": [
    {
      "tenantId": "xxxxxxx"
    },
    {
      "tenantId": "xxxxxxx"
    }
  ],
  "state": "Enabled",
  [...]

from armclient.

davidebbo avatar davidebbo commented on August 22, 2024

Yes, would be great to have it work on Core. For auth, I think we'd need to switch to a model like what xplat CLI is doing. It gives you some code that you have to paste in a browser page, and then auth continues without needing to ever pop up UI. It's just too hard to pop up a browser window in a portable way.

Here is what it looks like with cli, though I don't know about implementation:

info:    Executing command login
info:    To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code EKCCKBJ6D to authenticate.

from armclient.

snobu avatar snobu commented on August 22, 2024

I saw that in the Mac PowerShell and az as well, so it must be coming from ADAL. I'll do some detective work since PowerShell is now open. This magic must be revealed.

from armclient.

snobu avatar snobu commented on August 22, 2024

Alright, so it's called OAuth 2.0 Device Flow Grant, it's in ADAL and it goes like this:

https://github.com/Azure-Samples/active-directory-dotnet-deviceprofile/blob/master/DirSearcherClient/Program.cs#L205-L209

DeviceCodeResult codeResult = ctx.AcquireDeviceCodeAsync(resource, clientId).Result;
Console.WriteLine("You need to sign in.");
Console.WriteLine("Message: " + codeResult.Message + "\n");
result = ctx.AcquireTokenByDeviceCodeAsync(codeResult).Result;

Result:

[image]

So it's definitely doable. I'll take a shot at adding it to ARMClient (unless you guys want to do it - I'm finding it difficult to commit time lately).

Vittorio's blog post on ADAL 3.x and Device Flow here:
http://www.cloudidentity.com/blog/2015/12/02/new-adal-3-x-previewdevice-profile-linux-and-os-x-sample/

from armclient.
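
The device flow named in the comment above, seen from the client's side of the wire (RFC 8628), as an added example that is not part of the thread, ADAL or ARMClient: the client polls the token endpoint while the user enters the code in a browser, and must tell "keep waiting" apart from "stop". The token endpoint here is a constructed in-process stand-in, and every id and token is a placeholder.

```python
import time

GRANT = "urn:ietf:params:oauth:grant-type:device_code"

class FakeTokenEndpoint:
    """Constructed stand-in for the authorization server's token endpoint."""
    def __init__(self, script):
        self.script = list(script)            # canned replies, returned in order
    def post(self, form):
        assert form["grant_type"] == GRANT
        return self.script.pop(0)

def poll_for_token(endpoint, client_id, device_code, interval, expires_in,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll until the user completes sign-in on the second device (RFC 8628, section 3.5)."""
    deadline = clock() + expires_in
    waits = []                                # intervals actually used, for inspection
    while clock() < deadline:
        sleep(interval)
        waits.append(interval)
        reply = endpoint.post({"grant_type": GRANT, "client_id": client_id,
                               "device_code": device_code})
        error = reply.get("error")
        if error is None:
            return reply, waits               # access_token, plus refresh_token if issued
        if error == "authorization_pending":
            continue                          # user has not entered the code yet
        if error == "slow_down":
            interval += 5                     # RFC 8628: back off by 5 seconds
            continue
        # access_denied, expired_token and anything unknown are terminal
        raise PermissionError(error)
    raise TimeoutError("device code expired before the user signed in")

def demo(script, expires_in=900):
    """Run the loop against constructed replies with a fake clock (no real waiting)."""
    now = {"t": 0}
    def fake_sleep(seconds):
        now["t"] += seconds
    return poll_for_token(FakeTokenEndpoint(script), "constructed-client-id",
                          "constructed-device-code", 5, expires_in,
                          sleep=fake_sleep, clock=lambda: now["t"])

if __name__ == "__main__":
    print(demo([{"error": "authorization_pending"}, {"error": "slow_down"},
                {"access_token": "constructed-token", "expires_in": 3600}]))
```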

davidebbo avatar davidebbo commented on August 22, 2024

Ha yes, now that I hear 'device flow', that rings a bell from some thread I was on when they were coming up with it for xplat CLI. If you can make it work here, that's awesome.

And hopefully that's the only thing preventing it from using Core (or Mono). The rest should be very portable HTTP request logic.

from armclient.

snobu avatar snobu commented on August 22, 2024

Well, Device Flow login now works (build this branch) but I broke the X509 cert auth in the process and I'm not sure how to get out of this one:
[image]

C:\lab\armclient\bin\Debug>armclient devicelogin
Using OAuth 2.0 Device Flow
You need to sign in.
Message: To sign in, use a web browser to open the page https://aka.ms/devicelogin and
enter the code DY2RRGXVN to authenticate.

Got Bearer token from Device Flow: eyJ0eXAiOiJKV1QiLCJh..
User: [email protected], Tenant: xxxxxxxxxxxxxxxx (microsoft.onmicrosoft.com)
        There are 3 subscriptions
        Subscription 6xxxxxxxxxxxxxxxx (yyyyyyyyyy)
        Subscription axxxxxxxxxxxxx (zzzzzzzzzzzzzzzz)
        Subscription bxxxxxxxxxxxxxxx (qqqqqqqqqqqqqq)

User: [email protected], Tenant: xxxxxxxxxxxxxxxxxxxx (swearjarbank.onmicrosoft.com)
        There are 0 subscriptions


C:\lab\armclient\bin\Debug>armclient get %testurl%
{
  "id": "/subscriptions/axxxx-xxxx-xxxxx-xxxxxx/resourceGroups/securitywhat",
  "name": "securitywhat",
  "location": "eastus",
  "properties": {
    "provisioningState": "Succeeded"
  }
}

C:\lab\armclient\bin\Debug>armclient listcache
User: [email protected], Tenant: xxxxx-xxxxx-xxxxxx-xxxxxx (microsoft.onmicrosoft.com)
        There are 3 subscriptions
        Subscription xxxxxxxx
        Subscription yyyyyyy
        Subscription zzzzzzzz

User: [email protected], Tenant: xxxx-xxxx-xxxx-xxxx (swearjarbank.onmicrosoft.com)
        There are 0 subscriptions

Not sure about:

  • Token store and refresh tokens, since ADAL 3.0 no longer exposes refresh tokens. Seems the token gets stored correctly in %userprofile%\.arm, but will it work in 1 hour? Didn't test.
  • I'm using common here as tenant, am I doing it right? The token seems to be fine.
  • There's no more context.AcquireTokenByRefreshTokenAsync() - so do we just do this instead?

I'm still fixing and testing but would value your input here @davidebbo @ahmelsayed

from armclient.

snobu avatar snobu commented on August 22, 2024

Looks like I broke the token refresh mechanism.
This is what happens after >1h from devicelogin:

C:\lab\armclient\bin\Debug>armclient get "https://management.azure.com/subscriptions/x-x-x-x/resourceGroups/?api-version=2014-04-01"

The method or operation is not implemented.

Which I believe is this line here.

Well, back to the drawing board.

from armclient.

davidebbo avatar davidebbo commented on August 22, 2024

Presumably, the xplat CLI is able to continue to work after one hour? Sorry, I'm not very familiar with the refresh mechanism.

from armclient.

snobu avatar snobu commented on August 22, 2024

Yes it is. I suspect I'm not saving the correct thing to offline cache with ADAL 3. I'll figure it out.

from armclient.

fawohlsc avatar fawohlsc commented on August 22, 2024

Any plans to make armclient cross-platform by porting to .NET Core? Would be handy to have it in Cloud Shell, Linux and Mac.

from armclient.

fawohlsc avatar fawohlsc commented on August 22, 2024

Thanks @snobu!

from armclient.
