Support plain text file cache fallback in headless linux #410
Comments
But @kyle-rader-msft wouldn't that be a security issue as it's plain text? |
I don't think this is a security issue that outweighs the experience and risk of training employees to click log in because every single action requires a prompt.
The Git Credential Manager has already set a precedent for this plain text fallback method, and on Linux the text file can have permissions set to only the current user. Linux machines are also now managed devices; to get to the Linux machines we want to use this on, you have to MFA into the Wave Work system to begin with.
Also note that while access tokens can be exfiltrated, they are short lived, and defense in depth has helped break apart what any bad actor can do with a single access token, given they are short lived, and better scoped. Refresh tokens from that cache are bound to the computer they were issued for and will not work from any new location or machine.
|
Hey @kyle-rader-msft , I am Huijing.
Am I reading your feature request correctly that you want us to persist access token in plain-text file just like what Git Credential Manager does? |
Not just the access token, but the MSAL cache, yes. If the normal MSAL cache persistence check fails, and we're running on Linux, enable using a plain text file fallback as the cache source. This file can be created with permissions only for the current user.
The normal KeyRing cache mechanism on Linux requires a UI, and in Azure, Wave Workspaces are powered via SSH connections to your Linux VM remotely in VSCode. The web auth flow works just fine and is propagated to the host already, but the cache persistence check fails, resulting in a prompt on every invocation.
|
Allowing an opt-in to plaintext credential caching is fine IMO, though I'm not confident enough in the space to want to suggest making it default behavior. Perhaps naming the setting something like "allow plaintext cache storage"? Ultimately, as long as the cache file itself is only user-readable (and not group/world-readable), then that seems pretty reasonable to me. |
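The two conditions the thread attaches to the plaintext fallback (the file is created for the current user only, and is never trusted if it is group- or world-readable) can be made concrete. The following is an added example, not azureauth or MSAL code: it writes a cache file with mode 0600 via an atomic rename, and refuses to load a cache that is not a regular file owned by the caller with no group/other bits. The cache path, file name and sample bytes are constructed for the demonstration.

```python
"""Added example (not part of the azureauth project): user-only plaintext
cache file handling on Linux, as proposed in the thread for headless hosts."""
import os
import stat
import tempfile
from typing import Optional


def write_private_cache(path: str, data: bytes) -> None:
    """Create or replace the cache so only the owner can read or write it.

    mkstemp creates the temp file with mode 0600 and O_EXCL, so no more
    permissive mode ever exists on disk; os.replace then swaps it in
    atomically over any previous cache at `path`.
    """
    parent = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=parent, prefix=".cache-")
    try:
        os.write(fd, data)
        os.fsync(fd)
    finally:
        os.close(fd)
    os.chmod(tmp, 0o600)  # explicit, in case the platform's mkstemp differs
    os.replace(tmp, path)


def cache_is_private(path: str) -> bool:
    """True only if `path` is a regular file owned by the caller with no
    group/other permission bits (what the thread calls user-readable only)."""
    st = os.lstat(path)  # lstat: a symlink planted at the cache path is rejected
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def read_private_cache(path: str) -> Optional[bytes]:
    """Load the cache only if it passes the permission check; otherwise treat
    it as absent so the caller falls back to an interactive login."""
    if not os.path.lexists(path) or not cache_is_private(path):
        return None
    with open(path, "rb") as f:
        return f.read()


def demo() -> dict:
    """Round trip in a temp dir. The sample bytes are constructed and are not
    a real MSAL cache; the dict reports what each check returned."""
    sample = b'{"constructed": "sample cache, not a real token"}'
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "msal_cache.json")
    write_private_cache(path, sample)
    result = {
        "mode_after_write": oct(os.lstat(path).st_mode & 0o777),
        "private_after_write": cache_is_private(path),
        "read_back_matches": read_private_cache(path) == sample,
    }
    os.chmod(path, 0o644)  # simulate a cache that became group/world-readable
    result["private_after_chmod"] = cache_is_private(path)
    result["read_after_chmod"] = read_private_cache(path)
    result["read_missing"] = read_private_cache(os.path.join(workdir, "absent.json"))
    return result


if __name__ == "__main__":
    print(demo())
```

The refusal path matters as much as the creation path: a cache that has been loosened by a stray `chmod`, copied into a shared directory, or replaced by a symlink is treated as missing rather than read, so the worst case is one extra login prompt rather than silent use of an exposed file.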
To add some more weight to this request: This is the current GCM experience we have in Wave Workspaces:
Using AzureAuth through a VSCode Remote dev experience on Linux, you actually get a native web browser on your host and can 1 click auth! But... the token caching doesn't work, so this happens every time. If we enable plain text token cache on Linux, the auth experience for Wave Space and remote Linux dev through VS Code would be so much more awesome! |
Just wanted to comment that implementing this support would also help our usage of AzureAuth in Linux environments where we have customers wanting to build on top of our platform in Linux Environments. |
My knowledge of the authentication is limited. However, would it be possible to integrate with Linux's keyring?
https://docs.keeper.io/en/privileged-access-manager/secrets-manager/integrations/linux-keyring#linux-keyring-utility |
We already do use the Linux keyring if we can. The problem is that when using Linux in a headless environment, (over SSH, VSCode Remote tunnel, etc) the keyring isn't usable because there's no GUI to unlock it (or at least this used to be the case).
|
I found this SOF post (https://askubuntu.com/questions/262698/how-do-i-get-passwords-from-the-keyring-in-the-terminal-for-usage-in-scripts) which talks about keyring (python) and the secret-tools libsecret-tools package. Can any of these be used to store the creds?
I know cargo has support for libsecret.
Also, launching a GUI in an SSH session is a pain or not possible.
However, with WSL you can enable its GUI feature (https://github.com/microsoft/wslg) which allows running X11 apps (Code, MS Edge, ..) on Linux.
In ${env:USERPROFILE}/.wslconfig add:
[wsl2]
guiApplications=true
Not as convenient as using keyring, but it helps. |
This isn't as much an issue for WSL, since WSL can launch the Windows azureauth installation for a better auth experience using the Windows auth broker.
I think libsecret is already in use under the hood, this is handled by the msal-extensions library: See https://github.com/AzureAD/microsoft-authentication-cli/blob/5520cb01a745f6032fb3762eed09f382c7eebe58/src/MSALWrapper/PCACache.cs#L55
|
I've been using azureauth in Wave Workspaces (a C+AI alternative to microsoft devbox) where you connect via VSCode to a Linux VM. Azureauth can be installed here, and ... through VSCode, it actually can already launch a web browser auth prompt! Which is great!
The problem is that you get the cache persistence check failures, because it's headless. And there is no cache. Meanwhile, the git credential manager in the same environment, is not launching a web prompt and forces me to do device code login - but it caches in a plain text file, so it doesn't prompt after that.
It would be great to have azureauth also allow a plain text fallback in this scenario.