Feature | Azure Active Directory Managed Identity authentication support #730
We also need to provide a synonym "ActiveDirectoryMSI" for the authentication keyword value to align the connection string with what all our other drivers use. The other drivers will eventually add a synonym for "ActiveDirectoryManagedIdentity".
@cheenamalhotra I'd also love Azure.Identity support for seamless localdev. Once this PR is in, what is the recommended way to connect in localdev using the VS/CLI token stores?
You would be able to override our implementation of the "Active Directory Managed Identity" authentication provider with your own class that implements "SqlAuthenticationProvider" and register it in your application by calling the "SetProvider" API. There you can simply acquire a token from the Azure.Identity library when implementing "AcquireTokenAsync", using "DefaultAzureCredential", as they support .NET Core and .NET Framework 4.6.1+ and their "GetToken" API does the following, as you can find documented: The following credential types if enabled will be tried, in order:
Once you call SetProvider, all future connection requests for the "Active Directory Managed Identity" authentication mode from the driver will go through your implementation using the same connection strings.
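The override described in the comment above, sketched as an added example (not code from this PR or from the driver). The class name `DefaultAzureCredentialSqlProvider` is hypothetical, and forming the scope by appending `/.default` to `parameters.Resource` is an assumption of this sketch.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;

// Hypothetical class name; not part of Microsoft.Data.SqlClient.
public sealed class DefaultAzureCredentialSqlProvider : SqlAuthenticationProvider
{
    private const string DefaultScopeSuffix = "/.default";
    private readonly TokenCredential _credential;

    // Inject a narrower credential where the full fallback chain is not wanted.
    public DefaultAzureCredentialSqlProvider(TokenCredential credential = null)
    {
        _credential = credential ?? new DefaultAzureCredential();
    }

    // Only claim the managed identity modes (both keyword spellings).
    public override bool IsSupported(SqlAuthenticationMethod authenticationMethod) =>
        authenticationMethod == SqlAuthenticationMethod.ActiveDirectoryManagedIdentity
        || authenticationMethod == SqlAuthenticationMethod.ActiveDirectoryMSI;

    public override async Task<SqlAuthenticationToken> AcquireTokenAsync(
        SqlAuthenticationParameters parameters)
    {
        // Assumption: the driver passes the resource URI; Azure.Identity wants a scope.
        string scope = parameters.Resource.EndsWith(DefaultScopeSuffix, StringComparison.Ordinal)
            ? parameters.Resource
            : parameters.Resource + DefaultScopeSuffix;

        AccessToken token = await _credential
            .GetTokenAsync(new TokenRequestContext(new[] { scope }), CancellationToken.None)
            .ConfigureAwait(false);

        // The token goes only to the driver; it is never logged or cached here.
        return new SqlAuthenticationToken(token.Token, token.ExpiresOn);
    }
}

public static class Program
{
    public static void Main()
    {
        // Register once at startup, before any connection is opened.
        var provider = new DefaultAzureCredentialSqlProvider();
        SqlAuthenticationProvider.SetProvider(
            SqlAuthenticationMethod.ActiveDirectoryManagedIdentity, provider);
        SqlAuthenticationProvider.SetProvider(
            SqlAuthenticationMethod.ActiveDirectoryMSI, provider);
    }
}
```

Because `DefaultAzureCredential` falls back through several credential sources, a deployed service can pass `new ManagedIdentityCredential()` to the constructor so that only the managed identity is ever used, keeping the developer-tool token stores for local runs.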
@cheenamalhotra thanks for the notes, that seems doable. Is there an existing "Extensions" NuGet package that it would be possible to put something like that code in, where it would be OK to have the Identity library dependency?
Is this available now with 3.x or 5.x?
There is no version 5 of this provider. This feature is available in 3.0 preview, which will RTM quite soon, and this version works with both .NET Core 3 and .NET 5.
Fixes #616
Introduces AAD Managed Identity support with below authentication mode keywords:
Connection strings applicable:
Dev Notes:
No new dependency is added to driver.
This feature is supported with direct REST API calls to IMDS and Identity endpoints (as in the MSSQL JDBC driver).
Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http