@jiasli
Member

@jiasli jiasli commented Aug 23, 2022

Description

Close #21296

Support Continuous Access Evaluation. For details of CAE, see

Testing Guide

az login now passes CP1 client capability to MSAL and AAD eSTS server:

az login
az account get-access-token

Decode the retrieved access token at https://jwt.ms/ to verify it has CP1 in xms_cc:

  "xms_cc": [
    "CP1"
  ],

Revoke all sessions:

az rest -m POST -u https://graph.microsoft.com/v1.0/me/revokeSignInSessions

Retry calling ARM until failure:

> az group list
WARNING: Acquiring new access token silently for tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a with claims challenge: {"access_token":{"nbf":{"essential":true, "value":"1661241267"}}}
AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2022-08-23T07:42:08.0617654Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2022-08-23T07:43:29.0000000Z'.
Trace ID: 23138fe7-e03f-4be2-b22d-4bf997b80a00
Correlation ID: b61947d7-37e2-4678-b397-d2de4eef5868
Timestamp: 2022-08-23 07:54:28Z
Interactive authentication is needed. Please run:
az logout
az login --scope https://management.core.windows.net//.default --claims eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwgInZhbHVlIjoiMTY2MTI0MTI2NyJ9fX0=

Log in again with the returned claims challenge:

az login --scope https://management.core.windows.net//.default --claims eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwgInZhbHVlIjoiMTY2MTI0MTI2NyJ9fX0=

Additional information

However, as explained in #21296 (comment), according to the AAD document:

https://docs.microsoft.com/en-us/azure/active-directory/develop/app-resilience-continuous-access-evaluation#the-code

try
{
    authResult = await _clientApp.AcquireTokenSilent(scopes, firstAccount)
        .WithClaims(claimChallenge)
        .ExecuteAsync()
        .ConfigureAwait(false);
}
catch (MsalUiRequiredException)
{
    try
    {
        authResult = await _clientApp.AcquireTokenInteractive(scopes)
            .WithClaims(claimChallenge)
            .WithAccount(firstAccount)
            .ExecuteAsync()
            .ConfigureAwait(false);
    }
    // ...

claims challenge should be sent back to interactive re-auth. But Azure PowerShell cmdlet Connect-AzAccount doesn't expose -Claims parameter, and everything still works as expected.

We still need to decide whether Azure CLI wants to expose --claims in az login.

2022-08-33 Update

As discussed with Azure PowerShell, Azure CLI will not support --claims for now until further required.

> az group list
Acquiring new access token silently for tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a with claims challenge: {"access_token":{"nbf":{"essential":true, "value":"1661831250"}}}
AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2022-08-30T03:44:31.6241251Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2022-08-30T03:44:55.0000000Z'.
Trace ID: 19e0cb8b-a0bc-4743-a639-5f122c051b00
Correlation ID: cf0dc7d9-7042-4c7f-83f0-0a00a5c3bb7a
Timestamp: 2022-08-30 03:47:31Z
Interactive authentication is needed. Please run:
az login --scope https://management.core.windows.net//.default

Azure CLI will support AZURE_IDENTITY_DISABLE_CP1 to align with Azure PowerShell, .NET Azure Identity SDK and Python Azure Identity SDK.
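The Testing Guide above checks two things by hand: that the token carries CP1 in xms_cc (via jwt.ms), and that the claims challenge AAD returns is the base64 of the JSON the CLI logs. The following Python is an added example, not code from this PR or from azure-cli; every function in it is a hypothetical helper, the sample token is constructed inline and unsigned, and the JWT payload is read without signature verification (the same as pasting it into jwt.ms), so it is only fit for inspecting claims, never for trusting a token.

```python
import base64
import json
from datetime import datetime, timezone

# Constructed sample: the CAE claims challenge exactly as the CLI logged it in the
# 2022-08-23 run above (whitespace matters for the base64 form, so it is kept verbatim).
CLAIMS_CHALLENGE = '{"access_token":{"nbf":{"essential":true, "value":"1661241267"}}}'


def encode_claims(claims_json: str) -> str:
    """Standard base64 of the raw claims JSON: the form passed to `az login --claims`
    in the output above (hypothetical helper, not azure-cli code)."""
    return base64.b64encode(claims_json.encode("utf-8")).decode("ascii")


def decode_claims(claims_b64: str) -> dict:
    """Reverse of encode_claims: recover the challenge as a dict."""
    return json.loads(base64.b64decode(claims_b64).decode("utf-8"))


def challenge_not_before(claims: dict) -> datetime:
    """The 'nbf' the resource demands: any token issued before this instant
    (here the revocation time) cannot satisfy the challenge."""
    value = int(claims["access_token"]["nbf"]["value"])
    return datetime.fromtimestamp(value, tz=timezone.utc)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Read a JWT payload WITHOUT verifying the signature. This is all that
    checking xms_cc needs; it must never be used to decide whether to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def is_cae_capable(token: str) -> bool:
    """True when the client advertised CP1 and AAD echoed it in xms_cc."""
    return "CP1" in jwt_payload(token).get("xms_cc", [])


def token_predates_challenge(token: str, claims: dict) -> bool:
    """True when the token's iat is earlier than the challenge's nbf, i.e. the
    cached token is the revoked one and a fresh token (silent or interactive) is needed."""
    nbf = int(claims["access_token"]["nbf"]["value"])
    return jwt_payload(token)["iat"] < nbf


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def make_unsigned_token(payload: dict) -> str:
    """Constructed sample input only: a JWT-shaped string with a fake signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.sig"


# Constructed sample token: iat = 2022-08-23T07:42:08Z, the grant time in the log above,
# which is before the challenge's nbf (07:54:27Z), so it is the token AAD rejected.
SAMPLE_TOKEN = make_unsigned_token(
    {"aud": "https://management.core.windows.net/", "iat": 1661240528, "xms_cc": ["CP1"]}
)

if __name__ == "__main__":
    b64 = encode_claims(CLAIMS_CHALLENGE)
    print("--claims", b64)
    print("challenge nbf:", challenge_not_before(decode_claims(b64)).isoformat())
    print("CAE-capable:", is_cae_capable(SAMPLE_TOKEN))
    print("needs fresh token:", token_predates_challenge(SAMPLE_TOKEN, decode_claims(b64)))
```

Running it reproduces the exact `--claims` value printed by the CLI above, which is a quick way to confirm that the challenge AAD returned is plain base64 of the logged JSON and not base64url or a wrapped structure.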

@ghost ghost added Auto-Assign Auto assign by bot Core CLI core infrastructure labels Aug 23, 2022
@ghost ghost requested a review from yonzhan August 23, 2022 08:21
@ghost ghost assigned jiasli Aug 23, 2022
@ghost ghost added this to the Aug 2022 (2022-09-06) milestone Aug 23, 2022
@ghost ghost requested a review from wangzelin007 August 23, 2022 08:21
@ghost ghost added the Graph az ad label Aug 23, 2022
@ghost ghost requested review from calvinhzy and evelyn-ys August 23, 2022 08:21
@ghost ghost added the AAD label Aug 23, 2022
@jiasli
Member Author

jiasli commented Aug 23, 2022

I accidentally bumped into a scenario where silent re-auth works, without interactive re-auth:

> az login

# Switch to a tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a where I am a guest
> az account set -s 0b1f6471-1bf0-4dda-aec3-cb9272f09590

# Revoke all sessions
> az rest -m POST -u https://graph.microsoft.com/v1.0/me/revokeSignInSessions

> az group list > $null
WARNING: Acquiring new access token silently for tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a with claims challenge: {"access_token":{"nbf":{"essential":true, "value":"1661243399"}}}

I guess it is because I didn't revoke sessions in home tenant 72f988bf-86f1-41af-91ab-2d7cd011db47, which makes the fresh token still valid. Silent re-auth can successfully get a new access token for tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a.

@jiasli
Member Author

jiasli commented Aug 30, 2022

The implementation with az login --claims is pushed to https://github.com/jiasli/azure-cli/tree/cae-login-claims

@jiasli jiasli marked this pull request as ready for review September 5, 2022 05:30
result = self.cmd('account get-access-token').get_output_in_json()
access_token = result['accessToken']
decoded = decode_access_token(access_token)
self.assertEqual(decoded['xms_cc'], ['CP1']) # xms_cc: extension microsoft client capabilities
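Review bot: the assertion on the last line pins xms_cc to exactly `['CP1']`, so the test will start failing as soon as AAD echoes any additional client capability alongside CP1, even though the CLI's behaviour would still be correct. `self.assertIn('CP1', decoded['xms_cc'])` checks what this test actually cares about (that CP1 was advertised and accepted) without coupling it to the full list.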
Member Author


It seems the xms_ssm claim is dropped from the GA version of CAE, so this test is no longer needed:

self.assertEqual(decoded['xms_ssm'], '1')  # xms_ssm: extension microsoft smart session management

@jiasli jiasli merged commit f7c30cb into Azure:dev Sep 5, 2022
@jiasli jiasli deleted the cae branch September 5, 2022 07:02
@jiasli jiasli mentioned this pull request Sep 9, 2022

Development

Successfully merging this pull request may close these issues.

[Feature Request] Support CAE