Open
Core Library: MSAL Node (@azure/msal-node)
Wrapper Library: Not Applicable
Public or Confidential Client?: Public
Description
According to the managed identity docs for Service Fabric, there is an environment variable called "IDENTITY_SERVER_THUMBPRINT": https://learn.microsoft.com/en-us/azure/service-fabric/how-to-managed-identity-service-fabric-app-code#acquiring-an-access-token-using-rest-api
And per those docs, the thumbprint should be used as part of the steps to retrieve a token:
To obtain a token, the client performs the following steps:
- forms a URI by concatenating the managed identity endpoint (IDENTITY_ENDPOINT value) with the API version and the resource (audience) required for the token
- creates a GET http(s) request for the specified URI
- adds appropriate server certificate validation logic
- adds the authentication code (IDENTITY_HEADER value) as a header to the request
- submits the request
The docs don't describe what 'appropriate' validation entails, and it was not part of the original design for MI support in MSAL. The Azure Identity libraries for Java and .NET do perform this step, however:
- For Java, the thumbprint is added to the HttpsURLConnection object that manages the HTTP requests
  - Related issue in the MSAL Java repo: [Bug] Service Fabric MI Auth doesn't validate server cert. microsoft-authentication-library-for-java#758
- For .NET, a server certificate validation callback is added that compares the thumbprint of the certificate the server presents against the value of the environment variable
  - Related issue in the MSAL .NET repo: [Feature Request] Service Fabric MI Auth doesn't validate server cert. microsoft-authentication-library-for-dotnet#4462
- For Python, there is no validation logic to copy: the relevant 'connection_verify' flag is simply hard-coded to false.
  - Related issue in the MSAL Python repo: [Feature Request] Add cert validation for MI auth in Service Fabric microsoft-authentication-library-for-python#654
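For reference, here is the token-acquisition procedure quoted above from the Service Fabric docs, written out in Node.js with the "appropriate server certificate validation" step done as a pin on IDENTITY_SERVER_THUMBPRINT. This is an added example, not code from MSAL Node, MSAL for any other platform, or Azure Identity. It assumes, from the linked docs page rather than from anything in this issue, that the authentication header is named `secret`, that the API version is `2019-07-01-preview`, and that IDENTITY_SERVER_THUMBPRINT is the SHA-1 thumbprint of the identity server's certificate as hex digits without separators; the endpoint address, thumbprints and audience used for checking it are constructed.

```javascript
// Added example: the token-acquisition steps quoted from the Service Fabric docs,
// in Node.js, with "appropriate server certificate validation" implemented as a
// pin on IDENTITY_SERVER_THUMBPRINT. Not MSAL Node or Azure Identity code.
//
// Assumed (check against the linked docs): the auth header is named "secret",
// the API version is "2019-07-01-preview", and IDENTITY_SERVER_THUMBPRINT is the
// SHA-1 thumbprint of the identity server's certificate, hex without separators.
const API_VERSION = '2019-07-01-preview';
const SHA1_HEX_LENGTH = 40;

// Step 1: URI = IDENTITY_ENDPOINT + api-version + resource (the token audience).
function buildTokenRequestUrl(identityEndpoint, resource, apiVersion = API_VERSION) {
  const url = new URL(identityEndpoint);
  if (url.protocol !== 'https:') {
    throw new Error(`IDENTITY_ENDPOINT must be https, got ${url.protocol}`);
  }
  url.searchParams.set('api-version', apiVersion);
  url.searchParams.set('resource', resource);
  return url;
}

// Node reports cert.fingerprint as "AB:CD:..."; the env var is plain hex and may
// be lowercase. Reduce both to uppercase hex so they compare as strings.
function normalizeThumbprint(value) {
  return String(value ?? '').replace(/[^0-9a-fA-F]/g, '').toUpperCase();
}

// Build check(cert): null when the presented certificate (the object returned by
// TLSSocket.getPeerCertificate()) carries the pinned thumbprint, else an Error.
function makeThumbprintCheck(expectedThumbprint) {
  const expected = normalizeThumbprint(expectedThumbprint);
  if (expected.length !== SHA1_HEX_LENGTH) {
    throw new Error(`IDENTITY_SERVER_THUMBPRINT must be ${SHA1_HEX_LENGTH} hex digits, got ${expected.length}`);
  }
  return function check(cert) {
    if (!cert || !cert.fingerprint) {
      return new Error('identity server presented no certificate');
    }
    const actual = normalizeThumbprint(cert.fingerprint);
    if (actual !== expected) {
      return new Error(`identity server certificate thumbprint ${actual} does not match pinned ${expected}`);
    }
    return null;
  };
}

// Steps 2-5. Node runs checkServerIdentity only after the chain has verified, so
// a pin placed there never executes for a certificate the trust store cannot
// chain, and rejectUnauthorized: false alone would accept any certificate. So:
// finish the handshake with chain checks off, inspect the peer certificate
// ourselves, and hand the socket to the HTTP client only if the pin matches.
async function requestToken({ identityEndpoint, identityHeader, serverThumbprint, resource }) {
  // Loaded lazily so the pure helpers above can be exercised without a network.
  const tls = await import('node:tls');
  const https = await import('node:https');
  const url = buildTokenRequestUrl(identityEndpoint, resource);
  const check = makeThumbprintCheck(serverThumbprint);

  const socket = await new Promise((resolve, reject) => {
    const s = tls.connect({ host: url.hostname, port: Number(url.port || 443), rejectUnauthorized: false });
    s.once('error', reject);
    s.once('secureConnect', () => {
      const err = check(s.getPeerCertificate());
      if (err) { s.destroy(); reject(err); } else { resolve(s); }
    });
  });

  return new Promise((resolve, reject) => {
    const req = https.request({
      method: 'GET',                              // Step 2: GET request
      host: url.hostname,
      port: Number(url.port || 443),
      path: url.pathname + url.search,
      headers: { secret: identityHeader },        // Step 4: IDENTITY_HEADER value
      createConnection: () => socket,             // reuse the pinned socket
    }, (res) => {
      let body = '';
      res.setEncoding('utf8');
      res.on('data', (chunk) => { body += chunk; });
      res.on('end', () => {
        if (res.statusCode !== 200) {
          reject(new Error(`identity endpoint returned HTTP ${res.statusCode}: ${body}`));
          return;
        }
        try { resolve(JSON.parse(body)); } catch (e) { reject(e); }
      });
    });
    req.once('error', reject);
    req.end();                                    // Step 5: submit
  });
}

// Inside a Service Fabric container the platform sets the three IDENTITY_* variables.
const { IDENTITY_ENDPOINT, IDENTITY_HEADER, IDENTITY_SERVER_THUMBPRINT } = process.env;
if (IDENTITY_ENDPOINT && IDENTITY_HEADER && IDENTITY_SERVER_THUMBPRINT) {
  requestToken({
    identityEndpoint: IDENTITY_ENDPOINT,
    identityHeader: IDENTITY_HEADER,
    serverThumbprint: IDENTITY_SERVER_THUMBPRINT,
    resource: 'https://vault.azure.net',         // example audience
  }).then((t) => console.log('token acquired; expires_on =', t.expires_on))
    .catch((e) => { console.error(e.message); process.exitCode = 1; });
}
```

The point of the two-phase connect is the one the Python sub-bullet illustrates by omission: `connection_verify=False` (or `rejectUnauthorized: false` in Node) turns off the chain check without putting anything in its place, so any endpoint that answers on the IDENTITY_ENDPOINT address is accepted and the IDENTITY_HEADER secret is sent to it. Pinning to IDENTITY_SERVER_THUMBPRINT before the request is written is what makes disabling the chain check safe.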
Source: Internal (Microsoft)