Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

azcopy login - Support SNI (Subject Name & Issuer Authentication) (AKA --use-cert-sn-issuer / x5c / send_certificate_chain) #2815

Open
ohads-MSFT opened this issue Sep 24, 2024 · 1 comment
Open

azcopy login - Support SNI (Subject Name & Issuer Authentication) (AKA --use-cert-sn-issuer / x5c / send_certificate_chain) #2815

ohads-MSFT opened this issue Sep 24, 2024 · 1 comment
Labels
feature request

Comments

@ohads-MSFT
Copy link

ohads-MSFT commented Sep 24, 2024
edited
Loading

Which version of the AzCopy was used?

v10.26.0 (latest)

Which platform are you using? (ex: Windows, Mac, Linux)

Linux (though I'm pretty sure it doesn't matter)

What command did you run?

azcopy login --service-principal --certificate-path /XXX.pfx --application-id YYYYYYYYY

What problem was encountered?

Failed to perform login command: ClientCertificateCredential authentication failed. FromAssertion(): http call(
https://login.microsoftonline.com/common/oauth2/v2.0/token)(POST) error: reply status code was 401:
{"error":"invalid_client","error_description":"AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client: 'XXXXX', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'XXXXX'. Review the documentation at
https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and
https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http
to build a query request URL, such as https://graph.microsoft.com/beta/applications/XXX
']. Alternatively, SNI may be configured on the app. Please ensure that client assertion is being sent with the x5c claim in the JWT header using MSAL's WithSendX5C() method so that Azure Active Directory can validate the certificate being used

How can we reproduce the problem in the simplest way?

Enable SNI auth on any service principal and try to login using a matching certificate

Have you found a mitigation/solution?

Logging in with az login --use-cert-sn-issuer and then reusing its token via AZCOPY_AUTO_LOGIN_TYPE="AZCLI" should work, but the latter is broken: #2794

This makes azcopy login --service-principal --certificate-path won't work for most MS-internal scenarios, as I'm sure you know cert pinning is disallowed.
@adreed-msft
Copy link
Member

BTW, I forgot to note, this is added to our backlog for next release. No guarantees it makes it in, but, it is there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@adreed-msft @ohads-MSFT