-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature request: start broker on-demand during operation #33
Comments
I debugged this a bit further and actually the problem is a different one: The IMHO this is a flaw in the implementation of the broker. This also explains, why the extension sometimes does not work on initial startup of the OS. I can try to implement a workaround, but nonetheless this should be fixed in the broker. |
😬 |
@bovi The identity broker come from the Entra ID product group and are "just" a dependency by Intune (from the Intune product group). The identity brokers are, in my assumption, used by more Microsoft products than Intune, for example Edge (by probably a third product group).
To get to the point: They aren't part of the endpoint management service. They are just identity brokers talking with Entra ID for you. It might even be possible to write a PAM for Entra ID based device login interacting with the device broker. |
@bovi jup. |
Yes, this is correct, and it can be verified by simply installing the publicly available packages and running them through strace, and you'll see what they do. Even the Intune agent runs periodically, as you can see it is ran by a systemd timer once an hour. And to be clear: this is a good design. Run when needed transparently, and recover any state at any moment if they aren't. There's no need for any persistent service for any of this, consuming CPU and battery. Now the fact that 2 of the 3 components are Java program doesn't help with resource consumption, but that's due to historical reasons. I am happy enough that there is a supported solution at all for Linux, and I am grateful to the teams that delivered it. And I am also grateful to Siemens folks for implementing these extensions, as they make life a lot easier. Thanks! What I noticed is that when the extension is enabled, the brokers get started even if I am not opening any website that goes through login.microsoft.com, so they are effectively always running again, hence my comment.
Yeah that does sound like an issue in the broker, I can try and look into it after I am back from conferencing. |
This comment was marked as off-topic.
This comment was marked as off-topic.
I wholeheartedly agree. I just have my problems with some implementation choices (especially the Java part) but I absolutely get why and how these choices were made and I also appreciate that the whole thing was made in the first place.
@bluca If you need help with these MS internal efforts by backing them up with a support request from outside, please don't hesitate to ask. I can do this. If you think an SR would hurt these efforts (at this point in time), please tell me as well, then I'll back off. |
I found the cause of this issue in the broker and fixed it, the fix has just been merged in the dev branch, so it should be part of the next release, whenever that happens |
That's great news. Many thanks for fixing. The workaround #34 is included in v1.1.0 and can be reverted once the next version of Intune is released. |
@bluca I just noticed, that the {
"accounts": [],
"error": {
"context": "/com/microsoft/identity/devicebroker1 is not an object provided by this process.",
"diagnostics": {
"raw_error_code": "unknown_error",
"exception_type": "com.microsoft.identity.common.exception.ClientException"
},
"errorCode": 0,
"status": 0,
"subStatus": 0,
"tag": 0
},
"telemetry": {
"ui_visible": "false",
"os_version": "Debian GNU/Linux 12",
"broker_version": "2.0.1",
"error_location": "com.microsoft.identity.common.java.controllers.ExceptionAdapter#clientExceptionFromException#394",
"dbus_method_name": "getAccounts"
}
} That indicates, that the PS: Reopening, as our workaround only covers the |
The fix applied to both I think, but they haven't published the fixed version yet |
Currently, the broker is started during the initial startup of the extension and via
org.freedesktop.DBus->StartServiceByName
. Later on, we just observe if it is running / not running and inform the browser component about the current status. However, this only works in case the broker is always running.In [1] I got informed, that some people only run the broker temporarily and use the DBus activation feature to activate it whenever it is needed. With the current implementation of the extension, this is not supported, as we simply disable the extension once the service disappears (and re-enable once it is back). We also cannot easily change that, as the
NativeMessaging
backend uses introspection to create the DBus RPC wrapper on-demand. This introspection approach seems to be incompatible with DBus based activation [2]. At least I did not manage to make that work in eitherpydbus
ordasbus
. I further tried manually starting the service viadbus.StartServiceByName()
, but this is not atomic, i.e. the call returns before the service can be introspected.What I don't understand is why the introspection calls are not buffered until the service is running. Is this just a quirk in the
pydbus
/dasbus
libraries, or is it a more fundamental issue? Probably we need to completely avoid the online introspection and use more low-level libraries to perform the dbus communication.The text was updated successfully, but these errors were encountered: