Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature request: start broker on-demand during operation #33

Open
fmoessbauer opened this issue Sep 17, 2024 · 12 comments · Fixed by #34
Open

Feature request: start broker on-demand during operation #33

fmoessbauer opened this issue Sep 17, 2024 · 12 comments · Fixed by #34
Assignees

Comments

@fmoessbauer
Copy link
Member

Currently, the broker is started during the initial startup of the extension and via org.freedesktop.DBus->StartServiceByName. Later on, we just observe if it is running / not running and inform the browser component about the current status. However, this only works in case the broker is always running.

In [1] I got informed, that some people only run the broker temporarily and use the DBus activation feature to activate it whenever it is needed. With the current implementation of the extension, this is not supported, as we simply disable the extension once the service disappears (and re-enable once it is back). We also cannot easily change that, as the NativeMessaging backend uses introspection to create the DBus RPC wrapper on-demand. This introspection approach seems to be incompatible with DBus based activation [2]. At least I did not manage to make that work in either pydbus or dasbus. I further tried manually starting the service via dbus.StartServiceByName(), but this is not atomic, i.e. the call returns before the service can be introspected.

What I don't understand is why the introspection calls are not buffered until the service is running. Is this just a quirk in the pydbus / dasbus libraries, or is it a more fundamental issue? Probably we need to completely avoid the online introspection and use more low-level libraries to perform the dbus communication.

@fmoessbauer
Copy link
Member Author

I debugged this a bit further and actually the problem is a different one:

The microsoft-identity-broker.service is indeed DBus activated, however it exposes the object / path com/microsoft/identity/broker1 only after a couple of seconds. By that, showing up on DBus and being usable is not atomic. The DBus activation however only guarantees that the method call is delayed until the name shows up on the bus and then performs the call - which is too early for the broker.

IMHO this is a flaw in the implementation of the broker. This also explains, why the extension sometimes does not work on initial startup of the OS. I can try to implement a workaround, but nonetheless this should be fixed in the broker.

@nsballmann
Copy link

😬

@nsballmann
Copy link

@bovi The identity broker come from the Entra ID product group and are "just" a dependency by Intune (from the Intune product group). The identity brokers are, in my assumption, used by more Microsoft products than Intune, for example Edge (by probably a third product group).

If When Microsoft releases an RDP client for their Azure Virtual Desktop (new name Windows App, by another product group) that client will probably also depend on those brokers being present for device trust based SSO.

To get to the point: They aren't part of the endpoint management service.

They are just identity brokers talking with Entra ID for you. It might even be possible to write a PAM for Entra ID based device login interacting with the device broker.

@nsballmann
Copy link

@bovi jup.

@bluca
Copy link

bluca commented Sep 22, 2024

To get to the point: They aren't part of the endpoint management service.

They are just identity brokers talking with Entra ID for you.

Yes, this is correct, and it can be verified by simply installing the publicly available packages and running them through strace, and you'll see what they do. Even the Intune agent runs periodically, as you can see it is ran by a systemd timer once an hour. And to be clear: this is a good design. Run when needed transparently, and recover any state at any moment if they aren't. There's no need for any persistent service for any of this, consuming CPU and battery. Now the fact that 2 of the 3 components are Java program doesn't help with resource consumption, but that's due to historical reasons. I am happy enough that there is a supported solution at all for Linux, and I am grateful to the teams that delivered it. And I am also grateful to Siemens folks for implementing these extensions, as they make life a lot easier. Thanks!

What I noticed is that when the extension is enabled, the brokers get started even if I am not opening any website that goes through login.microsoft.com, so they are effectively always running again, hence my comment.

I debugged this a bit further and actually the problem is a different one:

The microsoft-identity-broker.service is indeed DBus activated, however it exposes the object / path com/microsoft/identity/broker1 only after a couple of seconds. By that, showing up on DBus and being usable is not atomic. The DBus activation however only guarantees that the method call is delayed until the name shows up on the bus and then performs the call - which is too early for the broker.

IMHO this is a flaw in the implementation of the broker. This also explains, why the extension sometimes does not work on initial startup of the OS. I can try to implement a workaround, but nonetheless this should be fixed in the broker.

Yeah that does sound like an issue in the broker, I can try and look into it after I am back from conferencing.

@bluca

This comment was marked as off-topic.

@fmoessbauer
Copy link
Member Author

Yeah that does sound like an issue in the broker, I can try and look into it after I am back from conferencing.

@bluca That would be much appreciated. It also would be great if you could give #34 a try. This should add support for your use-case.

@nsballmann
Copy link

And to be clear: this is a good design.

I wholeheartedly agree. I just have my problems with some implementation choices (especially the Java part) but I absolutely get why and how these choices were made and I also appreciate that the whole thing was made in the first place.

Yeah that does sound like an issue in the broker, I can try and look into it after I am back from conferencing.

@bluca If you need help with these MS internal efforts by backing them up with a support request from outside, please don't hesitate to ask. I can do this. If you think an SR would hurt these efforts (at this point in time), please tell me as well, then I'll back off.

@bluca
Copy link

bluca commented Oct 4, 2024

I debugged this a bit further and actually the problem is a different one:

The microsoft-identity-broker.service is indeed DBus activated, however it exposes the object / path com/microsoft/identity/broker1 only after a couple of seconds. By that, showing up on DBus and being usable is not atomic. The DBus activation however only guarantees that the method call is delayed until the name shows up on the bus and then performs the call - which is too early for the broker.

IMHO this is a flaw in the implementation of the broker. This also explains, why the extension sometimes does not work on initial startup of the OS. I can try to implement a workaround, but nonetheless this should be fixed in the broker.

I found the cause of this issue in the broker and fixed it, the fix has just been merged in the dev branch, so it should be part of the next release, whenever that happens

@fmoessbauer
Copy link
Member Author

I found the cause of this issue in the broker and fixed it

That's great news. Many thanks for fixing. The workaround #34 is included in v1.1.0 and can be reverted once the next version of Intune is released.

@fmoessbauer
Copy link
Member Author

fmoessbauer commented Jan 16, 2025

@bluca I just noticed, that the microsoft-identity-device-broker might need the same DBus activation fix. What I sometimes get after the first call to the broker is the following:

{
  "accounts": [],
  "error": {
    "context": "/com/microsoft/identity/devicebroker1 is not an object provided by this process.",
    "diagnostics": {
      "raw_error_code": "unknown_error",
      "exception_type": "com.microsoft.identity.common.exception.ClientException"
    },
    "errorCode": 0,
    "status": 0,
    "subStatus": 0,
    "tag": 0
  },
  "telemetry": {
    "ui_visible": "false",
    "os_version": "Debian GNU/Linux 12",
    "broker_version": "2.0.1",
    "error_location": "com.microsoft.identity.common.java.controllers.ExceptionAdapter#clientExceptionFromException#394",
    "dbus_method_name": "getAccounts"
  }
}

That indicates, that the microsoft-identity-device-broker is not fully functional when registering the service on the DBus.

PS: Reopening, as our workaround only covers the microsoft-identity-broker part.

@fmoessbauer fmoessbauer reopened this Jan 16, 2025
@bluca
Copy link

bluca commented Jan 16, 2025

The fix applied to both I think, but they haven't published the fixed version yet

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants