Comments (10)
@chatter92 Your research effort on this topic is amazing!
Given that the Kubernetes side has fixed this and is probably in the process of releasing/rolling out their new version, would you consider checking their release plan and see if you can wait? Because, even if you somehow find a workaround to add that legacy api_version=1.0 behavior into your code base, your code would likely still break when the aforementioned Kubernetes fix would be deployed to your environment.
from azure-activedirectory-library-for-java.
@yubhat The reason this is happening is because ADAL Python hardcodes the api-version in the endpoints they are hitting ("api-version=1.0"), while Java does not. ADAL Java is in maintenance mode and we are not making updates unless they are security related.
Do you own the Kubernetes service which you are using the token for?
@sangonzal unfortunately, we don't own the Kubernetes service, hence we cannot make any changes there. If there is any way in which we can pass the api-version via the java sdk (adal or msal), it will solve this issue for us.
@yubhat @chatter92 Out of curiosity, how do you initialize ADAL Python in your code? Did you explicitly use its api_version parameter? In their recent samples, that parameter is typically left undefined in order to trigger the default behavior (rather than using api_version="1.0").
@rayluo yes, we have explicitly set api_version to 1.0 in our script.
@yubhat @chatter92 ADAL is in maintenance mode and we are not planning on making changes unless they are security related.
The Kubernetes service should accept tokens with the new format. Have you tried contacting the owners and asking them to update?
@chatter92 Thanks for sharing this info! Back then when I implemented that api_version parameter in ADAL Python so that developers could opt in for the old behavior for backward compatibility, we did not exactly know which service(s) would require such old behavior. Now I/we learn from you that "Kubernetes service expects audience as SPN:Client_ID".
As @sangonzal correctly pointed out, ideally the Kubernetes service would better accept new format of token.
By the way, @chatter92 have you folks ever tried using our MSAL library (either MSAL Python or MSAL Java)? Will the token acquired by those libraries work for Kubernetes service? If not, that will be another topic that we would like to figure out.
//CC our PMs @navyasric @jmprieur as a FYI.
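Added example in Python (not code from the thread or from either ADAL library) showing how to tell the two audience formats apart in a token and how a relying party such as the cluster mentioned above could accept both during the transition @rayluo and @sangonzal describe. The client id and tenant are constructed placeholders, and the sample tokens are built unsigned purely so their claims can be read; a real consumer must verify the signature before trusting any claim.

```python
import base64
import json

# Constructed placeholder, not a real application (client) id.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"

def _b64url_encode(data: dict) -> str:
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_token(claims: dict) -> str:
    # Constructed test token: alg "none" with an empty signature segment.
    # Real Azure AD tokens are RS256-signed; this only serves claim inspection.
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    return f"{header}.{_b64url_encode(claims)}."

def unverified_claims(token: str) -> dict:
    # Decode the payload segment only; the signature is NOT checked here.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def audience_format(token: str, client_id: str) -> str:
    """'legacy' for aud 'spn:<client_id>' (the api-version=1.0 behaviour),
    'current' for a bare client id, 'mismatch' for anything else."""
    aud = unverified_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # RFC 7519 allows a list
    if f"spn:{client_id}" in auds:
        return "legacy"
    if client_id in auds:
        return "current"
    return "mismatch"

def audience_accepted(token: str, client_id: str) -> bool:
    # What a relying party needs during the transition the thread describes:
    # accept both audience formats for its own client id, reject anything else.
    return audience_format(token, client_id) != "mismatch"

# Constructed sample tokens mirroring the two formats discussed in the thread.
ISSUER = "https://sts.windows.net/tenant-id-placeholder/"
LEGACY_TOKEN = make_unsigned_token({"aud": f"spn:{CLIENT_ID}", "iss": ISSUER})
CURRENT_TOKEN = make_unsigned_token({"aud": CLIENT_ID, "iss": ISSUER})
```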
@rayluo we did try using the MSAL java library (1.1.0), but it looks like even that is generating tokens without the "spn" prefix, so it didn't work with our cluster.
It is possible that the k8s clusters that we use are on an older version, and as @yubhat had mentioned, a PR was raised on the Kubernetes repo for the same: kubernetes/kubernetes#86412
But it was fairly recent and may not even have been released yet.
So till the time we get a k8s update, if we could get the token in the older format, it would be great for us.
Yeah that's the thing. We don't know when we will get an update on the cluster, so we don't know how long we have to wait. If you can expose this api_version parameter, we can keep it configurable in our service in, say, a properties file. So today, that property can say api_version=1.0. Tomorrow, when they do roll out the fix, we can just update the properties file to say api_version=2.0 or something.
Closing. We will not be addressing this in adal4j.
Migrating to MSAL can be found here:
https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-adal-msal-java