
Comments (10)

rayluo commented on June 26, 2024

@chatter92 Your research effort on this topic is amazing!

Given that the Kubernetes side has fixed this and is probably in the process of releasing/rolling out their new version, would you consider checking their release plan and see if you can wait? Because, even if you somehow find a workaround to add that legacy api_version=1.0 behavior into your code base, your code would likely still break when the aforementioned Kubernetes fix would be deployed to your environment.

from azure-activedirectory-library-for-java.

sangonzal commented on June 26, 2024

@yubhat The reason this is happening is because ADAL Python hardcodes the api-version in the endpoints they are hitting ("api-version=1.0"), while Java does not. ADAL Java is in maintenance mode and we are not making updates unless they are security related.

Do you own the Kubernetes service which you are using the token for?


chatter92 commented on June 26, 2024

@sangonzal unfortunately, we don't own the Kubernetes service, hence we cannot make any changes there. If there is any way in which we can pass the api-version via the java sdk (adal or msal), it will solve this issue for us.


rayluo commented on June 26, 2024

@yubhat @chatter92 Out of curiosity, how do you initialize ADAL Python in your code? Did you explicitly use its api_version parameter? In their recent samples, that parameter is typically left undefined in order to trigger the default behavior (rather than using api_version="1.0").


chatter92 commented on June 26, 2024

@rayluo yes, we have explicitly set api_version to 1.0 in our script.


sangonzal commented on June 26, 2024

@yubhat @chatter92 ADAL is in maintenance mode and we are not planning on making changes unless they are security related.

The Kubernetes service should accept tokens with the new format. Have you tried contacting the owners and asking them to update?


rayluo commented on June 26, 2024

@chatter92 Thanks for sharing this info! Back then when I implemented that api_version parameter in ADAL Python so that developers could opt in for the old behavior for backward compatibility, we did not exactly know which service(s) would require such old behavior. Now I/we learn from you that "Kubernetes service expects audience as SPN:Client_ID".

As @sangonzal correctly pointed out, ideally the Kubernetes service would better accept the new format of token.

By the way, @chatter92 have you folks even tried using our MSAL library (either MSAL Python or MSAL Java)? Will the token acquired by those libraries work for Kubernetes service? If not, that will be another topic that we would like to figure out.

//CC our PMs @navyasric @jmprieur as a FYI.


chatter92 commented on June 26, 2024

@rayluo we did try using the MSAL java library (1.1.0), but it looks like even that is generating tokens without the "spn" prefix, so it didn't work with our cluster.
It is possible that the k8s clusters that we use are on an older version, and as @yubhat had mentioned, a PR was raised on the Kubernetes repo for the same: kubernetes/kubernetes#86412
But it was fairly recent and may not even have been released yet.

So till the time we get a k8s update, if we could get the token in the older format, it would be great for us.

from azure-activedirectory-library-for-java.
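To see which audience format a given token carries, and how a resource-side check can accept the legacy form only or both forms, here is an added example that is not part of the thread and is not code from ADAL, MSAL or Kubernetes. It assumes the newer format is the bare client ID and the legacy format is `spn:` followed by the client ID; the function names, the all-zero client ID and the sample tokens are constructed for illustration.

```python
import base64
import json

SPN_PREFIX = "spn:"  # legacy audience prefix discussed in the thread (lowercase assumed)

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def unverified_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only. The signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def audiences(claims: dict) -> list:
    # 'aud' may be a single string or a list of strings.
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)

def audience_form(aud: str) -> str:
    return "legacy-spn" if aud.startswith(SPN_PREFIX) else "bare"

def audience_matches(claims: dict, client_id: str, accept_bare: bool = True) -> bool:
    """Exact match on spn:<client_id>, plus the bare client_id when accept_bare is set."""
    allowed = {SPN_PREFIX + client_id}
    if accept_bare:
        allowed.add(client_id)
    return any(aud in allowed for aud in audiences(claims))

def make_sample_token(aud) -> str:
    # Constructed, unsigned sample: the third segment is a dummy, not a real signature.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc({"aud": aud}), "constructed"])

CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real app ID
LEGACY_TOKEN = make_sample_token(SPN_PREFIX + CLIENT_ID)
BARE_TOKEN = make_sample_token(CLIENT_ID)

if __name__ == "__main__":
    for name, token in (("legacy", LEGACY_TOKEN), ("bare", BARE_TOKEN)):
        claims = unverified_claims(token)
        for aud in audiences(claims):
            print(name, audience_form(aud),
                  "legacy-only check:", audience_matches(claims, CLIENT_ID, accept_bare=False),
                  "both-forms check:", audience_matches(claims, CLIENT_ID))
```

The decode step is a diagnostic aid for comparing tokens from different library versions; a resource server still has to verify the signature, issuer and expiry before trusting any claim.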

chatter92 commented on June 26, 2024

Yeah that's the thing. We don't know when we will get an update on the cluster, so we don't know how long we have to wait. If you can expose this api_version parameter, we can keep it configurable in our service in, say, a properties file. So today, that property can say api_version=1.0. Tomorrow, when they do roll out the fix, we can just update the properties file to say api_version=2.0 or something.


henrik-me commented on June 26, 2024

Closing. We will not be addressing this in adal4j.

Migrating to MSAL can be found here:
https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-adal-msal-java

