
Comments (7)

shueybubbles commented on May 23, 2024

sounds good to me! Thx for working it out. Now I need some other curious-and-motivated community members to add Always Encrypted support.

from go-mssqldb.

mattgillard commented on May 23, 2024

Update: After looking at the dotnet SqlClient code - it makes sense why it works - the implementation logic is different for the prelogin response.

I am guessing the switch statement never hits case (int)PreLoginOptions.FEDAUTHREQUIRED as that option is not returned. So technically Microsoft.Data.SqlClient is breaking the specification.

https://github.com/dotnet/SqlClient/blob/20d4c199923c9b4ea2ffd44d9304fcb306c5efb5/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParser.cs#L1054


shueybubbles commented on May 23, 2024

I think your scenario doesn't need to use the azuread package. There's a fedauth connector you can leverage that doesn't take any dependency on MSAL SDK for Go. Have you tried using NewSecurityTokenConnector directly?


mattgillard commented on May 23, 2024

Sure - but I get the same problem - as I have to use the azuread driver for federation - I do not see any other option?
As soon as it sees fedauth in the connection string - it resets p.fedAuthLibrary from the default of mssql.FedAuthLibraryReserved as per:

p.fedAuthLibrary = mssql.FedAuthLibraryADAL

I tried this:

	connString := fmt.Sprintf("odbc:server=%s;port=%d;fedauth=FedAuthLibraryReserved;",
		server, port)
	//print(authToken)

	//conn, err := sql.Open(azuread.DriverName, connString)
	// Token provider callback: hands back the caller-supplied token unchanged.
	tokenProviderWithCtx := func(ctx context.Context) (string, error) {
		return authToken, nil
	}

	connector, err := mssql.NewConnectorWithAccessTokenProvider(connString, tokenProviderWithCtx)
	if err != nil {
		return err
	}
	conn := sql.OpenDB(connector)

Maybe we need an extra fedauth option for non-AAD federation which keeps p.fedAuthLibrary as default. But that would seem messy I guess as all the federation code is in the azuread package.

Technically it doesn't matter who is the token provider, azuread does the job except for this issue.


shueybubbles commented on May 23, 2024

The azuread package is simply an AAD-specific federation implementation which implements the token fetch callback using MSAL SDK for Go. The federation implementation is part of the core mssql code, split between fedauth.go and tds.go. I think having a new method in fedauth.go to create a config that has both fedAuthRequired == true and fedAuthLibrary == FedAuthLibraryReserved for this scenario is probably ok.

Alternately - does it make sense for the prelogin response validation to check for both FedAuthLibrarySecurityToken and FedAuthLibraryReserved as possible inputs instead of just the one? After all, both values have the semantic that the server doesn't need to provide any information for the client to provide the token.

Pulling in azuread is just going to bloat your binary for little benefit.


mattgillard commented on May 23, 2024

I get it now. Leave it with me and I will find some time to try it. Thanks for the pointer!


mattgillard commented on May 23, 2024

How about this:

	} else if fe.FedAuthLibrary != FedAuthLibraryReserved && fe.ADALWorkflow > 0 {
		return 0, fmt.Errorf("federated authentication is not supported by the server")
	}

NewSecurityTokenConnector does not set the ADALWorkflow. I think you only care about the above error message if it's actually going through the ADALWorkflow somehow and didn't get the prelogin FEDAUTHREQUIRED response?

For a generic access token provided by the user the above should be enough as they just want to auth and we don't want to check for the support.

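To make the prelogin check discussed in the last two comments concrete, here is an added, self-contained example (not go-mssqldb's code): it parses the PRELOGIN option table from a server response and applies the relaxed rule proposed above, so a caller-supplied token using the Reserved library is not rejected when the server omits FEDAUTHREQUIRED, while a real ADAL workflow still is. The option token ids follow MS-TDS; the library ids and the constructed response bytes in the test are assumptions for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// PRELOGIN option tokens (MS-TDS) and FEDAUTH library ids modeled here (names follow the thread).
const (
	plOptFedAuthRequired   = 0x06
	plOptTerminator        = 0xFF
	fedAuthLibraryADAL     = 0x02
	fedAuthLibraryReserved = 0x7F
)

// parsePreloginFedAuth walks the option table (1-byte token, 2-byte big-endian offset,
// 2-byte big-endian length, terminated by 0xFF) and reports FEDAUTHREQUIRED if present.
func parsePreloginFedAuth(payload []byte) (present bool, value byte, err error) {
	for off := 0; ; off += 5 {
		if off < len(payload) && payload[off] == plOptTerminator {
			return false, 0, nil // table ended without a FEDAUTHREQUIRED entry
		}
		if off+5 > len(payload) {
			return false, 0, errors.New("prelogin: truncated or unterminated option table")
		}
		dataOff := int(binary.BigEndian.Uint16(payload[off+1:]))
		dataLen := int(binary.BigEndian.Uint16(payload[off+3:]))
		if payload[off] == plOptFedAuthRequired {
			if dataLen != 1 || dataOff+1 > len(payload) {
				return false, 0, errors.New("prelogin: bad FEDAUTHREQUIRED option")
			}
			return true, payload[dataOff], nil
		}
	}
}

// checkFedAuthSupport applies the relaxed rule from the thread: only a client that is
// really running an ADAL workflow needs the server's FEDAUTHREQUIRED answer; a
// caller-supplied token with the Reserved library does not.
func checkFedAuthSupport(library, adalWorkflow byte, payload []byte) error {
	present, _, err := parsePreloginFedAuth(payload)
	if err != nil {
		return err
	}
	if library != fedAuthLibraryReserved && adalWorkflow > 0 && !present {
		return errors.New("federated authentication is not supported by the server")
	}
	return nil
}
```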
