Add -Force to Get-AzAccessToken #21558
Replies: 5 comments 3 replies
Hi, not sure if it's perhaps a wrong tag, but I don't think I can provide an answer here :)
@Agazoth - how are you checking group membership? Are you parsing the access token? Clients should not parse access tokens - this is a security / resilience issue - access token is not meant for client, but for protected resource, e.g. Azure SQL or Graph; token format is not guaranteed to stay JWT, OAUTH spec does not force JWT, e.g. AAD might start issuing encrypted JWT (JWE) and it'll break the client. Solution is to parse ID Token, as this is meant for the app. But probably the better solution is to use Microsoft Graph to figure out the groups. You can even get it to issue change notifications. @isra-fel yes you can use
@bgavrilMS I checked the groups in jwt.io. I just want to be able to force a new token via Get-AzAccessToken, when testing AAD group membership during configuration of new access. A -Force switch on Get-AzAccessToken would be great when doing that kind of test. As @isra-fel suggests, it might be possible to have Get-AzAccessToken use the WithForceRefresh option. I cannot find any documentation on WithForceRefresh on the AcquireTokenSilent API. Is that available somewhere?
@bgavrilMS that was also what my debugging indicated. How can we request a change to the Azure SDK? I find it quite hard to navigate that project and find the exact spot where the functionality could be implemented. I am fine with looking at group membership via Graph, but that does not enable me to test things like sql queries from a logged in PowerShell session until the current token expires, when using Get-AzAccessToken.
Recently we have been working with different roles in Azure SQL databases and data masking. The masking is based on Azure AD group membership. We are testing masking by adding and removing users to and from Azure AD groups and then querying the database from PowerShell using the sqlserver cmdlets combined with Get-AzAccessToken.
Get-AzAccessToken uses the MSAL cache for tokens and only refreshes the token, if it is close to expiration. That is a good thing in stable scenarios, but in this scenario, where the token changes often, it would be great to be able to override the default behavior and force creation of a new token.
A -Force switch on the Get-AzAccessToken cmdlet would be a logical solution to this scenario, but looking at the code it seems there is no easy way to force a token refresh.
Would this be a useful feature? If so, is it on a backlog somewhere?
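The following script is an added example, not code from this discussion or from the Az project. It shows the testing flow described above done in the way the replies recommend: group membership is checked through Microsoft Graph (via the Az.Resources cmdlets) instead of by decoding the access token, the token for Azure SQL is obtained with Get-AzAccessToken and its ExpiresOn value is printed so you can see when the MSAL cache will refresh it on its own, and the masked table is queried with Invoke-Sqlcmd from the SqlServer module. The server name, database, group object id and table name are placeholders; the script assumes the Az.Accounts, Az.Resources and SqlServer modules are installed and that Connect-AzAccount has already been run.

```powershell
# Added example (not from the discussion): test Azure SQL dynamic data masking
# from PowerShell without parsing the access token on the client.
# Assumes Az.Accounts, Az.Resources and SqlServer are installed and
# Connect-AzAccount has already been run. All values below are placeholders.
param(
    [string]$ServerInstance = 'myserver.database.windows.net',          # placeholder
    [string]$Database       = 'mydb',                                   # placeholder
    [string]$GroupObjectId  = '00000000-0000-0000-0000-000000000000',   # placeholder
    [string]$Query          = 'SELECT TOP (5) * FROM dbo.Customers'     # placeholder
)

# 1. Resolve group membership through Microsoft Graph (Az.Resources wraps it).
#    The access token's claims are not a client-side contract, so membership
#    is looked up here instead of being read out of the token.
$me      = Get-AzADUser -SignedIn
$members = Get-AzADGroupMember -GroupObjectId $GroupObjectId
$inGroup = $members.Id -contains $me.Id
Write-Host "Signed-in user $($me.UserPrincipalName) is in group ${GroupObjectId}: $inGroup"

# 2. Get a token scoped to Azure SQL. Get-AzAccessToken serves it from the
#    MSAL cache until it is close to expiry, so a group change made after the
#    token was issued is not reflected until then. ExpiresOn shows when the
#    cached token will be replaced without any forcing.
$tokenInfo = Get-AzAccessToken -ResourceUrl 'https://database.windows.net/'
Write-Host "Cached SQL token expires at $($tokenInfo.ExpiresOn.ToLocalTime())"

# 3. Query with that token. If the principal is not in a role granted UNMASK,
#    the masked columns come back masked; compare this against $inGroup.
$rows = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database `
    -AccessToken $tokenInfo.Token -Query $Query
$rows | Format-Table -AutoSize
```

Running the script twice around a group change makes the caching behaviour the question is about visible: the Graph lookup reflects the new membership immediately, while the SQL result keeps matching the old membership until the time printed from ExpiresOn has passed. On newer Az.Accounts releases the Token property is returned as a SecureString rather than a plain string, so check the type before passing it to Invoke-Sqlcmd.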