Skip to content

CSR Metadata request acts as a probe for ImdsV2 #5359

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 29 commits into
base: rginsburg/msiv2_feature_branch
Choose a base branch
from
Open

CSR Metadata request acts as a probe for ImdsV2 #5359

wants to merge 29 commits into from
+787 −90

Conversation

Robbie-Microsoft
Copy link
Contributor

@Robbie-Microsoft Robbie-Microsoft commented Jun 23, 2025
edited
Loading

This PR introduces ImdsV2 as a Managed Identity source, and focuses on executing a network request to get metadata to be used in the rest of the flow.

@Robbie-Microsoft Robbie-Microsoft requested a review from a team as a code owner June 23, 2025 21:40
trwalke
trwalke reviewed Jun 26, 2025
View reviewed changes
neha-bhargava
neha-bhargava requested changes Jul 1, 2025
View reviewed changes
Copy link
Contributor

@neha-bhargava neha-bhargava left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to undo the changes to public API to get the managed identity source

@Robbie-Microsoft
Copy link
Contributor Author

Robbie-Microsoft commented Jul 31, 2025
edited
Loading

Need to undo the changes to public API to get the managed identity source

@neha-bhargava: done, after refactoring some code

bgavrilMS
bgavrilMS reviewed Aug 1, 2025
View reviewed changes
bgavrilMS
bgavrilMS reviewed Aug 1, 2025
View reviewed changes
src/client/Microsoft.Identity.Client/ManagedIdentity/ImdsV2ManagedIdentitySource.cs
retryPolicy: retryPolicy)
.ConfigureAwait(false);
}
catch (Exception ex)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe @gladjohn said that probe failure occurs exclusively on 404?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(i.e. delete the catch block)

bgavrilMS
bgavrilMS reviewed Aug 1, 2025
View reviewed changes
src/client/Microsoft.Identity.Client/ManagedIdentity/ImdsV2ManagedIdentitySource.cs
}
}

if (response.StatusCode != HttpStatusCode.OK)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gladjohn to review this. I believe you said probe failure should only happen on 404

Copy link
Contributor

@gladjohn gladjohn Aug 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IF probe returns 404 - then no /metadata endpoint, flows continues with other source detection, if none are found we fallback to IMDS (Kubernetes etc.)

We should pass a "." in the body to the endpoint and if it exists we will get a bad request (400), then we should inspect the header, spec here

We should not throw anywhere if probe fails or if we do not find the endpoint.

something like,

        private bool EvaluateProbeResponse(HttpResponse response)
        {
            if (response == null)
            {
                _logger.Info("[Probe] No response received from the server.");
                return false;
            }

            _logger.Info($"[Probe] Evaluating response from credential endpoint. Status Code: {response.StatusCode}");

            if (response.HeadersAsDictionary.TryGetValue("Server", out string serverHeader) &&
                serverHeader.StartsWith(ImdsHeader, StringComparison.OrdinalIgnoreCase))
            {
                _logger.Info($"[Probe] Credential endpoint supported. Server: {serverHeader}");
                return true;
            }

            _logger.Info($"[Probe] Credential endpoint not supported. Status Code: {response.StatusCode}");
            return false;
        }

bgavrilMS
bgavrilMS reviewed Aug 1, 2025
View reviewed changes
src/client/Microsoft.Identity.Client/ManagedIdentity/ImdsV2ManagedIdentitySource.cs

if (!ValidateCsrMetadataResponse(response, requestContext.Logger, probeMode))
{
return null;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not a good way to fail. Just throw exception like InvalidOperationException or smth

bgavrilMS
bgavrilMS reviewed Aug 1, 2025
View reviewed changes
src/client/Microsoft.Identity.Client/ManagedIdentity/ImdsV2ManagedIdentitySource.cs
string serverHeader = response.HeadersAsDictionary.TryGetValue("server", out var value) ? value : null;
if (serverHeader == null)
{
if (probeMode)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment. ProbeMode only look at 404?

bgavrilMS
bgavrilMS reviewed Aug 1, 2025
View reviewed changes
src/client/Microsoft.Identity.Client/ManagedIdentity/ImdsV2ManagedIdentitySource.cs
);
if (!match.Success || !int.TryParse(match.Groups[1].Value, out int version) || version <= 1324)
{
if (probeMode)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same comment

neha-bhargava
neha-bhargava reviewed Aug 1, 2025
View reviewed changes
src/client/Microsoft.Identity.Client/ManagedIdentityApplication.cs
@@ -55,13 +55,28 @@ public AcquireTokenForManagedIdentityParameterBuilder AcquireTokenForManagedIden
resource);
}

/// <inheritdoc/>
public async Task<ManagedIdentitySource> GetManagedIdentitySourceAsync()
Copy link
Contributor

@neha-bhargava neha-bhargava Aug 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not keep this as static as well. The method to get the source was created static so that Azure Identity can detect if managed identity is available before creating the source. Was this discussed with them?

Copy link
Contributor Author

@Robbie-Microsoft Robbie-Microsoft Aug 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@neha-bhargava, this method passes the Service Bundle through the ManagedIdentityClient's GetManagedIdentitySourceAsync method, and into ImdsV2ManagedIdentitySource, where the csr metadata probe uses things from the Service Bundle: IdType, UserAssignedId, RetryPolicyFactory, HttpManager, Logger, etc.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gladjohn Can you confirm that this would work with Azure Identity? Did you discuss with them?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bgavrilMS bgavrilMS bgavrilMS left review comments

@trwalke trwalke trwalke left review comments

@neha-bhargava neha-bhargava neha-bhargava requested changes

@gladjohn gladjohn Awaiting requested review from gladjohn

Assignees
No one assigned
Labels
Feature Branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Robbie-Microsoft @bgavrilMS @trwalke @neha-bhargava @gladjohn