AAD Authentication using AccessToken #546

paulmey · 2020-01-21T06:50:23Z

Although it leaves room for improvement with respect to convenience from the DSN, this PR implements AAD authentication through access tokens.
To test this implementation, create a SQL Azure database and set yourself as the AAD admin for the database. Then run

az login # if not already logged in
at=$(az account get-access-token --resource https://database.windows.net/ --q accessToken -o tsv)
export SQLSERVER_DSN="sqlserver://srv.database.windows.net?database=db&accesstoken=$at"
go test -v

To use a service principal, grant the service principal access to the database as described in the docs.

At least partially fixes #446

Access token tests can be run by first setting SQLSERVER_DSN="sqlserver://server.database.windows.net?database=testdb&accesstoken=$at" where $at is an access token for https://database.windows.net/ for an SPN/APP that has db_owner role on testdb.

codecov · 2020-01-21T07:48:42Z

Codecov Report

Merging #546 into master will decrease coverage by 0.19%.
The diff coverage is 61.29%.

@@            Coverage Diff            @@
##           master     #546     +/-   ##
=========================================
- Coverage    68.9%   68.71%   -0.2%     
=========================================
  Files          22       23      +1     
  Lines        5068     5187    +119     
=========================================
+ Hits         3492     3564     +72     
- Misses       1370     1410     +40     
- Partials      206      213      +7

Impacted Files	Coverage Δ
conn_str.go	`100% <ø> (ø)`	⬆️
token.go	`54.54% <0%> (-1.37%)`	⬇️
tds.go	`61.03% <66.66%> (+0.69%)`	⬆️
accesstokenconnector.go	`80% <80%> (ø)`

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1d7a30a...6d60088. Read the comment docs.

…ing SSPI when using accesstoken

paulmey · 2020-01-21T21:10:19Z

I'll try to raise code coverage a bit

kardianos

This looks really good. I only have nits.

The only real change I really want is to put a go.mod file in the example folder or at a min in the example/azure-managed-identity folder, so the mssql module doesn't depend on adal.

README.md

accesstokenconnector_test.go

examples/azure-managed-identity/managed_identity.go

tds.go

tds_test.go

token.go

paulmey · 2020-01-31T18:24:11Z

I added a go.mod in the specific example folder and fixed most of the nits. The go.mod in the example need to be removed to make the example work until this gets merged, but hopefully that's only going to be temporary.

mssql: add Azure Active Directory token based login Create a new connector that allows refreshing the access token based on an external identifier.

paulmey added 8 commits December 23, 2019 08:52

[raw] add AAD accesstoken login

d614fbd

Add test for AAD access token login packet

54b0a73

Make FeatureExt implementation more generic

4e90e37

Skip TestBadConnect for access tokens

b60d2f3

Access token tests can be run by first setting SQLSERVER_DSN="sqlserver://server.database.windows.net?database=testdb&accesstoken=$at" where $at is an access token for https://database.windows.net/ for an SPN/APP that has db_owner role on testdb.

Add token provider support

268b769

Add test for access token connect error handling

8f06da4

Add some docs

db55764

Make accesstokenconnector go1.10+

d5a11e5

Add example for managed identity

c2f6103

paulmey changed the title ~~Authenticate to AAD using AccessToken~~ AAD Authentication using AccessToken Jan 21, 2020

Change order of authentication precedence to prevent Windows from try…

c44a572

…ing SSPI when using accesstoken

paulmey mentioned this pull request Jan 22, 2020

Azure Active Directory authentication #548

Closed

kardianos requested changes Jan 30, 2020

View reviewed changes

kardianos mentioned this pull request Jan 30, 2020

Added support for federated authentication to enable Azure AD authentication #547

Open

paulmey added 9 commits January 31, 2020 18:08

rename example

34fc5c0

Add go.mod for AAD example to not pull in adal in main module

7222cad

Remove accesstoken parameter from connection string

a20c29c

Add field names for test case structs

44a597d

remove prepared statement from example

978966b

Use t.Log instead of fmt in tests

f66e8ac

PR review comments

f97dad5

Align field name with other PR

e63b2fe

Improve preloginFEDAUTHREQUIRED field check

632004e

fixup! Remove accesstoken parameter from connection string

6d60088

kardianos approved these changes Jan 31, 2020

View reviewed changes

kardianos merged commit 0f454e2 into denisenkom:master Jan 31, 2020

nikos06 mentioned this pull request Mar 17, 2021

Azure AD authentication / TLS issue #644

Open

This was referenced Jun 25, 2021

Add SqlServer MSI Support samfoxcode/migrate#2

Merged

Add SqlServer MSI Support golang-migrate/migrate#591

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AAD Authentication using AccessToken #546

AAD Authentication using AccessToken #546

paulmey commented Jan 21, 2020 •

edited

Loading

codecov bot commented Jan 21, 2020 •

edited

Loading

paulmey commented Jan 21, 2020

kardianos left a comment

paulmey commented Jan 31, 2020

AAD Authentication using AccessToken #546

AAD Authentication using AccessToken #546

Conversation

paulmey commented Jan 21, 2020 • edited Loading

codecov bot commented Jan 21, 2020 • edited Loading

Codecov Report

paulmey commented Jan 21, 2020

kardianos left a comment

Choose a reason for hiding this comment

paulmey commented Jan 31, 2020

paulmey commented Jan 21, 2020 •

edited

Loading

codecov bot commented Jan 21, 2020 •

edited

Loading