
Issue with TokenLibrary on Synapse - can't authenticate to a normal oauth2 scope

Open dbeavon opened this issue 3 years ago • 3 comments

The NuGet library Microsoft.Spark.Extensions.Azure.Synapse.Analytics.Utils points back to this project so I'm hoping I can get some help with TokenLibrary.

I'd like to connect to resources using the managed identity of Synapse. For some things it is easy (like a keyvault with a linked service in the Synapse workspace).

But if I want to authenticate to some generic scope, like a custom api, or database, then it doesn't seem to work. Here is the scope of my API.

api://d2a88e08-1263-42a6-9d12-01970716ea3e/.default

Here is a database:

https://database.windows.net/.default

I'm trying to authenticate by way of the method "GetAccessToken" like so:

using Microsoft.Spark.Extensions.Azure.Synapse.Analytics.Utils;

string x = TokenLibrary.GetAccessToken(
    resource: @"{""audience"": ""https://database.windows.net/"" }");
Console.WriteLine(x);

That always results in an error like so:

Access token couldn't be obtained Audience has invalid characters: https://database.windows.net/.

I'm not sure what I'm supposed to do for the "audience" value in order to authenticate to a scope using oauth2. There are certain things that work successfully for me, like what you see below. However, when I introduce "api://" or "https://" then it fails.

string x = TokenLibrary.GetAccessToken(
    resource: @"{""audience"": ""storage"" }");
Console.WriteLine(x);

I don't have a long history with ADAL, and I'm guessing that TokenLibrary hasn't been updated for scopes. Please let me know if there is any way to create an access token for a custom api or for database.

dbeavon, Sep 09 '22 18:09
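To confirm which audience a token obtained with a working keyword such as "storage" was actually issued for, its claims can be inspected instead of printing the bearer token itself. The following is an added example, not part of the original post or of the project's code; it assumes the returned token is a JWT, and the helper names and the sample token (including its `aud` value) are constructed for illustration.

```csharp
using System;
using System.Text;
using System.Text.Json;

// Constructed sample token so the example runs offline. In a Synapse notebook,
// replace it with the string returned by TokenLibrary.GetAccessToken(...).
string token = string.Join(".",
    Base64UrlEncode(@"{""alg"":""none"",""typ"":""JWT""}"),
    Base64UrlEncode(@"{""aud"":""https://storage.azure.com/"",""exp"":1662750000}"),
    "constructed-signature");

JsonElement claims = DecodeJwtPayload(token);
string aud = claims.GetProperty("aud").GetString();
DateTimeOffset exp = DateTimeOffset.FromUnixTimeSeconds(claims.GetProperty("exp").GetInt64());

// Print only the claims of interest; the token itself is a bearer credential
// and should stay out of notebook output and logs.
Console.WriteLine("aud = " + aud);
Console.WriteLine("exp = " + exp.ToString("u"));

// Decode the payload (second segment) of a JWT WITHOUT verifying the signature.
// Suitable for inspection only, never for a trust decision.
JsonElement DecodeJwtPayload(string jwt)
{
    string[] parts = jwt.Split('.');
    if (parts.Length != 3)
        throw new FormatException("Expected three dot-separated JWT segments.");
    string json = Encoding.UTF8.GetString(Base64UrlDecode(parts[1]));
    using JsonDocument doc = JsonDocument.Parse(json);
    return doc.RootElement.Clone(); // Clone so the element outlives the document
}

// JWT segments use the URL-safe base64 alphabet with the '=' padding removed.
byte[] Base64UrlDecode(string s)
{
    s = s.Replace('-', '+').Replace('_', '/');
    s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
    return Convert.FromBase64String(s);
}

// Used here only to build the constructed sample token.
string Base64UrlEncode(string s) =>
    Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
        .TrimEnd('=').Replace('+', '-').Replace('/', '_');
```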

I believe that I found the list of "audience" values that are allowed from "GetAccessToken":

https://docs.microsoft.com/en-us/azure/synapse-analytics/spark/microsoft-spark-utilities?pivots=programming-language-csharp#get-token


Unfortunately it doesn't appear that this functionality is going to allow me to authenticate for a generic scope. This TokenLibrary seems very limited. If I find another option, I will try to circle back and update this issue with more information.

dbeavon, Sep 09 '22 20:09

@dbeavon As of today TokenLibrary doesn't provide tokens for custom APIs or databases. If you have this as a feature request, please feel free to ask on the Synapse support channel ([email protected]) and the right people can help answer your queries or provide more information.

Niharikadutta, Sep 13 '22 23:09

As this is not directly in scope of .NET for Apache Spark, is it ok if we close this issue? cc: @dbeavon

Niharikadutta, Sep 13 '22 23:09