
Enable token encryption on macOS #27176

Open
glyph opened this issue Aug 15, 2023 · 5 comments
Labels: Account (az login/account), Auto-Assign (Auto assign by bot), Auto-Resolve (Auto resolve by bot), Azure CLI Team (The command of the issue is owned by Azure CLI team), customer-reported (Issues that are reported by GitHub users external to the Azure organization), Feature Candidate, feature-request

Comments

@glyph

glyph commented Aug 15, 2023

Describe the bug

By default, on macOS, azure login places its OAuth tokens in .azure/msal_token_cache.json.

The only documentation for how to protect the tokens using Keychain appears to be in the code here:

import sys

def should_encrypt_token_cache(cli_ctx):
    # Only enable encryption for Windows (for now).
    fallback = sys.platform.startswith('win32')
    # EXPERIMENTAL: Use core.encrypt_token_cache=False to turn off token cache encryption.
    # encrypt_token_cache affects both MSAL token cache and service principal entries.
    encrypt = cli_ctx.config.getboolean('core', 'encrypt_token_cache', fallback=fallback)
    return encrypt

The comment here is misleading, as it says "EXPERIMENTAL: Use core.encrypt_token_cache=False to turn off token cache encryption." as if the default value is True, but it's actually False.

At least, encrypt_token_cache does not appear in the list of "core" configuration values here:

https://learn.microsoft.com/en-us/cli/azure/azure-cli-configuration#cli-configuration-values-and-environment-variables

MSAL for Python also gives a somewhat misleading summary of its security properties, as it says:

https://github.com/AzureAD/microsoft-authentication-extensions-for-python#microsoft-authentication-extensions-for-python

MAC - The MAC KeyChain is used.

Which is not true in the configuration in which the Azure CLI actually uses it.

Finally, once encrypt_token_cache is set to true, the keychain service name and account name are set to "my_service_name" and "my_account_name" here:

return KeychainPersistence(location, "my_service_name", "my_account_name")

I verified that this is actually how it's stored in Keychain Access:

image

Related command

az login

Errors

No errors.

Issue script & Debug output

No relevant debug output.

Expected behavior

In general the credential storage situation just ought to be tightened up:

  • encryption / storage in macOS keychain should be the default
  • encrypt_token_cache ought to be documented
  • credential labels seem inappropriately generic, and it should say something more like a service name of "Azure CLI" and an account name of the user's email address.
  • credentials also really ought to be stored in separate keychain items so that applications can be granted access control to, for example, test credentials without granting them access to production credentials in the same keychain.

There's also the msal_http_cache.bin file which contains cookies and stuff, which maybe should also be encrypted somewhere; I don't know the privilege level of these cookies but it seems relevant to look at them.

Environment Summary

azure-cli                         2.50.0 *

core                              2.50.0 *
telemetry                          1.0.8 *

Dependencies:
msal                              1.22.0
azure-mgmt-resource             23.1.0b2

Python location '/opt/homebrew/Cellar/azure-cli/2.50.0_1/libexec/bin/python'
Extensions directory '/Users/glyph/.azure/cliextensions'

Python (Darwin) 3.10.12 (main, Jun 20 2023, 19:43:52) [Clang 14.0.3 (clang-1403.0.22.14.1)]

Legal docs and information: aka.ms/AzureCliLegal


Additional context

I am filing this as a regular bug and not as a security issue because I don't see an exploit here per se, and the tools don't directly claim any security properties that are subverted by this misconfiguration.

@glyph glyph added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Aug 15, 2023
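As an added example (not Azure CLI or MSAL code, and not part of the issue), the following script makes the report above checkable on your own machine: it re-implements the default-selection logic quoted from should_encrypt_token_cache() over a plain configparser (an assumption: the real code reads cli_ctx.config, which wraps the same INI file under ~/.azure/config) and then inspects the file the issue names, ~/.azure/msal_token_cache.json, for credential sections that are readable as plaintext JSON. The sample config and cache contents are constructed; the section names AccessToken, RefreshToken and IdToken are the top-level keys of MSAL's JSON cache format.

```python
"""Audit an Azure CLI token cache on disk for plaintext credentials.

Added example; not Azure CLI or MSAL code. The platform string is a parameter
so the default-selection decision can be examined for any platform, not only
the one the script runs on.
"""
import configparser
import json
import sys
from pathlib import Path

# Credential sections of MSAL's JSON token-cache document.
SECRET_SECTIONS = ("AccessToken", "RefreshToken", "IdToken")


def encryption_expected(config_text: str, platform: str) -> bool:
    """Mirror the quoted logic: encryption is on by default only for win32,
    and core.encrypt_token_cache overrides that default when present.
    Assumption: a plain configparser stands in for cli_ctx.config."""
    fallback = platform.startswith("win32")
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    return cfg.getboolean("core", "encrypt_token_cache", fallback=fallback)


def plaintext_sections(cache_bytes: bytes) -> list:
    """Return the credential sections readable as plaintext JSON.

    An encrypted cache, or anything that is not a JSON object, yields []."""
    try:
        doc = json.loads(cache_bytes.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return []
    if not isinstance(doc, dict):
        return []
    return [name for name in SECRET_SECTIONS if doc.get(name)]


def audit(config_text: str, cache_bytes: bytes, platform: str) -> dict:
    """Combine both checks into one finding."""
    found = plaintext_sections(cache_bytes)
    return {
        "encryption_expected": encryption_expected(config_text, platform),
        "plaintext_sections": found,
        "at_risk": bool(found),
    }


# Constructed sample inputs: a config with no core.encrypt_token_cache entry
# and a cache shaped like the unencrypted MSAL JSON format.
SAMPLE_CONFIG = "[core]\noutput = json\n"
SAMPLE_CACHE = json.dumps({
    "AccessToken": {"constructed-key": {"secret": "constructed-access-token"}},
    "RefreshToken": {"constructed-key": {"secret": "constructed-refresh-token"}},
    "Account": {"constructed-key": {"username": "user@example.com"}},
}).encode("utf-8")


def audit_local(azure_dir: Path = None) -> dict:
    """Run the audit against the real files under ~/.azure, if present."""
    if azure_dir is None:
        azure_dir = Path.home() / ".azure"
    config_path = azure_dir / "config"
    cache_path = azure_dir / "msal_token_cache.json"
    config_text = config_path.read_text() if config_path.exists() else ""
    cache_bytes = cache_path.read_bytes() if cache_path.exists() else b""
    return audit(config_text, cache_bytes, sys.platform)


if __name__ == "__main__":
    # The constructed macOS case: encryption not expected, secrets readable.
    print(json.dumps(audit(SAMPLE_CONFIG, SAMPLE_CACHE, "darwin"), indent=2))
    # The same check against this machine's own Azure CLI state.
    print(json.dumps(audit_local(), indent=2))
```

Running it on a macOS host with a default configuration reproduces the issue's finding: encryption_expected is False and at_risk is True whenever the cache holds tokens. A non-empty plaintext_sections list on any platform where encryption_expected is True would indicate the setting is not taking effect and is worth a closer look.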
@azure-client-tools-bot-prd

Hi @glyph,

2.50.0 is not the latest Azure CLI (2.51.0).

Please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

@azure-client-tools-bot-prd azure-client-tools-bot-prd bot added the Auto-Resolve Auto resolve by bot label Aug 15, 2023
@yonzhan
Collaborator

yonzhan commented Aug 15, 2023

Thank you for opening this issue, we will look into it.

@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot Account az login/account labels Aug 15, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Aug 15, 2023
@yonzhan yonzhan removed the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Aug 15, 2023
@yonzhan yonzhan added this to the Backlog milestone Aug 15, 2023
@jiasli jiasli changed the title on macOS, client credentials are stored plaintext, encryption is undocumented, and when it's turned on the service and account names are inappropriately generic Enable token encryption on macOS Aug 18, 2023
@jiasli jiasli added Feature Candidate feature-request and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Aug 18, 2023
@jiasli
Member

jiasli commented Aug 18, 2023

Currently Azure CLI doesn't support token encryption on macOS and Linux (#23495). I am marking this issue as a Feature Candidate.

There is a draft work #20636 to support token encryption on macOS, but currently there is no ETA.

The only documentation for how to protect the tokens using Keychain appears to be in the code here

This is merely Azure CLI's source code. It is not public documentation.

At least, encrypt_token_cache does not appear in the list of "core" configuration values here

This is expected, as core.encrypt_token_cache is only used to disable token cache in some edge cases on Windows. Using it to enable token encryption on macOS or Linux is not supported.

@joergjo

joergjo commented Apr 4, 2024

@jiasli #20636 refers to a pull request that hasn't been merged for quite some time. Will it be merged and made available in an upcoming release or is that blocked?

@muxmuse

muxmuse commented Apr 8, 2024

The discussion in PR #20636 assumes an implementation using Apple Keyring / Keychain. One could instead allow configuration of an arbitrary password management command. This would allow Linux and Mac users to encrypt their tokens.
