dotnet / spark

.NET for Apache® Spark™ makes Apache Spark™ easily accessible to .NET developers.

Home Page: https://dot.net/spark

Issue with TokenLibrary on Synapse - can't authenticate to a normal oauth2 scope

dbeavon opened this issue · comments

The nuget library Microsoft.Spark.Extensions.Azure.Synapse.Analytics.Utils points back to this project so I'm hoping I can get some help with TokenLibrary.

I'd like to connect to resources using the managed identity of Synapse. For some things it is easy (like a Key Vault with a linked service in the Synapse workspace).

But if I want to authenticate to some generic scope, like a custom API or database, then it doesn't seem to work. Here is the scope of my API.

api://d2a88e08-1263-42a6-9d12-01970716ea3e/.default

Here is a database:

https://database.windows.net/.default

I'm trying to authenticate by way of the method "GetAccessToken" like so:

using Microsoft.Spark.Extensions.Azure.Synapse.Analytics.Utils;

string x = TokenLibrary.GetAccessToken( resource: @"{""audience"": ""https://database.windows.net/"" }");
Console.WriteLine(x);

That always results in an error like so:
Access token couldn't be obtained
Audience has invalid characters: https://database.windows.net/.

I'm not sure what I'm supposed to do for the "audience" value in order to authenticate to a scope using OAuth2. There are certain things that work successfully for me, like what you see below. However, when I introduce "api://" or "https://" then it fails.

string x = TokenLibrary.GetAccessToken( resource: @"{""audience"": ""storage"" }");
Console.WriteLine(x);

I don't have a long history with ADAL, and I'm guessing that TokenLibrary hasn't been updated for scopes. Please let me know if there is any way to create an access token for a custom API or for a database.

I believe that I found the list of "audience" values that are allowed from "GetAccessToken":

https://docs.microsoft.com/en-us/azure/synapse-analytics/spark/microsoft-spark-utilities?pivots=programming-language-csharp#get-token

Unfortunately it doesn't appear that this functionality is going to allow me to authenticate for a generic scope. This TokenLibrary seems very limited. If I find another option, I will try to circle back and update this issue with more information.

@dbeavon As of today TokenLibrary doesn't provide tokens for custom APIs or databases. If you have this as a feature request, please feel free to ask on the Synapse support channel (azuresynapsediscussion@service.microsoft.com), and the right people can help answer your queries or provide more information.

As this is not directly in scope of .NET for Apache Spark, is it OK if we close this issue? cc: @dbeavon