Add | Add Workload Identity Support

[wsugarman]

Resolves #2158

In this pull request, I make two changes:

1. Use the User Id as the Client Id for workload identity if specified when using Authentication = Active Directory Default
2. Add a new value ActiveDirectoryWorkloadIdentity for the enum SqlAuthenticationMethod that operates very similarly to ActiveDirectoryManagedIdentity except that it uses WorkloadIdentityCredential instead.
   • Like with managed identities, it will use the value of the User Id parameter in the connection string for its Client Id if specified. But unlike managed identity, WorkloadIdentityCredentialOptions defaults its value from environment variables: AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_FEDERATED_TOKEN_FILE. As of writing this description, only the Client Id may be overridden by the connection string.

[wsugarman]

I still need to write test cases for auth when the test environment supports workload identity, but I need to do more research in how to write that.

[H-Yeo]

Sorry, kind of new here, but do you have an update on this? It's 2 months old.

[David-Engel]

Our automated test environment is unlikely to ever support workload identity unless there is a way to emulate it without setting up an expensive Kubernetes environment.

@wsugarman - Do you think that (emulation) could ever happen?

Either way, I'm okay with manual testing of this feature for now.

[wsugarman]

I'm unaware of any existing emulation of workload identity, but perhaps it may make its way into other AKS-based offerings that could be simpler to set-up, like Azure Container Apps? I think in the meantime, without AKS, it will need to be manually tested

[wsugarman]

Please let me know if you have any additional questions or asks. My team has actually been using our own SQL authentication provider in AKS using similar logic to that included in the PR.

[wsugarman]

Some of the properties are initialized using environment variables: https://github.com/Azure/azure-sdk-for-net/blob/99cc57c41c7fa2a3df564ad0c6a745c001cd4517/sdk/identity/Azure.Identity/src/Credentials/WorkloadIdentityCredentialOptions.cs#L13

[cheenamalhotra]

If this is documented well, it should work I suppose. I'll let @David-Engel take final call to review if this feature fits well in the AAD stack potentially in sync with other drivers as well.

[codecov]

Codecov Report

Attention: 18 lines in your changes are missing coverage. Please review.

Comparison is base (4203237) 72.58% compared to head (139bbd6) 72.40%.

Files	Patch %	Lines
...SqlClient/ActiveDirectoryAuthenticationProvider.cs	41.66%	7 Missing ⚠️
...nt/netfx/src/Microsoft/Data/SqlClient/TdsParser.cs	0.00%	4 Missing ⚠️
.../netcore/src/Microsoft/Data/SqlClient/TdsParser.cs	0.00%	2 Missing ⚠️
...ent/SqlAuthenticationProviderManager.NetCoreApp.cs	0.00%	1 Missing ⚠️
...core/src/Microsoft/Data/SqlClient/SqlConnection.cs	85.71%	1 Missing ⚠️
...Data/SqlClient/SqlAuthenticationProviderManager.cs	50.00%	1 Missing ⚠️
...etfx/src/Microsoft/Data/SqlClient/SqlConnection.cs	85.71%	1 Missing ⚠️
...rc/Microsoft/Data/SqlClient/SqlConnectionString.cs	50.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2159      +/-   ##
==========================================
- Coverage   72.58%   72.40%   -0.19%     
==========================================
  Files         309      309              
  Lines       61959    62003      +44     
==========================================
- Hits        44975    44894      -81     
- Misses      16984    17109     +125     

Flag	Coverage Δ
addons	92.88% <ø> (ø)
netcore	76.51% <62.50%> (-0.31%)	⬇️
netfx	69.92% <61.11%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[JRahnama]

@wsugarman,I have not investigated the details yet, but couldn’t’ve achieved this by setting a custom provider? I will dig deeper into this next week, but do we have to add every possible scenario to the driver?

[wsugarman]

@wsugarman,I have not investigated the details yet, but couldn’t’ve achieved this by setting a custom provider? I will dig deeper into this next week, but do we have to add every possible scenario to the driver?

I had no idea this API existed 😅 This would be a great workaround!
I do think the library will benefit from including it in the driver as it replaces more and more managed identity scenarios.

[David-Engel]

In addition to creating a custom provider that overrides existing authentication options, there is a new, simpler AccessTokenCallback property added in 5.2 preview 3 that makes implementing new token authentication methods much easier. (Not quite as easy as a connection string adjustment, but a-few-lines-of-code easy.)

using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;
...

            string s_defaultScopeSuffix = "/.default";
            DefaultAzureCredentialOptions options = new()
            {
                //set your options here
                ExcludeAzureCliCredential = true,
                ExcludeVisualStudioCredential = true
            };
            var cred = new DefaultAzureCredential(options);
            Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticationToken>> myTokenCallback = async (ctx, cancellationToken) =>
            {
                string scope = ctx.Resource.EndsWith(s_defaultScopeSuffix) ? ctx.Resource : ctx.Resource + s_defaultScopeSuffix;
                AccessToken token = await cred.GetTokenAsync(new TokenRequestContext(new[] { scope }), cancellationToken);
                return new SqlAuthenticationToken(token.Token, token.ExpiresOn);
            };

            using (SqlConnection sqlConnection = new SqlConnection("Server=name.database.windows.net;Database=db;"))
            {
                sqlConnection.AccessTokenCallback = myTokenCallback;
                sqlConnection.Open();
                Console.WriteLine("Connected successfully!");
            }

[wsugarman]

In addition to creating a custom provider that overrides existing authentication options, there is a new, simpler AccessTokenCallback property added in 5.2 preview 3 that makes implementing new token authentication methods much easier. (Not quite as easy as a connection string adjustment, but a-few-lines-of-code easy.)

using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;
...

            string s_defaultScopeSuffix = "/.default";
            DefaultAzureCredentialOptions options = new()
            {
                //set your options here
                ExcludeAzureCliCredential = true,
                ExcludeVisualStudioCredential = true
            };
            var cred = new DefaultAzureCredential(options);
            Func<SqlAuthenticationParameters, CancellationToken, Task<SqlAuthenticationToken>> myTokenCallback = async (ctx, cancellationToken) =>
            {
                string scope = ctx.Resource.EndsWith(s_defaultScopeSuffix) ? ctx.Resource : ctx.Resource + s_defaultScopeSuffix;
                AccessToken token = await cred.GetTokenAsync(new TokenRequestContext(new[] { scope }), cancellationToken);
                return new SqlAuthenticationToken(token.Token, token.ExpiresOn);
            };

            using (SqlConnection sqlConnection = new SqlConnection("Server=name.database.windows.net;Database=db;"))
            {
                sqlConnection.AccessTokenCallback = myTokenCallback;
                sqlConnection.Open();
                Console.WriteLine("Connected successfully!");
            }

Oh! That will be great! So, it will join the existing AccessToken property, but this will be a more generic callback complete with the auth parameters from the connection string?

That will be super helpful, but I still think a common scenario like workload identity will warrant inclusion in the driver. Otherwise, users will have to create the same workload identity SqlAuthenticationProvider or likely create some abstraction around SqlConnection that automatically assigns the AccessTokenCallback if there a lot of places in the codebase where a SqlConnection is created and opened.

[David-Engel]

Oh! That will be great! So, it will join the existing AccessToken property, but this will be a more generic callback complete with the auth parameters from the connection string?

Yes. The AccessToken property suffers from some major drawbacks that affect connection pooling:

• SqlClient doesn't know when the token will expire, resulting in errors when a connection with an expired token is obtained from the connection pool.
• Since it's part of the pool key, if you set min pool size, those min connections will never be automatically cleaned up unless ClearPool() or ClearAllPools() is called.

The callback gives SqlClient the expiration date and allows it to get a new token when a new physical connection is required, just like the built-in methods.

That will be super helpful, but I still think a common scenario like workload identity will warrant inclusion in the driver. Otherwise, users will have to create the same workload identity SqlAuthenticationProvider or likely create some abstraction around SqlConnection that automatically assigns the AccessTokenCallback if there a lot of places in the codebase where a SqlConnection is created and opened.

Oh definitely. It's just difficult to keep up with all the new Azure AD authentication methods they keep coming up with. So a generic method at least takes the pressure off implementing every new one ASAP. You can write a wrapper around SqlConnection to authenticate however you want and still have connection pooling work correctly.

[H-Yeo]

Sorry, kind of new here, but do you have an update on this? It's 2 months old.

[wsugarman]

@JRahnama - Thanks for merging it!