AzureCredential credential sequence and flow
The AzureCredential tries the following credential sources, in this order:
- Environment - see the Azure Identity README for the environment variables it reads: https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#environment-variables
- Workload Identity
- Managed Identity
- Visual Studio
- Visual Studio Code
- Azure CLI
- Azure PowerShell
- Azure Developer CLI
- Interactive browser
As shown in the graphic above, the API server calls the AKS webhook server and performs the following steps:
- kubectl uses the Microsoft Entra client application to sign in users with the OAuth 2.0 device authorization grant flow.
- Microsoft Entra ID provides an access_token, id_token, and a refresh_token.
- The user makes a request to kubectl with an access_token from kubeconfig.
- kubectl sends the access_token to the API Server.
- The API Server is configured with the Auth WebHook Server to perform validation.
- The authentication webhook server confirms the JSON Web Token signature is valid by checking the Microsoft Entra public signing key.
- The server application uses user-provided credentials to query group memberships of the logged-in user from the MS Graph API.
- A response is sent to the API Server with user information such as the user principal name (UPN) claim of the access token, and the group membership of the user based on the object ID.
- The API performs an authorization decision based on the Kubernetes Role/RoleBinding.
- Once authorized, the API server returns a response to kubectl.
- kubectl provides feedback to the user.