Skip to content

Add support for sending X5C when using a service principal with certificate for authentication#1666

Merged
mjcheetham merged 5 commits intogit-ecosystem:mainfrom
spongemike2:mlyons
Jul 19, 2024
Merged

Add support for sending X5C when using a service principal with certificate for authentication#1666
mjcheetham merged 5 commits intogit-ecosystem:mainfrom
spongemike2:mlyons

Conversation

@spongemike2
Copy link
Copy Markdown

@spongemike2 spongemike2 commented Jul 18, 2024

When using a service principal with certificate authentication, every time the certificate is renewed, the new certificate needs to be uploaded to the service principal's AAD app registration in order for authentication to continue to work.

However, a technology called "X5C" has made this unnecessary by allowing any certificate, with a specific subject, issued by a known, trusted, predetermined CA, to be used.

For this to work, the AAD app registration's manifest needs to be updated to reflect the subject name, and during authentication, the request for "X5C" authentication needs to be sent along with the certificate's signature.

This change enables that to take place.

spongyryno
spongyryno reviewed Jul 18, 2024
View reviewed changes
Copy link
Copy Markdown

@spongyryno spongyryno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should version be removed?

mjcheetham
mjcheetham requested changes Jul 18, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@mjcheetham mjcheetham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for this addition! Just a few things please:

  • address the comment about parsing the config values
  • drop the VERSION file change
  • please can you also add docs for the GCM_AZREPOS_SP_CERT_SEND_X5C and credential.azreposServicePrincipalCertificateSendX5C settings to the corresponding markdown docs in /docs!

😄

copiden

This comment was marked as spam.

Sign in to view

mjcheetham
mjcheetham approved these changes Jul 19, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@mjcheetham mjcheetham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great stuff! Thank you!

@mjcheetham mjcheetham merged commit 1d06bd5 into git-ecosystem:main Jul 19, 2024
@spongemike2 spongemike2 deleted the mlyons branch September 4, 2024 20:06
@mjcheetham mjcheetham mentioned this pull request Sep 30, 2024
Merged
mjcheetham pushed a commit that referenced this pull request Sep 30, 2024
Release GCM 2.6 (#1712)
3c28096 
**Changes:**

- Drop no longer needed workflows (#1659)
- Documentation fixes (#1664, #1697)
- Configurable GPG store path via Git config (#1698)
- Fix Visual Studio build problems and update dependencies (#1711)
- Support sending X5C with certificate auth (#1666)
@github-actions github-actions bot mentioned this pull request Sep 30, 2024
Closed
kamsatantalani19
kamsatantalani19 reviewed Dec 30, 2024
View reviewed changes
src/shared/Microsoft.AzureRepos/AzureReposHostProvider.cs

This comment was marked as outdated.

Sign in to view

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mjcheetham mjcheetham mjcheetham approved these changes

+3 more reviewers

@spongyryno spongyryno spongyryno left review comments

@copiden copiden copiden left review comments

@kamsatantalani19 kamsatantalani19 kamsatantalani19 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@spongemike2 @mjcheetham @spongyryno @copiden @kamsatantalani19 @calebglawson0628-jpg