…179) Adds certificate-based and client-secret confidential client auth modes for enterprise Azure AD tenants where 'Allow public client flows' is disabled. Public client flow (existing default) is unchanged when no new config is set. New optional Profile fields: client_secret, client_certificate_path, client_certificate_key_path. When certificate paths are set, authenticate_oidc sends a signed RS256 JWT client_assertion (x5t thumbprint, 5-min lifetime) instead of relying on public client flow. When only client_secret is set, it is injected as a standard confidential client secret.
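The certificate mode this commit describes, as an added example that is not the project's code: it builds the RS256 `client_assertion` with the `x5t` header and 5-minute lifetime using the `cryptography` library, signs it with a constructed self-signed certificate (the in-process equivalent of the openssl step the wizard gives), and then checks the assertion the way a token endpoint would. The client ID and tenant ID used when calling it are placeholders, and `make_test_identity`, `build_client_assertion` and `verify_client_assertion` are names chosen here, not functions of the project.

```python
"""Added example, not the project's code: build and check the RS256 client_assertion
JWT that a certificate-based confidential client presents to the Entra ID token endpoint."""
import base64
import datetime
import hashlib
import json
import time
import uuid

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# RFC 7523 assertion type; posted in the token request form next to the assertion itself
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
ASSERTION_LIFETIME_SECONDS = 300  # 5-minute lifetime, as the commit message states


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x5t_thumbprint(cert: x509.Certificate) -> str:
    """x5t header value: base64url(SHA-1(DER certificate)), RFC 7515 section 4.1.7.
    SHA-1 here only identifies which registered certificate to verify against."""
    return b64url(cert.fingerprint(hashes.SHA1()))  # noqa: S303


def der_sha1_thumbprint(cert: x509.Certificate) -> str:
    """Same value computed from the raw DER bytes, to show what x5t actually is."""
    return b64url(hashlib.sha1(cert.public_bytes(serialization.Encoding.DER)).digest())  # noqa: S324


def make_test_identity():
    """Constructed self-signed certificate and key (stands in for the openssl-generated files
    that client_certificate_path / client_certificate_key_path would point at)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example-confidential-client")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder().subject_name(name).issuer_name(name)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return cert, key


def _segment(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def build_client_assertion(cert, key, client_id: str, token_endpoint: str, now=None) -> str:
    """Compact JWS header.claims.signature, signed RS256 (RSASSA-PKCS1-v1_5 with SHA-256)."""
    issued = int(time.time() if now is None else now)
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t_thumbprint(cert)}
    claims = {
        "aud": token_endpoint,     # the endpoint that will consume the assertion
        "iss": client_id,          # issuer and subject are both the application (client) ID
        "sub": client_id,
        "jti": str(uuid.uuid4()),  # unique per assertion so the endpoint can reject replays
        "nbf": issued,
        "exp": issued + ASSERTION_LIFETIME_SECONDS,
    }
    signing_input = f"{_segment(header)}.{_segment(claims)}"
    signature = key.sign(signing_input.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return f"{signing_input}.{b64url(signature)}"


def token_request_form(client_id: str, assertion: str, scope: str) -> dict:
    """Form fields the confidential client posts along with the grant-specific parameters."""
    return {"client_id": client_id, "client_assertion_type": CLIENT_ASSERTION_TYPE,
            "client_assertion": assertion, "scope": scope}


def decode_segment(token: str, index: int) -> dict:
    return json.loads(b64url_decode(token.split(".")[index]))


def verify_client_assertion(token: str, cert: x509.Certificate, expected_aud: str, now=None) -> bool:
    """What the token endpoint does: x5t selects the registered certificate, the signature
    must verify under its key, and the audience and nbf/exp window must hold."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, claims_b64, sig_b64 = parts
    header, claims = decode_segment(token, 0), decode_segment(token, 1)
    if header.get("alg") != "RS256" or header.get("x5t") != x5t_thumbprint(cert):
        return False
    try:
        cert.public_key().verify(b64url_decode(sig_b64), f"{header_b64}.{claims_b64}".encode("ascii"),
                                 padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False
    current = int(time.time() if now is None else now)
    return claims.get("aud") == expected_aud and claims.get("nbf", 0) <= current < claims.get("exp", 0)
```

The verifier side is included because it makes the design visible: `x5t` is only a lookup key for the registered certificate, the RSA signature is what proves possession of the private key, and the short `exp` plus unique `jti` bound the damage if an assertion is captured in transit.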
When provider domain resolves to azure, the wizard now asks the user to choose between public client (existing default), client secret, or certificate-based confidential client. Certificate mode includes inline instructions for generating a self-signed cert with openssl. Config round-trips correctly on re-run (existing values used as defaults).
Adds Section 5 covering both client secret and certificate-based confidential client setup, updates Step 4.2 to explain the public vs confidential client choice rather than blindly enabling public flows, updates the wizard prompt example in Section 8, adds troubleshooting entry for AADSTS7000218, and revises security best practices to recommend certificate auth for production.
…isplay
- package.py: export client_certificate_path/key_path or client_secret to config.json when packaging a profile
- test.py: display Azure auth mode (certificate, client secret, or public client) in test command output
- credential_provider: read client secret from keyring at runtime when azure_auth_mode == "secret"; add --set-client-secret flag for end-user and MDM provisioning
- init.py: write secret to keyring during wizard, never to config; store azure_auth_mode field instead
- package.py: write azure_auth_mode to config.json; remove client_secret
- test.py: use azure_auth_mode from config for auth mode display
- config.py: add azure_auth_mode field to Profile
- docs: update entra-id-setup.md with per-user distribution steps and secret rotation guidance; add --set-client-secret to CLI_REFERENCE.md
…ient Using "Mobile and desktop applications" platform causes Azure AD to skip client credential enforcement, making confidential client auth appear to succeed without a valid secret or certificate. Added explicit instructions to use "Web" platform for confidential client setups, updated the verification checklist, and added a troubleshooting entry for the silent success symptom.
| private_key = serialization.load_pem_private_key(key_pem, password=None) | ||
|
|
||
| # SHA-1 thumbprint of the DER-encoded certificate (x5t header) | ||
| thumbprint = cert.fingerprint(hashes.SHA1()) # noqa: S303 # nosec B303 # nosemgrep: python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1 — required by OIDC spec (x5t) |
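Review bot: the suppression comment on the thumbprint line attributes the SHA-1 requirement to "the OIDC spec", but the `x5t` header is defined by JWS (RFC 7515, section 4.1.7) as the base64url-encoded SHA-1 of the DER certificate; citing that, and stating that the hash only identifies which registered certificate to check against rather than serving as an integrity primitive, would make the `noqa`/`nosec`/`nosemgrep` trio defensible to the next reader who trips the Semgrep warning. Also, `load_pem_private_key(key_pem, password=None)` means an encrypted PEM key raises instead of being usable, so the key file referenced by `client_certificate_key_path` must sit unencrypted on disk with its file permissions as the only protection; either document that in the setup guide or accept an optional passphrase.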
Check warning (Code scanning / Semgrep OSS): python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1
Issue #, if available: #179
Description of changes:
Extends the Entra ID authentication flow with two new modes alongside the existing public client:
The setup wizard (init) prompts for the auth mode and stores the choice in the profile. The package command exports cert paths so packaged distributions can be pre-configured for certificate auth. Tests and Entra ID setup documentation updated accordingly.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.