saryeHaddadi commented on issue #4096: URL: https://github.com/apache/arrow-rs/issues/4096#issuecomment-1518339681
I'd like to share my research in case it helps. My conclusion is that, in the HTTP call below, one needs to pass in a "resource" instead of a "scope". This can be done by extracting the resource from the scope (see `_scopes_to_resource()` mentioned above).

- https://github.com/apache/arrow-rs/blob/master/object_store/src/azure/credential.rs#L427

How I reached that conclusion.

### First, what is the definition of a scope

> In OAuth 2.0, scopes and permissions are used interchangeably to define the level of access that a client has to a protected resource. Scopes are used to specify the level of access that a client has to a protected resource, but they do not provide the granularity necessary to define what the client can do with that resource. Permissions are represented as string values and are used by an app to request the permissions it needs by specifying them in the scope query parameter.
>
> In other words, scopes are per client app while permissions are per user. For example, one client app can have a scope(s) to access certain API(s), but the users of this client app will have different permissions in this API based on their roles.

Scope examples:

- `User.Read.All`, `Directory.ReadWrite.All`
- There are some "well-known" scopes like `email`, `profile`
- And (in Azure at least) `.default`

Sources:

1. [learn.microsoft.com](https://learn.microsoft.com/EN-US/azure/active-directory/develop/scopes-oidc)
2. [permit.io](https://www.permit.io/blog/oauth2-scopes-for-authz)
3. [stackoverflow.com](https://stackoverflow.com/questions/48351332/oauth-scopes-and-application-roles-permissions)
4. [stackoverflow.com](https://stackoverflow.com/questions/60942114/oauth-2-0-jwt-guidance-about-when-to-use-scope-vs-roles)

### What is the `.default` scope

→ See the Microsoft [documentation](https://learn.microsoft.com/en-us/azure/active-directory/develop/scopes-oidc#the-default-scope). In particular, it states how to reference the `.default` scope from a `resource`.

> The scope parameter value is constructed by using the identifier URI for the resource and `.default`, separated by a forward slash (`/`). For example, if the resource's identifier URI is `https://contoso.com`, the scope to request is `https://contoso.com/.default`.

So I understand that scopes and resources are two different kinds of objects. Now I'd like to confirm how, from a `resource identifier`, I can construct a `scope`. [link to doc](https://learn.microsoft.com/EN-US/azure/active-directory/develop/consent-types-developer#requesting-individual-user-consent)

> The scope parameter is a space-separated list of delegated permissions that the application is requesting. Each permission is indicated by appending the permission value to the resource's identifier (the application ID URI).

[Example 1](https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-v1-app-scopes#scopes-to-request-access-to-specific-oauth2-permissions-of-a-v10-application)

> var scopes = new [] { ResourceId+"/user_impersonation"};

[Example 2](https://learn.microsoft.com/EN-US/azure/active-directory/develop/consent-types-developer#requesting-individual-user-consent)

> GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
> client_id=6731de76-14a6-49ae-97bc-6eba6914391e
> &response_type=code
> &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
> &response_mode=query
> &**scope= https%3A%2F%2Fgraph.microsoft.com%2Fcalendars.read%20 <---- '%20' : space-separated list
> https%3A%2F%2Fgraph.microsoft.com%2Fmail.send**
> &state=12345

### When using a Managed Identity, how to get an Access Token

An app is deployed on a VM, and an identity (= a service principal) is given to the VM. The app doesn't need to have its own service principal, but can ask to get authorized with the same rights as the VM. For that, the app needs to query the Azure Instance Metadata Service (IMDS).

> IMDS is a REST API that's available at a well-known, non-routable IP address (169.254.169.254). You can only access it from within the VM.

This IMDS service exposes a number of APIs, among them the `/identity/oauth2/token` API. As per the documentation, this API accepts a `resource` parameter, but does not accept a `scope` parameter. See the [Swagger spec](https://github.com/Azure/azure-rest-api-specs/tree/main/specification/imds/data-plane/Microsoft.InstanceMetadataService/stable/2019-08-01) for the IMDS API, version 2019-08-01.

- imds.json L109-114: "This is the urlencoded identifier URI of the sink resource for the requested Azure AD token." => Not a scope.
- examples/GetIdentityToken.json: The resource parameter is not given a scope, but a resource.

Related readings:

1. [learn.microsoft.com - Instance Metadata Service](https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=windows)
2. [learn.microsoft.com - Get a Token using HTTP](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http)

Also, from the source code, [this call](https://github.com/apache/arrow-rs/blob/master/object_store/src/azure/credential.rs#L332-L346) passes a scope value to a `scope` argument, while [that call](https://github.com/apache/arrow-rs/blob/master/object_store/src/azure/credential.rs#L425-L428) passes a scope value to a `resource` argument; here is the issue.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
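The scope-to-resource extraction and the IMDS `resource` parameter discussed in the comment above, as an added example in Rust; this is not code from arrow-rs or from the commenter. It generalizes the `/.default` case to any scope whose last path segment is the permission (as the quoted docs describe), and assumes IMDS is reached at `http://169.254.169.254/metadata/identity/oauth2/token` with API version 2019-08-01 and a `Metadata: true` request header. The function names `scope_to_resource`, `resource_to_default_scope`, `url_encode` and `imds_token_url` are this example's own.

```rust
// Added example (not arrow-rs code): turn an OAuth2 scope into the `resource`
// value the IMDS token endpoint expects, and back again.

/// Assumed IMDS token endpoint and API version (see the Swagger spec linked above).
pub const IMDS_TOKEN_ENDPOINT: &str = "http://169.254.169.254/metadata/identity/oauth2/token";
pub const IMDS_API_VERSION: &str = "2019-08-01";
/// IMDS rejects requests without this header; it is a defence against SSRF.
pub const IMDS_METADATA_HEADER: (&str, &str) = ("Metadata", "true");

/// Recover the resource identifier URI from a scope by dropping the trailing
/// permission segment: "https://storage.azure.com/.default" -> "https://storage.azure.com",
/// "api://contoso/user_impersonation" -> "api://contoso". A value with no path
/// segment after the scheme and host is returned unchanged. The caller must pass a
/// scope, not a bare resource with a path, since the two are not distinguishable.
pub fn scope_to_resource(scope: &str) -> &str {
    let scope = scope.trim_end_matches('/');
    // Index just past "://" (0 when there is no scheme) so the "//" of the scheme
    // is never mistaken for the permission separator.
    let path_start = scope.find("://").map_or(0, |i| i + 3);
    match scope.rfind('/') {
        Some(idx) if idx >= path_start => &scope[..idx],
        _ => scope,
    }
}

/// The construction quoted from the Microsoft docs above: resource + "/.default".
pub fn resource_to_default_scope(resource: &str) -> String {
    format!("{}/.default", resource.trim_end_matches('/'))
}

/// Percent-encode a query value; RFC 3986 unreserved characters pass through.
pub fn url_encode(value: &str) -> String {
    let mut out = String::with_capacity(value.len() * 3);
    for b in value.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => out.push(b as char),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Build the IMDS token request URL for a scope. IMDS takes `resource`, not
/// `scope`, so the scope is reduced to its resource before being url-encoded.
pub fn imds_token_url(scope: &str) -> String {
    let resource = scope_to_resource(scope);
    format!(
        "{}?api-version={}&resource={}",
        IMDS_TOKEN_ENDPOINT,
        IMDS_API_VERSION,
        url_encode(resource)
    )
}

fn main() {
    // Constructed input: the default scope for Azure Storage.
    let scope = "https://storage.azure.com/.default";
    println!("scope     : {}", scope);
    println!("resource  : {}", scope_to_resource(scope));
    println!("round trip: {}", resource_to_default_scope(scope_to_resource(scope)));
    println!("GET {}", imds_token_url(scope));
    println!("{}: {}", IMDS_METADATA_HEADER.0, IMDS_METADATA_HEADER.1);
}
```

Running the program prints the GET line you would issue from inside the VM; sending it with the `Metadata: true` header returns the access token JSON. Passing the unreduced scope as `resource` would ask IMDS for a token whose audience is `https://storage.azure.com/.default`, which is the mismatch the comment above describes.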
