Azure credentials generation
Azure generates a set of access and refresh tokens that are stored in msal_token_cache.json inside the .azure directory. The following is the procedure used to generate a set of credentials.
The Azure user's profile info is saved in the azureProfile.json file inside the .azure directory.
Access strategy - login integration
Before accessing Azure sessions you now have to create an Azure integration. After that, these are the steps required to login and then retrieve Azure sessions.
- The msal_token_cache and azureProfile.json files are cleaned for security reasons.
- We execute az login --tenantId <TENANTID> to obtain the updated user profile and the refresh token (associated with this integration).
- We extract all the Azure subscriptions associated with the integration and for each one we map a Leapp Azure session.
- We extract the refresh token, account, and profile information from msal_token_cache and azureProfile.json and persist them in the System's vault.
- We also remove the previous information from the original files, to increase security and avoid external tampering.
Access strategy - start session
In the current version of Leapp we can only start one Azure session at a time.
For each subscription retrieved upon login to a specific integration, we define a new Leapp Azure Session. To start an Azure session we follow these steps.
- We recover the refresh token, account, and profile information from the Vault and use them alongside the sessionId (Subscription id) in the start operation.
- azureProfile.json is filled only with the profile information of the current subscription.
- We write the account information and the refresh token back into the msal_token_cache.
- We execute az account get-access-token --subscriptionId <SUBSCRIPTIONID> to retrieve the access token and the id token of the subscription.
- The previous command also writes the access and id tokens back to the msal_token_cache file.
- We update the expiration time of the session to the current datetime.
- We update the refresh token in the Vault with the new information.
- We remove the refresh token from the msal_token_cache.
- We finally start the session.
- The refresh token is a long-term credential that potentially lasts for 90 days. The access token is a short-term credential and lasts for 70 minutes.
Access strategy - rotate session
To rotate the session's credentials we do the following steps:
- We obtain the expiration time from the session we are rotating.
- We check against the current date whether the session validity will expire in the next 20 minutes.
- If not, no other checks are necessary: the current credentials can still be used.
If so, we do the following operations:
- Remove access token from msal_token_cache.
- Recover refresh token from System's Vault.
- Insert the refresh token back into the msal_token_cache file.
- We redo the last 4 steps (6-9) from the start operation.
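The start and rotate steps above both boil down to the same two operations on the token cache: a "will it expire within 20 minutes" check and selectively stripping or re-inserting one credential bucket. The following TypeScript is an added example illustrating that logic; it is not Leapp's own code, and the bucket names and entry layout of msal_token_cache.json are assumptions (the sample cache and token values are constructed placeholders, and `vaultRefreshToken` stands in for the System vault lookup).

```typescript
// Assumed shape of msal_token_cache.json: top-level buckets keyed by credential type.
// The key/entry layout inside each bucket is an assumption for this example.
type Bucket = Record<string, Record<string, string>>;
interface MsalCache {
  AccessToken?: Bucket;
  RefreshToken?: Bucket;
  IdToken?: Bucket;
  Account?: Bucket;
}

const ROTATION_WINDOW_MS = 20 * 60 * 1000; // the 20-minute window from the rotate strategy

// Rotation is required when the session's stored expiration falls within the next 20 minutes.
function rotationRequired(expiration: string, now: Date = new Date()): boolean {
  return new Date(expiration).getTime() - now.getTime() <= ROTATION_WINDOW_MS;
}

// Return a copy of the cache with one credential bucket removed (the refresh token after
// a start, the access token before a rotation). The original object is left untouched.
function withoutBucket(cache: MsalCache, bucket: keyof MsalCache): MsalCache {
  const copy: MsalCache = { ...cache };
  delete copy[bucket];
  return copy;
}

// Put the refresh token recovered from the vault back into the cache, ready for
// `az account get-access-token` to use it.
function withRefreshToken(cache: MsalCache, key: string, entry: Record<string, string>): MsalCache {
  return { ...cache, RefreshToken: { ...(cache.RefreshToken ?? {}), [key]: entry } };
}

// Rotate-session decision: returns the scrubbed cache with the vault's refresh token
// inserted, or null when the current credentials are still usable.
function prepareRotation(
  cache: MsalCache,
  expiration: string,
  vaultRefreshToken: { key: string; entry: Record<string, string> },
  now: Date = new Date()
): MsalCache | null {
  if (!rotationRequired(expiration, now)) return null;
  const scrubbed = withoutBucket(cache, "AccessToken");
  return withRefreshToken(scrubbed, vaultRefreshToken.key, vaultRefreshToken.entry);
}

// Constructed sample cache (placeholder values, not real tokens).
const sampleCache: MsalCache = {
  AccessToken: { "acc-key": { secret: "ACCESS_TOKEN_PLACEHOLDER" } },
  IdToken: { "id-key": { secret: "ID_TOKEN_PLACEHOLDER" } },
  Account: { "account-key": { username: "user@example.com" } },
};
```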
Access strategy - stop session
To stop the session (because we only have one active at a time) we do the following steps:
- We run az logout and set the session's status to INACTIVE. This operation cleans both the msal_token_cache and azureProfile.json files.
Leapp enhances security by forcibly refreshing the access token every 20 minutes and by removing the refresh token from the msal_token_cache.