Azure credentials generation
Azure generates a set of access and refresh tokens that are stored in the msal_token_cache.json file inside the .azure directory. The following is the procedure used to generate a set of credentials.
On Windows, the msal_token_cache is persisted as a file encrypted with the DPAPI API.
Starting from release 2.30 of the Azure CLI, credentials are no longer persisted in the original accessToken.json file.
Azure user profile info is saved in the azureProfile.json file inside the .azure directory.
Access strategy - login integration
Before accessing Azure sessions, you now have to create an Azure integration. After that, these are the steps required to log in and then retrieve Azure sessions.
- The msal_token_cache and azureProfile.json files are cleaned for security reasons.
- We execute az login --tenantId <TENANTID>. We do this to obtain the updated user profile and the refresh token (associated with this integration).
- We extract all the Azure subscriptions associated with the integration, and for each one we map a Leapp Azure session.
- We extract the refresh token, account, and profile information from msal_token_cache and azureProfile.json and persist them in the System's vault.
- We also remove the previous information from the original files, to increase security and avoid external tampering.
Access strategy - start session
In the current version of Leapp we can only start one Azure session at a time.
For each subscription retrieved upon login to a specific integration, we define a new Leapp Azure Session. To start an Azure session we follow these steps.
- We recover the refresh token, account, and profile information from the Vault and use them alongside the sessionId (the Subscription id) in the start operation.
- azureProfile.json is filled only with the profile information of the current subscription.
- We write the account information and the refresh token back into the msal_token_cache.
- We execute az account get-access-token --subscriptionId <SUBSCRIPTIONID> to retrieve the access token and the id token of the subscription.
- The previous command also writes the access and id tokens back to the msal_token_cache file.
- We update the expiration time of the session to the current datetime.
- We update the refresh token in the Vault with the new information.
- We remove the refresh token from the msal_token_cache.
- We finally start the session.
- The refresh token is a long-term credential that potentially lasts for 90 days. The access token is a short-term credential and lasts for 70 minutes.
Access strategy - rotate session
To rotate the session's credentials we perform the following steps:
- We obtain the expiration time of the session we are rotating.
- We compare it with the current date to check whether the session will expire in the next 20 minutes.
- If not, no other checks are necessary: the current credentials can still be used.
- If so, we perform the following operations:
- Remove the access token from msal_token_cache.
- Recover the refresh token from the System's Vault.
- Insert the refresh token back into the msal_token_cache file.
- We redo the last 4 steps (6-9) of the start operation.
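As an added illustration of the login and rotate steps above (example code, not Leapp's own), this Python sketch moves the RefreshToken section of an msal_token_cache.json-shaped document into a simulated vault, restores it for the refresh step, and applies the 20-minute expiry check. The cache layout, ids and secrets are constructed placeholders, and the az CLI calls are only marked as comments where they would run.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of msal_token_cache.json: one top-level
# section per credential type. Every id and secret below is a placeholder.
SAMPLE_CACHE = {
    "AccessToken": {
        "uid.tid-login.microsoftonline.com-accesstoken-client-tid-scope": {
            "credential_type": "AccessToken", "secret": "<placeholder-access-token>"}},
    "RefreshToken": {
        "uid.tid-login.microsoftonline.com-refreshtoken-client--": {
            "credential_type": "RefreshToken", "secret": "<placeholder-refresh-token>"}},
    "IdToken": {},
    "Account": {"uid.tid-login.microsoftonline.com-tid": {"username": "user@example.com"}},
}
ROTATION_WINDOW = timedelta(minutes=20)  # the 20-minute check from the text
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

def take_section(cache, section):
    """Return (cache with `section` emptied, the removed entries). The key stays
    so the file keeps the shape MSAL expects; callers vault the entries."""
    entries = dict(cache.get(section, {}))
    trimmed = {k: ({} if k == section else v) for k, v in cache.items()}
    return trimmed, entries

def put_section(cache, section, entries):
    """Write vault-held entries back before `az account get-access-token` runs."""
    return {**cache, section: dict(entries)}

def needs_rotation(expiration, now, window=ROTATION_WINDOW):
    """True when the session expires within `window` of `now`."""
    return expiration - now <= window

def prepare_rotation(cache, vault):
    """Rotate steps 1-3: drop the access token, recover the refresh token from
    the vault and insert it back into the cache; the CLI call comes next."""
    cache, _stale_access = take_section(cache, "AccessToken")
    return put_section(cache, "RefreshToken", vault["RefreshToken"])

def demo():
    """Login, then one rotation inside the window; returns disk cache and vault."""
    on_disk, vault = SAMPLE_CACHE, {}
    on_disk, vault["RefreshToken"] = take_section(on_disk, "RefreshToken")
    if needs_rotation(NOW + timedelta(minutes=15), NOW):
        on_disk = prepare_rotation(on_disk, vault)  # az get-access-token would run here
        on_disk, vault["RefreshToken"] = take_section(on_disk, "RefreshToken")
    return {"disk": on_disk, "vault": vault}
```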
Access strategy - stop session
To stop the session (we only have one active at a time) we perform the following steps:
- We run az logout and set the session's status to INACTIVE. This operation cleans both the msal_token_cache and azureProfile.json files.
Leapp enhances security by forcibly refreshing the access token every 20 minutes and by removing the refresh token from the msal_token_cache.