-
Notifications
You must be signed in to change notification settings - Fork 131
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support retrieving client certificate from Azure Key Vault #2235
base: MOODLE_311_STABLE
Are you sure you want to change the base?
Conversation
@FMCorz please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.
Contributor License AgreementContribution License AgreementThis Contribution License Agreement (“Agreement”) is agreed to by the party signing below (“You”),
|
This comment was marked as duplicate.
This comment was marked as duplicate.
@FMCorz the command you issued was incorrect. Please try again. Examples are:
and
|
@microsoft-github-policy-service agree company="Branch Up" |
Hi @FMCorz, I'm trying to test this PR with aim to include this as part of the next release. Can I ask you to provide some instructions on how to set up Key Vault to get this working please. Especially I'm interested to know how/where to get the configuration settings on the auth_oidc configuration page from Key Vault. Many thanks. Regards, |
Hi @weilai-irl, Thank you for taking a look at this. Unfortunately, I have not been involved in setting this up myself, I was mostly the recipient of the testing credentials, and as such I know the theory more than the practical implementation. The best I can do is direct you to some of the documentation pages and what I would assume to be the process:
I hope this is helpful. @MURBASLMS may be more helpful. |
Hi @FMCorz, Am I right in understanding that the implementation assumes the Moodle site are hosted in a VM in Azure? My reasoning is I see requests are made to "http://169.254.169.254/metadata/identity/oauth2/token" to get tokens, which is a magic IP address in Azure for Instance Metadata Service. I have tried to run the logic from a ubuntu machine which is outside of Azure VM, and got a connection timeout error. Could you confirm my suspicion please. If this is the case, please look into providing a universal solution - it's a too big assumption to make that the Moodle site is hosted in Azure VMs. Regards, |
Yes, you are correct that the Moodle VM would have to be hosted in Azure for the Key Vault tokens to be obtained this way. |
We haven't explored the option to connect to the Key Vault with a different method, but it would likely negate the benefits of placing the certificate in the Key Vault. Connecting to the Key Vault without Managed Identity would probably require a certificate, and there won't be any benefit to the situation if said certificate is not itself in a Key Vault. There may be other avenues to connect to a Key Vault, but I am not aware of them. |
Hi @weilai-irl any update on this one please? anything we need to discuss? cheers Mike |
Hi @MURBASLMS, Due to the fact that this will only work on Azure VM, it introduces additional complexity in the support of the feature. The Microsoft education team, who is sponsoring the maintenance of plugins, have been briefed about this and they are considering if to official support this feature or not. So far a decision hasn't been made yet. I'll post updates when I have them. Regards, |
No worries, if we need to discuss with them let us know. Our view is that while this initial code is focused on Key Vault in Azure, it serves as a basis for extending to include other infrastructure in the config to provide properly secured credentials using whatever means an institution prefers. |
hi, any word on this one please? |
Hi @MURBASLMS We are still waiting on a decision from Microsoft on whether to support this one or not. There are some cost related to ongoing support of this feature, as we will need to set up additional environment for the test of this, and it will require additional effort to test this feature in every future release. I'll post back when a decision is made. Regards, |
This patch acts as a working proof of concept to retrieve the certificate from an Azure Key Vault using managed identities.
The security requirements of some institutions may limit the number of permissions given to the Azure Application as the certificate is stored in plain text in Moodle admin settings. Serving the certificate from a Key Vault (authenticated with managed identities) adds a level of protection to the Azure Application as Moodle users (including admins) cannot access the certificate directly.
Notes:
curlsecurityblockedhosts
, as it probably should.This development was funded by Murdoch University.