Support for encrypted token cache on Linux without GUI

[gabe-microsoft]

Is your feature request related to a problem? Please describe.
Currently, when running Linux without a GUI (e.g., Azure Linux VM) MSAL uses a plain-text token cache. My understanding is that MSAL supports libsecret/secret credential stores, but these don't work properly without a GUI.

Specifically, I'm using Git Credential Manager (GCM) on an Azure Linux VM to work with git repos stored in Azure DevOps (ADO). When using ADO, GCM uses MSAL to acquire and store AAD tokens. Since MSAL doesn't support an encrypted credential store, I get the following warning from GCM:

warning: cannot persist Microsoft authentication token cache securely!
warning: using plain-text fallback token cache

Describe the solution you'd like
MSAL could use an encrypted credential store like GPG/pass, which is used by GCM

[josejimenezluna]

Hi! I'm having the same issue. I was wondering whether there was any updates on this?

Cheers,

[bgavrilMS]

Hi @josejimenezluna - for now, you call fallback to a plaintext file, see the sample project in this repo.

We do not plan to add support for pass, but we would accept a contribution.

[jakeaufderheide]

I also have this problem. Is plaintext not insecure?

[bgavrilMS]

I also have this problem. Is plaintext not insecure?

Yes, it is. You could use an encrypted drive though.

Generally speaking, a malicious app can steal a token even if your file is encrypted - e.g. by sniffing the traffic or by decrypting the file - if the malicious app runs under the same user. Only Mac has app-level protection. App1 cannot access App2's keychain without permission from the user or special config.

[bgavrilMS]

This is not a priority for MSAL at the moment, but we could review a contribution. Fix should go here: https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet