Skip to content

Allow Entra authentication when connecting to Redis #3047

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
pharring wants to merge 7 commits into
base: main
Choose a base branch
from
+34 −3
Open

Allow Entra authentication when connecting to Redis #3047

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
a02948a
Allow Entra authentication when connecting to Redis
pharring Jan 10, 2026
35e4e75
Merge branch 'main' into dev/pharring/AddEntraAuthForRedisConnection
JerryNixon Jan 21, 2026
62d1ceb
Make localhost logic fit the comment
pharring Jan 27, 2026
2617bec
Merge branch 'dev/pharring/AddEntraAuthForRedisConnection' of https:/…
pharring Jan 27, 2026
e98df40
Merge branch 'main' into dev/pharring/AddEntraAuthForRedisConnection
pharring Jan 27, 2026
b7e008e
Merge branch 'main' into dev/pharring/AddEntraAuthForRedisConnection
pharring Jan 30, 2026
115b6a8
Merge branch 'main' into dev/pharring/AddEntraAuthForRedisConnection
Aniruddh25 Feb 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions src/Directory.Packages.props
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
<PackageVersion Include="Aspire.Hosting.SqlServer" Version="9.5.2" />
<PackageVersion Include="Aspire.Hosting.PostgreSQL" Version="9.5.2" />
<PackageVersion Include="Azure.Core" Version="1.47.1" />
<PackageVersion Include="Azure.Identity" Version="1.15.0" />
<PackageVersion Include="Azure.Identity" Version="1.17.1" />
<PackageVersion Include="Azure.Monitor.Ingestion" Version="1.1.2" />
<PackageVersion Include="Azure.Security.KeyVault.Secrets" Version="4.6.0" />
<PackageVersion Include="CommandLineParser" Version="2.9.1" />
Expand All @@ -34,6 +34,7 @@
<PackageVersion Include="Microsoft.AspNetCore.Mvc.Testing" Version="8.0.10" />
<PackageVersion Include="Microsoft.AspNetCore.TestHost" Version="8.0.10" />
<PackageVersion Include="Microsoft.Azure.Cosmos" Version="3.38.1" />
<PackageVersion Include="Microsoft.Azure.StackExchangeRedis" Version="3.3.1" />
<PackageVersion Include="Microsoft.Extensions.Caching.Memory" Version="8.0.1" />
<PackageVersion Include="Microsoft.Extensions.Caching.Abstractions" Version="9.0.0" />
<PackageVersion Include="Microsoft.Extensions.Primitives" Version="9.0.0" />
Expand All @@ -46,7 +47,7 @@
<PackageVersion Include="OpenTelemetry.Instrumentation.Runtime" Version="1.9.0" />
<!--When updating Microsoft.Data.SqlClient, update license URL in scripts/notice-generation.ps1-->
<PackageVersion Include="Microsoft.Data.SqlClient" Version="5.2.3" />
<PackageVersion Include="Microsoft.Extensions.Configuration.Binder" Version="8.0.1" />
<PackageVersion Include="Microsoft.Extensions.Configuration.Binder" Version="8.0.2" />
<PackageVersion Include="Microsoft.Extensions.Configuration.Json" Version="9.0.0" />
<PackageVersion Include="Microsoft.Extensions.Logging.ApplicationInsights" Version="2.22.0" />
<PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.1.2" />
Expand Down
1 change: 1 addition & 0 deletions src/Service/Azure.DataApiBuilder.Service.csproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,7 @@
<PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" />
<PackageReference Include="Microsoft.Extensions.Logging.ApplicationInsights" />
<PackageReference Include="Microsoft.Azure.Cosmos" />
<PackageReference Include="Microsoft.Azure.StackExchangeRedis" />
<PackageReference Include="Microsoft.Data.SqlClient" />
<PackageReference Include="Microsoft.Extensions.Configuration.Binder" />
<PackageReference Include="Microsoft.Extensions.Configuration.Json" />
Expand Down
31 changes: 30 additions & 1 deletion src/Service/Startup.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@

using System;
using System.IO.Abstractions;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
Expand Down Expand Up @@ -435,7 +437,7 @@ public void ConfigureServices(IServiceCollection services)
else
{
// NOTE: this is done to reuse the same connection multiplexer for both the cache and backplane
Task<ConnectionMultiplexer> connectionMultiplexerTask = ConnectionMultiplexer.ConnectAsync(level2CacheOptions.ConnectionString);
Task<IConnectionMultiplexer> connectionMultiplexerTask = CreateConnectionMultiplexerAsync(level2CacheOptions.ConnectionString);
Copy link
Contributor

@souvikghosh04 souvikghosh04 Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we put this under a feature switch or DAB config flag for safer side or an option to opt-in/opt-out?

Copy link
Author

@pharring pharring Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it needs a switch because it's automatic. If you don't supply a password, and you're not using localhost, then we assume you want Entra auth.

Copy link
Contributor

@souvikghosh04 souvikghosh04 Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that's fine. we will have this documented. thanks!


fusionCacheBuilder
.WithSerializer(new FusionCacheSystemTextJsonSerializer())
Expand Down Expand Up @@ -470,6 +472,33 @@ public void ConfigureServices(IServiceCollection services)
services.AddControllers();
}

/// <summary>
/// Creates a ConnectionMultiplexer for Redis with support for Azure Entra authentication.
/// </summary>
/// <param name="connectionString">The Redis connection string.</param>
/// <returns>A task that represents the asynchronous operation. The task result contains the connected IConnectionMultiplexer.</returns>
private static async Task<IConnectionMultiplexer> CreateConnectionMultiplexerAsync(string connectionString)
{
ConfigurationOptions options = ConfigurationOptions.Parse(connectionString);

// Determine if an endpoint is localhost/loopback
static bool IsLocalhostEndpoint(EndPoint ep) => ep switch
{
DnsEndPoint dns => string.Equals(dns.Host, "localhost", StringComparison.OrdinalIgnoreCase),
IPEndPoint ip => IPAddress.IsLoopback(ip.Address),
_ => false,
};

// If no password is provided, and the endpoint (or at least one of them) is non-localhost,
// attempt to use Entra authentication.
if (string.IsNullOrEmpty(options.Password) && options.EndPoints.Any(static ep => !IsLocalhostEndpoint(ep)))
{
options = await options.ConfigureForAzureWithTokenCredentialAsync(new DefaultAzureCredential());
}
Comment on lines +482 to +497
Copy link
Contributor

@souvikghosh04 souvikghosh04 Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it would be good to have some error handling and loggings for this function.

Copy link
Author

@pharring pharring Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for being dense, but can you show me what that might look like for your code base? Remember this is in startup, so exceptions are generally fatal and will be handled at the top-level.

Copy link
Contributor

@souvikghosh04 souvikghosh04 Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this can be addressed based on the discussion here- #3047 (comment). feel free to close this as duplicate.


return await ConnectionMultiplexer.ConnectAsync(options);
Comment on lines +496 to +499
Copy link

Copilot AI Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CreateConnectionMultiplexerAsync method lacks error handling for Azure credential failures or Redis connection failures. When DefaultAzureCredential fails to authenticate (e.g., no managed identity is available, or credentials are misconfigured), or when ConfigureForAzureWithTokenCredentialAsync fails, the method will throw an unhandled exception. Consider adding try-catch blocks with more descriptive error messages to help users troubleshoot authentication or connection issues.

Suggested change
options = await options.ConfigureForAzureWithTokenCredentialAsync(new DefaultAzureCredential());
}
return await ConnectionMultiplexer.ConnectAsync(options);
try
{
options = await options.ConfigureForAzureWithTokenCredentialAsync(new DefaultAzureCredential());
}
catch (CredentialUnavailableException ex)
{
throw new InvalidOperationException(
"Failed to acquire Azure credentials for Redis. " +
"Ensure that a managed identity or other Azure credentials are correctly configured " +
"for this environment before enabling Entra authentication for Redis.",
ex);
}
catch (AuthenticationFailedException ex)
{
throw new InvalidOperationException(
"Azure authentication for Redis failed while using DefaultAzureCredential. " +
"Verify that the configured identity has permission to access the Redis resource " +
"and that all required environment settings are correct.",
ex);
}
}
try
{
return await ConnectionMultiplexer.ConnectAsync(options);
}
catch (RedisConnectionException ex)
{
throw new InvalidOperationException(
"Failed to connect to Redis using the provided configuration. " +
"Verify that the Redis connection string, network connectivity, and Redis instance " +
"configuration are correct.",
ex);
}

Copilot uses AI. Check for mistakes.
Copy link
Collaborator

@Aniruddh25 Aniruddh25 Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pharring, this suggestion from copilot seems reasonable to fix, thoughts?

Copy link
Contributor

@souvikghosh04 souvikghosh04 Jan 31, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot is right to suggest the improvement. also, we should have an additional catch block to catch rest of the exceptions if any.

Copy link
Author

@pharring pharring Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again, sorry for being dense/uninformed here, but what's the guidance in this repo regarding exception handling? Copilot's suggestion is to wrap inner exceptions in InvalidOperationException. I don't see that pattern anywhere else in startup. Is it what you want?

We could create a specialized "L2CacheException" to wrap any exceptions thrown in L2 cache setup. Is that what you want?

Copy link
Contributor

@souvikghosh04 souvikghosh04 Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, that should be fine. DAB is self-hosted and users would look for the logs to troubleshoot during a failure. for this scenario we don't need a special wrapper since we just want to log it based on possible error types and possibly guide the user based on the failure may be.. feel free to close this if you feel that's not needed.

}
Comment on lines 480 to 500
Copy link

Copilot AI Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new CreateConnectionMultiplexerAsync method and its Entra authentication logic lack test coverage. Consider adding unit tests to verify:

  1. Correct behavior when password is provided (should not use Entra)
  2. Correct behavior when connecting to localhost without password (should not use Entra)
  3. Correct behavior when connecting to a non-localhost endpoint without password (should use Entra)
  4. Behavior with mixed localhost and non-localhost endpoints

Copilot uses AI. Check for mistakes.
Copy link
Collaborator

@Aniruddh25 Aniruddh25 Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pharring, would these unit tests be useful at least - since we are not adding integration tests?


/// <summary>
/// Configure GraphQL services within the service collection of the
/// request pipeline.
Expand Down