Skip to content

Commit a098426

Browse files
authored
Add Entra ID Auth to Authentication doc (#3023)
1 parent ac7ab7f commit a098426

1 file changed

Lines changed: 20 additions & 15 deletions

File tree

docs/Authentication.md

Lines changed: 20 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,4 @@
1-
Authentication
2-
===
1+
# Authentication
32

43
There are multiple ways of connecting to a Redis server, depending on the authentication model. The simplest
54
(but least secure) approach is to use the `default` user, with no authentication, and no transport security.
@@ -12,10 +11,9 @@ var muxer = await ConnectionMultiplexer.ConnectAsync("myserver"); // or myserver
1211
This approach is often used for local transient servers - it is simple, but insecure. But from there,
1312
we can get more complex!
1413

15-
TLS
16-
===
14+
## TLS
1715

18-
If your server has TLS enabled, SE.Redis can be instructed to use it. In some cases (AMR, etc), the
16+
If your server has TLS enabled, SE.Redis can be instructed to use it. In some cases (Azure Managed Redis, etc), the
1917
library will recognize the endpoint address, meaning: *you do not need to do anything*. To
2018
*manually* enable TLS, the `ssl` token can be used:
2119

@@ -44,8 +42,7 @@ Alternatively, in advanced scenarios: to provide your own custom server validati
4442
can be used; this uses the normal [`RemoteCertificateValidationCallback`](https://learn.microsoft.com/dotnet/api/system.net.security.remotecertificatevalidationcallback)
4543
API.
4644

47-
Usernames and Passwords
48-
===
45+
## Usernames and Passwords
4946

5047
Usernames and passwords can be specified with the `user` and `password` tokens, respectively:
5148

@@ -56,15 +53,25 @@ var muxer = await ConnectionMultiplexer.ConnectAsync("myserver,ssl=true,user=myu
5653
If no `user` is provided, the `default` user is assumed. In some cases, an authentication-token can be
5754
used in place of a classic password.
5855

59-
Client certificates
60-
===
56+
## Managed identities
57+
58+
If the server is an Azure Managed Redis resource, connections can be secured using Microsoft Entra ID authentication. Use the [Microsoft.Azure.StackExchangeRedis](https://github.com/Azure/Microsoft.Azure.StackExchangeRedis) extension package to handle the authentication using tokens retrieved from Microsoft Entra. The package integrates via the ConfigurationOptions class, and can use various types of identities for token retrieval. For example with a user-assigned managed identity:
59+
60+
```csharp
61+
var options = ConfigurationOptions.Parse("mycache.region.redis.azure.net:10000");
62+
await options.ConfigureForAzureWithUserAssignedManagedIdentityAsync(managedIdentityClientId);
63+
```
64+
65+
For details and samples see [https://github.com/Azure/Microsoft.Azure.StackExchangeRedis](https://github.com/Azure/Microsoft.Azure.StackExchangeRedis)
66+
67+
## Client certificates
6168

6269
If the server is configured to require a client certificate, this can be supplied in multiple ways.
6370
If you have a local public / private key pair (such as `MyUser2.crt` and `MyUser2.key`), the
6471
`options.SetUserPemCertificate(...)` method can be used:
6572

6673
``` csharp
67-
config.SetUserPemCertificate(
74+
options.SetUserPemCertificate(
6875
userCertificatePath: userCrtPath,
6976
userKeyPath: userKeyPath
7077
);
@@ -74,7 +81,7 @@ If you have a single `pfx` file that contains the public / private pair, the `op
7481
method can be used:
7582

7683
``` csharp
77-
config.SetUserPfxCertificate(
84+
options.SetUserPfxCertificate(
7885
userCertificatePath: userCrtPath,
7986
password: filePassword // optional
8087
);
@@ -85,8 +92,7 @@ can be used; this uses the normal
8592
[`LocalCertificateSelectionCallback`](https://learn.microsoft.com/dotnet/api/system.net.security.remotecertificatevalidationcallback)
8693
API.
8794

88-
User certificates with implicit user authentication
89-
===
95+
## User certificates with implicit user authentication
9096

9197
Historically, the client certificate only provided access to the server, but as the `default` user. From 8.6,
9298
the server can be configured to use client certificates to provide user identity. This replaces the
@@ -114,8 +120,7 @@ var user = (string?)await conn.GetDatabase().ExecuteAsync("acl", "whoami");
114120
Console.WriteLine(user); // writes "MyUser2"
115121
```
116122

117-
More info
118-
===
123+
## More info
119124

120125
For more information:
121126

0 commit comments

Comments
 (0)