Description

Himmelblau currently does not support personal account sign-in, only sign-in for business/school accounts. Adding personal account sign-in would broaden the user base and potentially attract more users to Linux from Windows, since they could easily migrate their existing Windows account.

Goals

Implement personal account sign-in for libhimmelblau.

Resources

gitlab.com/samba-team/libhimmelblau

Looking for hackers with the skills:

azure entraid himmelblau

This project is part of:

Hack Week 25

Activity

  • about 2 months ago: dmulder added keyword "azure" to this project.
  • about 2 months ago: dmulder added keyword "entraid" to this project.
  • about 2 months ago: dmulder added keyword "himmelblau" to this project.
  • about 2 months ago: dmulder started this project.
  • about 2 months ago: dmulder originated this project.

Comments

    • dmulder
      14 days ago by dmulder

      Day 1

      I've found that we can authenticate as a personal account, but it's not as simple as I had hoped. Microsoft MSA login (personal accounts) uses a completely different protocol from Entra ID. It's some in-house-baked thing, only remotely similar to OAuth2. Apparently it was created prior to OAuth2 being spec'd. Anyway, you can use the https://login.microsoft.com/consumers/oauth2/v2.0/ endpoints to authenticate as personal accounts. This is just that old protocol, kludged into OAuth2 (with various forwarding requests). The quickest way to a win here will be implementing a DAG request via this consumers endpoint. I already have a rough prototype (which still breaks in lots of places). This is going to be a very different experience for users, since device join is totally different, etc. Also, we really can't support an MFA flow like we have in the past. There is a concept similar to device join in this protocol, and I'm going to try to take advantage of it. We may have to create an all new provider in Himmelblau to handle these personal accounts. I'm trying to see if I can shim it all into the existing architecture, but it is difficult.

    • dmulder
      13 days ago by dmulder

      Day 2

      Got a simple prototype working for DAG authentication for personal accounts. Then integrated this into Himmelblau. Had to alter the way we handle device joins, since we can't join an MSA authenticated device. A simple setup with Hello PINs disabled is now working. Integrated vanilla refresh tokens into the existing PRT cache, as an alternative (since we can't fetch a PRT for personal accounts). This was a prerequisite to getting Hello PINs working (since we place a PRT/refresh token into the cache bound to the PIN). Debugging some issues with Hello PINs now.

    • dmulder
      13 days ago by dmulder

      https://github.com/himmelblau-idm/himmelblau/pull/910

    • dmulder
      10 days ago by dmulder

      MSA Personal Account Sign-In

      Himmelblau now includes experimental support for Microsoft Personal Accounts (MSA), enabling users to authenticate with their outlook.com, hotmail.com, and other consumer identities alongside standard Entra ID accounts.

      Device Authorization Grant (DAG) Sign-In

      Personal accounts use a different authentication stack than Entra ID, but Himmelblau now implements a working DAG flow against the consumers OAuth2 endpoint. This allows login from a terminal or GUI without launching an embedded browser, using the familiar "enter a code at microsoft.com/link" flow.

      Hello PIN Provisioning

      After DAG sign-in, Himmelblau will automatically offer Linux Hello PIN setup, mirroring the experience of Windows users. The PIN is bound to a local TPM key.

      SSO Status

      Full SSO for personal accounts is not yet implemented, due to protocol differences and the lack of a PRT for MSA accounts. However, you can already obtain usable OAuth2 tokens via:

      linux-entra-sso -i acquireTokenSilently

      This provides a functional access_token suitable for testing APIs that accept MSA OAuth2 v2.0 tokens.
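The device-code exchange described in the comments above, as an added Python sketch that is not Himmelblau's or libhimmelblau's code: it assumes the standard Microsoft identity platform v2.0 devicecode and token endpoints under the "consumers" tenant, and takes an injected HTTP transport (here a constructed stub returning placeholder values) so the RFC 8628 polling logic, including the slow_down back-off and the terminal error cases, runs offline.

```python
import time

# Microsoft identity platform v2.0 authority for the "consumers" tenant (MSA accounts).
AUTHORITY = "https://login.microsoftonline.com/consumers/oauth2/v2.0"
GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def start_device_flow(post, client_id, scope):
    """POST /devicecode; returns device_code, user_code, verification_uri, interval, expires_in.
    Only user_code and verification_uri are shown to the user; device_code never leaves the host."""
    return post(f"{AUTHORITY}/devicecode", {"client_id": client_id, "scope": scope})


def poll_for_token(post, client_id, dev, sleep=time.sleep, clock=time.monotonic):
    """Poll /token per RFC 8628 section 3.5 until a token, a terminal error, or expiry."""
    interval = int(dev.get("interval", 5))
    deadline = clock() + int(dev["expires_in"])
    while clock() < deadline:
        sleep(interval)
        resp = post(f"{AUTHORITY}/token", {"client_id": client_id,
                                           "grant_type": GRANT,
                                           "device_code": dev["device_code"]})
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == "authorization_pending":
            continue                # user has not entered the code yet
        if err == "slow_down":
            interval += 5           # RFC 8628: back off by 5 seconds and keep polling
            continue
        # expired_token, authorization_declined, bad_verification_code: stop here
        raise RuntimeError(f"device flow failed: {err}")
    raise TimeoutError("device code expired before sign-in completed")


def make_stub(token_replies):
    """Constructed stand-in for the consumers endpoint (not a real server): answers
    /devicecode with fixed placeholder values and replays scripted /token replies."""
    calls = []

    def post(url, form):
        calls.append((url, form))
        if url.endswith("/devicecode"):
            return {"device_code": "DEVICE-CODE-PLACEHOLDER", "user_code": "ABCD1234",
                    "verification_uri": "https://www.microsoft.com/link",
                    "interval": 1, "expires_in": 900}
        return token_replies.pop(0)
    return post, calls
```

Requesting the offline_access scope is what makes the token reply carry a refresh_token, which is the value the comments above describe caching in place of a PRT.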
