Are the generated tokens encrypted on my device?

[plamber]

Hello @pnp/cli-for-microsoft-365-maintainers,
the CLI is storing the cli msal and tokens information on my user directory.

I can open these files and see all values in clear text. I can also find the refresh token in clear text. I can take these files and copy them to another machine. I haven't it tried yet but in theory I could then continue on that machine without being required to login again. This might become a security vulnerability to my understanding.

My suggestion would be to encrypt the file on filesystem based on userid and machine name.

What are your thoughts?

[waldekmastykarz]

Unfortunately there is no way to encrypt tokens in any way in a client tool that's open source. Whatever mechanism, we'd implement, anyone could reverse engineer. At some point we used Windows Credential Manager and Keychain to store credentials but since any application can access them, it wouldn't protect the credentials in any way.

[plamber]

Hi,
PowerShell for example provides an encryption of passwords using the logged in user's certificate here. I think this is better than just keeping a plain text lying around.

Windows Credential Manager and Keychain is also better than having clear texts lying around.

What do you think?

br,

[waldekmastykarz]

How does using either of these capabilities prevent any other app from accessing the credentials?
Azure CLI uses the same approach as we do.

One thing that's different with PowerShell comparing to other shells is that it has the notion of a session, where you could theoretically sign in, store credentials in the session without persisting them on disk, and reuse them across cmdlets. Unfortunately, as far as I know, this is not possible in other shells and persisting credentials on disk is the only way to reuse them across multiple commands.

[plamber]

I am not worried about other apps to be honest. I am more worried about users with administrative account having a shared environment.

I can go to your profile copy the local file and impersonate myself as you without you noticing anything. If the file is encrypted with the current user the impact is smaller because I am able to copy the file but I am not able to decrypt it with my user session.

In PowerShell this is the preferred way to store credentials on the current machine and user session without having passwords in plain text or worrying that some other machine administrator is able to get my credentials.

[waldekmastykarz]

If there is a secure way to do it that works in any shell and OS we should consider it.

[plamber]

I am surprised to read that the Azure CLI behaves the same. Can we open an issue there to see what their feedback will be?

[waldekmastykarz]

Originally, they used Windows Credential Manager, Keychain or nothing on linux (apparently there is no standardized way of handling credentials across the different distros). At some point I saw, they switched to a plain-text file with which we aligned. I'm not sure about the latest state of it. I saw that MSAL offers OS-specific credentials storages for its cache but not sure if it's used in the Azure CLI, so that's something that we'd need to research first before opening an issue.