DBZ-9323: [SQL Server] Add built-in support for acquiring MSAL access tokens for ActiveDirectoryAccessToken authentication

    • Type: Enhancement
    • Resolution: Unresolved
    • Priority: Major
    • Status: Backlog
    • Component: sqlserver-connector

      Debezium's SQL Server connector currently supports specifying database.authentication=ActiveDirectoryAccessToken, allowing token-based authentication to Azure SQL when a valid access token is provided in the connection properties. However, Debezium does not currently provide a built-in mechanism to acquire this token from the Microsoft identity platform using the client credentials flow of the Microsoft Authentication Library (MSAL).

      This proposal adds first-class support for Azure AD service principal authentication by enabling Debezium to directly acquire an access token using client_id, client_secret, and tenant_id, and pass that token to the Microsoft JDBC driver.

      Proposed Feature:

      • Keep the existing selector for this mode:
        database.authentication = ActiveDirectoryAccessToken
      • Introduce new optional configuration fields:
        • database.azure.client.id
        • database.azure.client.secret
        • database.azure.tenant.id
      • When these fields are set and ActiveDirectoryAccessToken is selected, Debezium should:
        1. Use MSAL4J to acquire an access token for the scope https://database.windows.net/.default
        2. Connect using the Microsoft JDBC driver with:
          jdbc:sqlserver://<host>:<port>;database=<name>;authentication=ActiveDirectoryAccessToken
          and pass the token using the accessToken connection property.

      Benefits:

      • Enables secure, fully automated access to Azure SQL from Debezium in environments that require Azure AD/Entra ID service principal authentication
      • Aligns with Microsoft's official and recommended authentication mechanisms
      • Eliminates the need for wrapper classes, external token injection, or shell scripts
      • Reduces operational complexity in cloud-native and enterprise environments

      Implementation Notes:

      • Token logic is isolated and only invoked if ActiveDirectoryAccessToken is selected and MSAL credentials are provided
      • Credentials are handled securely using ConfigDef.Type.PASSWORD
      • No behavioral change or performance impact for users using username/password authentication
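      The two proposal steps above (acquire a token with MSAL4J, hand it to the Microsoft JDBC driver) and the note on holding the secret as ConfigDef.Type.PASSWORD, as one worked example. This is an added illustration, not Debezium project code: it assumes msal4j, mssql-jdbc and kafka-clients on the classpath, uses the database.azure.* option names proposed in this issue, and the class name AzureSqlTokenConnector is hypothetical. Two checks a practitioner will want are built in: the token is reacquired before it expires (Entra ID access tokens are short-lived, and a connector that reconnects hours later must not reuse a stale one), and the token is passed through the driver's Properties rather than the URL, since the driver documents accessToken as a Properties-only property and its access-token example leaves the driver's own authentication property unset.

```java
// Added illustration, not Debezium project code. Assumes msal4j, mssql-jdbc and
// kafka-clients on the classpath; the database.azure.* names are the ones proposed
// in this issue and AzureSqlTokenConnector is a hypothetical class name.
import java.net.MalformedURLException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ExecutionException;

import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ClientCredentialParameters;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import org.apache.kafka.common.config.AbstractConfig;
import org.apache.kafka.common.config.ConfigDef;

public final class AzureSqlTokenConnector {

    /** Resource scope for Azure SQL; the resulting token's audience is https://database.windows.net/. */
    static final String SCOPE = "https://database.windows.net/.default";

    /** Proposed options. The secret is Type.PASSWORD so Kafka Connect masks it in logs and toString(). */
    static final ConfigDef CONFIG = new ConfigDef()
            .define("database.azure.client.id", ConfigDef.Type.STRING, ConfigDef.Importance.HIGH,
                    "Entra ID application (client) id of the service principal")
            .define("database.azure.client.secret", ConfigDef.Type.PASSWORD, ConfigDef.Importance.HIGH,
                    "Client secret of the service principal")
            .define("database.azure.tenant.id", ConfigDef.Type.STRING, ConfigDef.Importance.HIGH,
                    "Entra ID tenant id");

    private final ConfidentialClientApplication app;
    private volatile IAuthenticationResult cached; // last result; MSAL4J also keeps its own token cache

    AzureSqlTokenConnector(AbstractConfig cfg) throws MalformedURLException {
        String clientId = cfg.getString("database.azure.client.id");
        String tenantId = cfg.getString("database.azure.tenant.id");
        // Unwrap the Password only here, at the point of use; never log the value.
        String secret = cfg.getPassword("database.azure.client.secret").value();
        this.app = ConfidentialClientApplication
                .builder(clientId, ClientCredentialFactory.createFromSecret(secret))
                .authority("https://login.microsoftonline.com/" + tenantId + "/")
                .build();
    }

    /** Returns a token that stays valid for at least minRemaining, fetching a new one when needed. */
    String accessToken(Duration minRemaining) throws ExecutionException, InterruptedException {
        IAuthenticationResult r = cached;
        Instant deadline = Instant.now().plus(minRemaining);
        if (r == null || r.expiresOnDate().toInstant().isBefore(deadline)) {
            ClientCredentialParameters params =
                    ClientCredentialParameters.builder(Collections.singleton(SCOPE)).build();
            r = app.acquireToken(params).get(); // client-credentials grant against the tenant's token endpoint
            cached = r;
        }
        return r.accessToken();
    }

    /**
     * Opens a connection with the token. The driver accepts accessToken only as a Properties entry
     * (not in the URL), and the driver's own "authentication" property is left unset, as in the
     * driver documentation's access-token example.
     */
    Connection connect(String host, int port, String database)
            throws SQLException, ExecutionException, InterruptedException {
        Properties props = new Properties();
        props.setProperty("accessToken", accessToken(Duration.ofMinutes(5)));
        props.setProperty("encrypt", "true"); // Azure SQL requires TLS
        String url = "jdbc:sqlserver://" + host + ":" + port + ";databaseName=" + database;
        return DriverManager.getConnection(url, props);
    }

    public static void main(String[] args) throws Exception {
        // Credentials come from the environment; Map.of rejects a missing (null) variable up front.
        Map<String, String> raw = Map.of(
                "database.azure.client.id", System.getenv("AZURE_CLIENT_ID"),
                "database.azure.client.secret", System.getenv("AZURE_CLIENT_SECRET"),
                "database.azure.tenant.id", System.getenv("AZURE_TENANT_ID"));
        AzureSqlTokenConnector c = new AzureSqlTokenConnector(new AbstractConfig(CONFIG, raw));
        try (Connection conn = c.connect(args[0], 1433, args[1]);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT SUSER_SNAME()")) {
            if (rs.next()) {
                // Login name as SQL Server sees it: the service principal, not a SQL user.
                System.out.println("connected to " + args[1] + " as " + rs.getString(1));
            }
        }
    }
}
```

      Usage: `java AzureSqlTokenConnector <server>.database.windows.net <database>` with AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID set. The five-minute margin in connect() means a connector that reconnects shortly before expiry still gets a token the server will accept for the handshake; the same accessToken(Duration) method is what a reconnect path would call instead of reusing the original Properties object.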


              Assignee: Unassigned
              Reporter: Tim Frazer (tfrazer-vald, inactive)