Skip to content

.Net: Adds support for providing own sql connection to the vector store connector #13421

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
MarvinPogoda wants to merge 2 commits into
base: main
Choose a base branch
from
Open

.Net: Adds support for providing own sql connection to the vector store connector #13421

MarvinPogoda wants to merge 2 commits into from

Conversation

@MarvinPogoda
Copy link

@MarvinPogoda MarvinPogoda commented Dec 17, 2025
edited
Loading

Motivation and Context

A connection string tends to carry secrets as plain text, which easily leak into logs, telemetry, or configuration dumps.

Description

Providing a Func avoids passing secrets around entirely and allows credentials to be resolved securely at connection-creation time.

Contribution Checklist
@MarvinPogoda MarvinPogoda requested a review from a team as a code owner December 17, 2025 12:59
@moonbox3 moonbox3 added the .NET Issue or Pull requests regarding .NET code label Dec 17, 2025
@github-actions github-actions bot changed the title .NET: Adds support for providing own sql connection to the vector store connector Dec 17, 2025
@MarvinPogoda
Copy link
Author

MarvinPogoda commented Dec 17, 2025

@microsoft-github-policy-service agree
@roji
Copy link
Member

roji commented Dec 31, 2025

@MarvinPogoda first, SqlClient provides multiple ways to connect to SQL Server without specifying the password in the connection string (SSPI, Active Directory auth, Entra ID...). These are indeed recommended as alternatives that remove the password entirely from your application.

If you're concerned about the connection string leaking, the above are the right techniques to prevent that; I'm not sure how accepting a SqlConnection provider quite achieves that. If the provided given by the user simply returns a SqlConnection constructed with a connection string, than this has achieved very little - the application still uses connection strings with passwords, and has only moved around the construction of the SqlConnection. On the other hand, if e.g. Entra ID is in use, then your proposed SqlConnection provider hasn't actually achieved anything, since the application was already secure. So how exactly do you see this as improving security?

I do agree that it makes sense to have a concept of a "connection factory" in SqlClient, which is responsible for all the details of constructing an authentication and closes over all the possible configuration. That's the idea behind the ADO.NET DbDataSource abstraction - see dotnet/SqlClient#2119 for the issue tracking this on the SqlClient side. With the PostgreSQL provider, for example, instead of passing in a connection string one can pass in an NpgsqlDataSource, which is conceptually similar to your Func - but is a first-class concept of the database driver itself. Once SqlClient implements SqlDataSource (the issue above), I agree that we should absolutely accept it here, but I'd rather not introduce a separate Func in the meantime as proposed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

.NET Issue or Pull requests regarding .NET code

3 participants

@MarvinPogoda @roji @moonbox3