Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow the use of a client assertion in OnBehalfOfCredential #43769

Closed
MitchBodmer opened this issue Apr 29, 2024 · 2 comments · Fixed by #44368
Closed

Allow the use of a client assertion in OnBehalfOfCredential #43769

MitchBodmer opened this issue Apr 29, 2024 · 2 comments · Fixed by #44368
Assignees
@christothes
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. feature-request This issue requires a new behavior in the product in order be resolved. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team
Milestone
2024-06

Comments

@MitchBodmer
Copy link

MitchBodmer commented Apr 29, 2024
edited
Loading

Library name

Azure.Identity

Please describe the feature.

Currently it's possible to use MSAL to get an On-Behalf-Of token with a signed assertion from, for example, a managed identity like this:

AuthenticationResult authenticationResult = 
     await ConfidentialClientApplicationBuilder
          .Create(myAppId)
          .WithTenantId(myTenantId)
          .WithClientAssertion(new ManagedIdentityClientAssertion(myManagedIdentityClientId).GetSignedAssertion)
          .Build()
          .AcquireTokenOnBehalfOf(
               [myScope],
               new UserAssertion(myUserAccessToken))
          .WithSendX5C(true)
          .ExecuteAsync(cancellationToken)
          .ConfigureAwait(false);

My organization is moving away from secrets/certificates and toward federated credentials with managed identities, and it's forced me back to MSAL when I would much rather use Azure.Identity and the OnBehalfOfCredential. Something like:

AccessToken accessToken = 
    await new OnBehalfOfCredential(
        myTenantId,
        myAppId,
        new ManagedIdentityClientAssertion(myManagedIdentityClientId).GetSignedAssertion,
        myUserAccessToken,
        myOnBehalfOfCredentialOptions)
    .GetTokenAsync(new TokenRequestContext([myScope]), cancellationToken)
    .ConfigureAwait(false);
@github-actions github-actions bot added Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Apr 29, 2024
@github-actions GitHub Actions
Copy link

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@MitchBodmer
Copy link
Author

Here are a few related requests in other non-.Net projects:
Azure/azure-sdk-for-js#28726
AzureAD/microsoft-authentication-library-for-js#7013

@scottaddie scottaddie added the feature-request This issue requires a new behavior in the product in order be resolved. label May 2, 2024
@scottaddie scottaddie changed the title [FEATURE REQ] Allow the use of a client assertion in OnBehalfOfCredential. Allow the use of a client assertion in OnBehalfOfCredential May 2, 2024
@scottaddie scottaddie removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels May 2, 2024
@github-actions github-actions bot added the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label May 2, 2024
This was referenced May 2, 2024
Open
Open
Closed
Closed
@scottaddie scottaddie added this to the 2024-06 milestone May 2, 2024
@christothes christothes mentioned this issue Jun 3, 2024
Merged
@github-actions github-actions bot locked and limited conversation to collaborators Sep 3, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@christothes christothes

Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. feature-request This issue requires a new behavior in the product in order be resolved. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team
Projects
Azure Identity SDK Improvements
Archived in project
Milestone
2024-06
Development

Successfully merging a pull request may close this issue.

Client Assertion for OnBehalfOfCredential christothes/azure-sdk-for-net
3 participants
@christothes @MitchBodmer @scottaddie