Allow the use of a client assertion in OnBehalfOfCredential
Closed this issue · 2 comments
MitchBodmer commented
Library name
Azure.Identity
Please describe the feature.
Currently it's possible to use MSAL to get an On-Behalf-Of token with a signed assertion from, for example, a managed identity like this:

```csharp
AuthenticationResult authenticationResult =
    await ConfidentialClientApplicationBuilder
        .Create(myAppId)
        .WithTenantId(myTenantId)
        .WithClientAssertion(new ManagedIdentityClientAssertion(myManagedIdentityClientId).GetSignedAssertion)
        .Build()
        .AcquireTokenOnBehalfOf(
            [myScope],
            new UserAssertion(myUserAccessToken))
        .WithSendX5C(true)
        .ExecuteAsync(cancellationToken)
        .ConfigureAwait(false);
```
My organization is moving away from secrets/certificates and toward federated credentials with managed identities, and it's forced me back to MSAL when I would much rather use Azure.Identity and the OnBehalfOfCredential. Something like:

```csharp
AccessToken accessToken =
    await new OnBehalfOfCredential(
            myTenantId,
            myAppId,
            new ManagedIdentityClientAssertion(myManagedIdentityClientId).GetSignedAssertion,
            myUserAccessToken,
            myOnBehalfOfCredentialOptions)
        .GetTokenAsync(new TokenRequestContext([myScope]), cancellationToken)
        .ConfigureAwait(false);
```
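Until Azure.Identity exposes such a constructor, the MSAL flow from the request can be wrapped in an Azure.Core `TokenCredential` so that Azure SDK clients consume the OBO token without a secret or certificate. This is an added example, not code from the issue author or the Azure SDK; it assumes `ManagedIdentityClientAssertion` from Microsoft.Identity.Web with the `GetSignedAssertion` method group exactly as used in the request, and the class name `AssertionOnBehalfOfCredential` is hypothetical.

```csharp
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Microsoft.Identity.Client;
using Microsoft.Identity.Web;

// Hypothetical bridge: MSAL On-Behalf-Of with a managed-identity signed assertion,
// surfaced as an Azure.Core TokenCredential for Azure SDK clients.
public sealed class AssertionOnBehalfOfCredential : TokenCredential
{
    private readonly IConfidentialClientApplication _app;
    private readonly UserAssertion _userAssertion;

    public AssertionOnBehalfOfCredential(
        string tenantId, string clientId, string managedIdentityClientId, string userAccessToken)
    {
        // Build the confidential client once; MSAL caches OBO tokens per user assertion,
        // so repeated GetToken calls for the same user do not hit the token endpoint each time.
        _app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithTenantId(tenantId)
            .WithClientAssertion(
                new ManagedIdentityClientAssertion(managedIdentityClientId).GetSignedAssertion)
            .Build();

        // The incoming user token that the downstream call is performed on behalf of.
        _userAssertion = new UserAssertion(userAccessToken);
    }

    public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
        // Synchronous path required by TokenCredential; blocks on the async flow.
        => GetTokenAsync(requestContext, cancellationToken).AsTask().GetAwaiter().GetResult();

    public override async ValueTask<AccessToken> GetTokenAsync(
        TokenRequestContext requestContext, CancellationToken cancellationToken)
    {
        // Scopes come from the Azure SDK client making the call (e.g. a storage or Graph client).
        AuthenticationResult result = await _app
            .AcquireTokenOnBehalfOf(requestContext.Scopes, _userAssertion)
            .WithSendX5C(true)
            .ExecuteAsync(cancellationToken)
            .ConfigureAwait(false);

        // Hand back the token and its expiry so Azure.Core can refresh it before it lapses.
        return new AccessToken(result.AccessToken, result.ExpiresOn);
    }
}
```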
github-actions commented
Thank you for your feedback. Tagging and routing to the team member best able to assist.
MitchBodmer commented
Here are a few related requests in other non-.NET projects:
Azure/azure-sdk-for-js#28726
AzureAD/microsoft-authentication-library-for-js#7013