Azure/azure-sdk-for-net

Allow the use of a client assertion in OnBehalfOfCredential

Closed this issue · 2 comments

Library name

Azure.Identity

Please describe the feature.

Currently it's possible to use MSAL to get an On-Behalf-Of token with a signed assertion from, for example, a managed identity like this:

AuthenticationResult authenticationResult =
    await ConfidentialClientApplicationBuilder
        .Create(myAppId)
        .WithTenantId(myTenantId)
        .WithClientAssertion(new ManagedIdentityClientAssertion(myManagedIdentityClientId).GetSignedAssertion)
        .Build()
        .AcquireTokenOnBehalfOf(
            [myScope],
            new UserAssertion(myUserAccessToken))
        .WithSendX5C(true)
        .ExecuteAsync(cancellationToken)
        .ConfigureAwait(false);

My organization is moving away from secrets/certificates and toward federated credentials with managed identities, and it's forced me back to MSAL when I would much rather use Azure.Identity and the OnBehalfOfCredential. Something like:

AccessToken accessToken = 
    await new OnBehalfOfCredential(
        myTenantId,
        myAppId,
        new ManagedIdentityClientAssertion(myManagedIdentityClientId).GetSignedAssertion,
        myUserAccessToken,
        myOnBehalfOfCredentialOptions)
    .GetTokenAsync(new TokenRequestContext([myScope]), cancellationToken)
    .ConfigureAwait(false);
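For readers who want to see what the "signed assertion from a managed identity" in this request actually is, here is an added example (editor's code, not from the issue author or from the Azure SDK). It builds the client assertion by hand with Azure.Identity's ManagedIdentityCredential: a managed identity token issued for the audience api://AzureADTokenExchange is accepted by Entra ID as the client credential of an app registration whose federated identity credential trusts that managed identity, and that is the exchange ManagedIdentityClientAssertion performs. The assertion delegate is then handed to MSAL's existing OBO flow; the delegate has the same Func<CancellationToken, Task<string>> shape the request asks OnBehalfOfCredential to accept. The tenant, app and managed identity IDs and the scopes are placeholders, and the class name FederatedOboClient is invented for the example.

```csharp
// Added example: on-behalf-of flow with a managed identity as the federated client
// credential. Not code from the issue or the Azure SDK; identifiers are placeholders.
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Identity.Client;

public static class FederatedOboClient // hypothetical name for this example
{
    // Entra ID accepts a managed identity token minted for this audience as a client
    // assertion, provided the app registration has a federated identity credential
    // whose issuer/subject match the managed identity.
    private const string TokenExchangeScope = "api://AzureADTokenExchange/.default";

    // Assumed: a user-assigned managed identity; use the parameterless constructor
    // for a system-assigned one.
    private static readonly ManagedIdentityCredential s_managedIdentity =
        new ManagedIdentityCredential("<managed-identity-client-id>");

    // Client assertion provider. MSAL calls this whenever it needs to authenticate the
    // app, so a fresh, short-lived assertion is obtained each time and nothing is
    // persisted by this code; Azure.Identity caches the underlying token internally.
    private static async Task<string> GetManagedIdentityAssertionAsync(CancellationToken ct)
    {
        AccessToken exchangeToken = await s_managedIdentity
            .GetTokenAsync(new TokenRequestContext(new[] { TokenExchangeScope }), ct)
            .ConfigureAwait(false);
        return exchangeToken.Token;
    }

    // Confidential client authenticated by the assertion delegate. No certificate is
    // involved, so no x5c/SNI option is needed here.
    private static readonly IConfidentialClientApplication s_app =
        ConfidentialClientApplicationBuilder
            .Create("<app-client-id>")
            .WithTenantId("<tenant-id>")
            .WithClientAssertion(GetManagedIdentityAssertionAsync)
            .Build();

    // Exchanges a validated incoming user token for a token to the downstream API.
    // The caller's authentication middleware must have validated incomingUserToken
    // (signature, issuer, audience, expiry) before it reaches this method; OBO only
    // exchanges the token, it does not validate it for you.
    public static async Task<string> AcquireDownstreamTokenAsync(
        string incomingUserToken,
        string downstreamScope, // e.g. "api://<downstream-app-id>/.default"
        CancellationToken ct)
    {
        AuthenticationResult result = await s_app
            .AcquireTokenOnBehalfOf(new[] { downstreamScope }, new UserAssertion(incomingUserToken))
            .ExecuteAsync(ct)
            .ConfigureAwait(false);
        return result.AccessToken;
    }
}
```

Two operational points follow from how this works: the federated identity credential on the app registration is what binds the managed identity to the app, so scoping it to exactly one issuer/subject pair is the least-privilege control; and because the managed identity token only ever travels to the Entra ID token endpoint as an assertion, rotating or revoking it is handled by the platform rather than by a secret or certificate lifecycle in your code.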

Thank you for your feedback. Tagging and routing to the team member best able to assist.

Here are a few related requests in other non-.Net projects:
Azure/azure-sdk-for-js#28726
AzureAD/microsoft-authentication-library-for-js#7013