From 93319342b8bec591593ebac936318ce4682eafc7 Mon Sep 17 00:00:00 2001 From: kellyyangsong <69649063+kellyyangsong@users.noreply.github.com> Date: Thu, 18 Apr 2024 14:53:12 -0700 Subject: [PATCH] Bringing token exchange url commit into rel/v2 (#2774) * Allow token exchange URL configuration (#2767) * initial commit adding configurable token exchange url * Apply suggestions from code review Co-authored-by: Jean-Marc Prieur * use abstractions 5.2.0 * separate ctor overload * add msi fic support to changelog --------- Co-authored-by: Jean-Marc Prieur * bring back abstractions 5.2.0! --------- Co-authored-by: Jean-Marc Prieur --- Directory.Build.props | 2 +- changelog.md | 9 ++++++++- ...ssertionFromManagedIdentityCredentialLoader.cs | 10 +++------- .../CertificatelessConstants.cs | 11 +++++++++++ .../ManagedIdentityClientAssertion.cs | 15 ++++++++++++++- 5 files changed, 37 insertions(+), 10 deletions(-) create mode 100644 src/Microsoft.Identity.Web.Certificateless/CertificatelessConstants.cs diff --git a/Directory.Build.props b/Directory.Build.props index 5e3a0cad4..6724bdc3e 100644 --- a/Directory.Build.props +++ b/Directory.Build.props @@ -86,7 +86,7 @@ 4.36.0 4.57.0-preview 3.1.3 - 5.1.0 + 5.2.0 diff --git a/changelog.md b/changelog.md index 0c3c48f61..cb5cfcd17 100644 --- a/changelog.md +++ b/changelog.md @@ -1,3 +1,10 @@ +Pending Next Release +========= +- Update to Microsoft.Identity.Abstractions 5.2.0 + +### New features +- Added support for Managed Identity Federated Identity Credential. See issue [2749](https://github.com/AzureAD/microsoft-identity-web/issues/2749) for details. + 2.17.5 ========= - Updated to MSAL 4.59.1. @@ -12,7 +19,7 @@ 2.17.3 ========= - Updated to Microsoft.IdentityModel.* 7.5.0 - + 2.17.2 ========= diff --git a/src/Microsoft.Identity.Web.Certificate/SignedAssertionFromManagedIdentityCredentialLoader.cs b/src/Microsoft.Identity.Web.Certificate/SignedAssertionFromManagedIdentityCredentialLoader.cs index 1067e1af4..84dad53af 100644 
--- a/src/Microsoft.Identity.Web.Certificate/SignedAssertionFromManagedIdentityCredentialLoader.cs
+++ b/src/Microsoft.Identity.Web.Certificate/SignedAssertionFromManagedIdentityCredentialLoader.cs
@@ -1,14 +1,10 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-using System;
-using System.Collections.Generic;
-using System.Net;
-using System.Text;
-using Azure.Identity;
 using System.Threading;
-using Microsoft.Identity.Abstractions;
 using System.Threading.Tasks;
+using Azure.Identity;
+using Microsoft.Identity.Abstractions;
 
 namespace Microsoft.Identity.Web
 {
@@ -23,7 +19,7 @@ public async Task LoadIfNeededAsync(CredentialDescription credentialDescription,
 ManagedIdentityClientAssertion? managedIdentityClientAssertion = credentialDescription.CachedValue as ManagedIdentityClientAssertion;
 if (credentialDescription.CachedValue == null)
 {
- managedIdentityClientAssertion = new ManagedIdentityClientAssertion(credentialDescription.ManagedIdentityClientId);
+ managedIdentityClientAssertion = new ManagedIdentityClientAssertion(credentialDescription.ManagedIdentityClientId, credentialDescription.TokenExchangeUrl);
 }
 try
 {
diff --git a/src/Microsoft.Identity.Web.Certificateless/CertificatelessConstants.cs b/src/Microsoft.Identity.Web.Certificateless/CertificatelessConstants.cs
new file mode 100644
index 000000000..15b0e749b
--- /dev/null
+++ b/src/Microsoft.Identity.Web.Certificateless/CertificatelessConstants.cs
@@ -0,0 +1,11 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Microsoft.Identity.Web.Certificateless
+{
+ internal class CertificatelessConstants
+ {
+ // Managed Identity Federated Identity Credential
+ internal const string DefaultTokenExchangeUrl = "api://AzureADTokenExchange";
+ }
+}
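Review bot: `CertificatelessConstants` only holds a `const` and is never instantiated, so it should be declared `internal static class CertificatelessConstants` to forbid instantiation and match the convention for constant holders. The comment above the constant names the feature but not what the value is; since the consumer in ManagedIdentityClientAssertion concatenates the `/.default` scope suffix onto it, a more useful comment would be `// Resource identifier used for the Managed Identity Federated Identity Credential token exchange; the "/.default" scope suffix is appended by the caller.` That makes it clear to future callers that the constant is a resource identifier, not a ready-to-use scope.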
diff --git a/src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertion.cs b/src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertion.cs
index 80fea702b..2aad3fa0a 100644
--- a/src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertion.cs
+++ b/src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertion.cs
@@ -5,6 +5,7 @@
 using System.Threading.Tasks;
 using Azure.Core;
 using Azure.Identity;
+using Microsoft.Identity.Web.Certificateless;
 
 namespace Microsoft.Identity.Web
 {
@@ -14,6 +15,7 @@ namespace Microsoft.Identity.Web
 public class ManagedIdentityClientAssertion : ClientAssertionProviderBase
 {
 private readonly TokenCredential _credential;
+ private readonly string _tokenExchangeUrl;
 
 ///
 /// See https://aka.ms/ms-id-web/certificateless.
@@ -34,6 +36,17 @@ public ManagedIdentityClientAssertion(string? managedIdentityClientId)
 ExcludeVisualStudioCodeCredential = true,
 ExcludeVisualStudioCredential = true
 });
+ _tokenExchangeUrl = CertificatelessConstants.DefaultTokenExchangeUrl;
+ }
+
+ ///
+ /// See https://aka.ms/ms-id-web/certificateless.
+ ///
+ /// Optional ClientId of the Managed Identity or Workload Identity
+ /// Optional token exchange resource url. Default value is "api://AzureADTokenExchange/.default".
+ public ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl) : this (managedIdentityClientId)
+ {
+ _tokenExchangeUrl = tokenExchangeUrl ?? CertificatelessConstants.DefaultTokenExchangeUrl;
 }
 
 ///
@@ -44,7 +57,7 @@ public ManagedIdentityClientAssertion(string? managedIdentityClientId)
 protected override async Task GetClientAssertion(CancellationToken cancellationToken)
 {
 var result = await _credential.GetTokenAsync(
- new TokenRequestContext(["api://AzureADTokenExchange/.default"], null),
+ new TokenRequestContext([_tokenExchangeUrl+"./default"], null),
 cancellationToken).ConfigureAwait(false);
 return new ClientAssertion(result.Token, result.ExpiresOn);
 }
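Review bot: The parameter documentation on the new two-argument constructor says the default value is "api://AzureADTokenExchange/.default", but `DefaultTokenExchangeUrl` is "api://AzureADTokenExchange" and the scope suffix is only appended in GetClientAssertion, so the doc line should read `/// <param name="tokenExchangeUrl">Optional token exchange resource url. Default value is "api://AzureADTokenExchange"; the "/.default" scope suffix is appended when the token is requested.</param>`. Because the value is concatenated verbatim, a caller that passes a trailing slash or an already-suffixed scope would presumably produce a malformed scope; normalising here with `_tokenExchangeUrl = (tokenExchangeUrl ?? CertificatelessConstants.DefaultTokenExchangeUrl).TrimEnd('/');` and stating in the doc that the value must be a resource identifier without the scope suffix would make the contract explicit. Chaining to the one-argument constructor also assigns `_tokenExchangeUrl` twice; it is harmless, but inverting the chain so the one-argument overload delegates to the two-argument one with `null` would avoid it. The one-argument constructor's body begins outside this hunk.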
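Review bot: The scope suffix on the added line is wrong: `_tokenExchangeUrl+"./default"` produces "api://AzureADTokenExchange./default" for the default value, whereas the removed line requested "api://AzureADTokenExchange/.default", so every token request built from this code asks for a scope that does not match the intended resource. The line should be `new TokenRequestContext([_tokenExchangeUrl + "/.default"], null),`. A unit test that asserts the scope passed to the credential for the default constructor would pin this and catch the regression.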