Allow token exchange URL configuration (#2767)

* initial commit adding configurable token exchange url * Apply suggestions from code review Co-authored-by: Jean-Marc Prieur <[email protected]> * use abstractions 5.2.0 * separate ctor overload * add msi fic support to changelog --------- Co-authored-by: Jean-Marc Prieur <[email protected]>
AzureAD · Apr 18, 2024 · d98bea5 · d98bea5
1 parent fc5d24a
commit d98bea5
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 8 deletions.
diff --git a/changelog.md b/changelog.md
@@ -1,3 +1,10 @@
+Pending Next Release
+=========
+- Update to Microsoft.Identity.Abstractions 5.2.0
+
+### New features
+- Added support for Managed Identity Federated Identity Credential. See issue [2749](https://github.com/AzureAD/microsoft-identity-web/issues/2749) for details.
+
 2.17.2
 =========
 

diff --git a/src/Microsoft.Identity.Web.Certificate/SignedAssertionFromManagedIdentityCredentialLoader.cs b/src/Microsoft.Identity.Web.Certificate/SignedAssertionFromManagedIdentityCredentialLoader.cs
@@ -1,14 +1,10 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-using System;
-using System.Collections.Generic;
-using System.Net;
-using System.Text;
-using Azure.Identity;
 using System.Threading;
-using Microsoft.Identity.Abstractions;
 using System.Threading.Tasks;
+using Azure.Identity;
+using Microsoft.Identity.Abstractions;
 
 namespace Microsoft.Identity.Web
 {
@@ -23,7 +19,7 @@ public async Task LoadIfNeededAsync(CredentialDescription credentialDescription,
                 ManagedIdentityClientAssertion? managedIdentityClientAssertion = credentialDescription.CachedValue as ManagedIdentityClientAssertion;
                 if (credentialDescription.CachedValue == null)
                 {
-                    managedIdentityClientAssertion = new ManagedIdentityClientAssertion(credentialDescription.ManagedIdentityClientId);
+                    managedIdentityClientAssertion = new ManagedIdentityClientAssertion(credentialDescription.ManagedIdentityClientId, credentialDescription.TokenExchangeUrl);
                 }
                 try
                 {

diff --git a/src/Microsoft.Identity.Web.Certificateless/CertificatelessConstants.cs b/src/Microsoft.Identity.Web.Certificateless/CertificatelessConstants.cs
@@ -0,0 +1,11 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Microsoft.Identity.Web.Certificateless
+{
+    internal class CertificatelessConstants
+    {
+        // Managed Identity Federated Identity Credential
+        internal const string DefaultTokenExchangeUrl = "api://AzureADTokenExchange";
+    }
+}
diff --git a/src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertion.cs b/src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertion.cs
@@ -5,6 +5,7 @@
 using System.Threading.Tasks;
 using Azure.Core;
 using Azure.Identity;
+using Microsoft.Identity.Web.Certificateless;
 
 namespace Microsoft.Identity.Web
 {
@@ -14,6 +15,7 @@ namespace Microsoft.Identity.Web
     public class ManagedIdentityClientAssertion : ClientAssertionProviderBase
     {
         private readonly TokenCredential _credential;
+        private readonly string _tokenExchangeUrl;
 
         /// <summary>
         /// See https://aka.ms/ms-id-web/certificateless.
@@ -34,6 +36,17 @@ public ManagedIdentityClientAssertion(string? managedIdentityClientId)
                     ExcludeVisualStudioCodeCredential = true,
                     ExcludeVisualStudioCredential = true
                 });
+            _tokenExchangeUrl = CertificatelessConstants.DefaultTokenExchangeUrl;
+        }
+
+        /// <summary>
+        /// See https://aka.ms/ms-id-web/certificateless.
+        /// </summary>
+        /// <param name="managedIdentityClientId">Optional ClientId of the Managed Identity or Workload Identity</param>
+        /// <param name="tokenExchangeUrl">Optional token exchange resource url. Default value is "api://AzureADTokenExchange/.default".</param>
+        public ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl) : this (managedIdentityClientId)
+        {
+            _tokenExchangeUrl = tokenExchangeUrl ?? CertificatelessConstants.DefaultTokenExchangeUrl;
         }
 
         /// <summary>
@@ -44,7 +57,7 @@ public ManagedIdentityClientAssertion(string? managedIdentityClientId)
         protected override async Task<ClientAssertion> GetClientAssertion(CancellationToken cancellationToken)
         {
             var result = await _credential.GetTokenAsync(
-                new TokenRequestContext(["api://AzureADTokenExchange/.default"], null),
+                new TokenRequestContext([_tokenExchangeUrl+"./default"], null),
                 cancellationToken).ConfigureAwait(false);
             return new ClientAssertion(result.Token, result.ExpiresOn);
         }