diff --git a/Directory.Build.props b/Directory.Build.props
index 50b3f87ec..a58ff245c 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -87,7 +87,7 @@
 4.36.0
 4.57.0-preview
 3.1.3
- 5.1.0
+ 5.2.0
 9.0.0-preview.2.24128.5
 9.0.0-preview.2.24128.4
diff --git a/changelog.md b/changelog.md
index 316d8c7d1..8f537ed89 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,3 +1,10 @@
+Pending Next Release
+=========
+- Update to Microsoft.Identity.Abstractions 5.2.0
+
+### New features
+- Added support for Managed Identity Federated Identity Credential. See issue [2749](https://github.com/AzureAD/microsoft-identity-web/issues/2749) for details.
+
 2.17.2
 =========
diff --git a/src/Microsoft.Identity.Web.Certificate/SignedAssertionFromManagedIdentityCredentialLoader.cs b/src/Microsoft.Identity.Web.Certificate/SignedAssertionFromManagedIdentityCredentialLoader.cs
index 1067e1af4..84dad53af 100644
--- a/src/Microsoft.Identity.Web.Certificate/SignedAssertionFromManagedIdentityCredentialLoader.cs
+++ b/src/Microsoft.Identity.Web.Certificate/SignedAssertionFromManagedIdentityCredentialLoader.cs
@@ -1,14 +1,10 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
-using System;
-using System.Collections.Generic;
-using System.Net;
-using System.Text;
-using Azure.Identity;
 using System.Threading;
-using Microsoft.Identity.Abstractions;
 using System.Threading.Tasks;
+using Azure.Identity;
+using Microsoft.Identity.Abstractions;
 namespace Microsoft.Identity.Web
 {
@@ -23,7 +19,7 @@ public async Task LoadIfNeededAsync(CredentialDescription credentialDescription,
 ManagedIdentityClientAssertion? managedIdentityClientAssertion = credentialDescription.CachedValue as ManagedIdentityClientAssertion;
 if (credentialDescription.CachedValue == null)
 {
- managedIdentityClientAssertion = new ManagedIdentityClientAssertion(credentialDescription.ManagedIdentityClientId);
+ managedIdentityClientAssertion = new ManagedIdentityClientAssertion(credentialDescription.ManagedIdentityClientId, credentialDescription.TokenExchangeUrl);
 }
 try
 {
diff --git a/src/Microsoft.Identity.Web.Certificateless/CertificatelessConstants.cs b/src/Microsoft.Identity.Web.Certificateless/CertificatelessConstants.cs
new file mode 100644
index 000000000..15b0e749b
--- /dev/null
+++ b/src/Microsoft.Identity.Web.Certificateless/CertificatelessConstants.cs
@@ -0,0 +1,11 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Microsoft.Identity.Web.Certificateless
+{
+ internal class CertificatelessConstants
+ {
+ // Managed Identity Federated Identity Credential
+ internal const string DefaultTokenExchangeUrl = "api://AzureADTokenExchange";
+ }
+}
diff --git a/src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertion.cs b/src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertion.cs
index 80fea702b..2aad3fa0a 100644
--- a/src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertion.cs
+++ b/src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertion.cs
@@ -5,6 +5,7 @@
 using System.Threading.Tasks;
 using Azure.Core;
 using Azure.Identity;
+using Microsoft.Identity.Web.Certificateless;
 namespace Microsoft.Identity.Web
 {
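Review bot: The new constructor call is guarded by `credentialDescription.CachedValue == null`, but the value actually used afterwards is `credentialDescription.CachedValue as ManagedIdentityClientAssertion`, so a cached value of any other type leaves `managedIdentityClientAssertion` null and skips construction entirely. This is pre-existing, but since the commit edits that branch, `if (managedIdentityClientAssertion is null)` would make the guard match the object that is consumed. The added argument `credentialDescription.TokenExchangeUrl` is forwarded without any check; if that property is populated from configuration it selects the audience the managed-identity token is minted for, so either normalize it here or leave a comment that the `ManagedIdentityClientAssertion` constructor owns validation. LoadIfNeededAsync starts and continues outside this hunk.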
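Review bot: `CertificatelessConstants` holds a single `const` and is never instantiated, so it should be declared `internal static class CertificatelessConstants` so the compiler rejects accidental `new` and the intent is explicit. The comment `// Managed Identity Federated Identity Credential` names the feature rather than the value; since the `/.default` scope suffix is appended elsewhere in this commit, a reader needs to know the constant is the bare audience, e.g. `// Audience (resource) of the managed-identity token exchanged for a client assertion; the "/.default" scope suffix is appended by ManagedIdentityClientAssertion.` The member name says "Url" although the value is an application ID URI rather than something that is fetched, so `DefaultTokenExchangeAudience` would be more accurate, if the public `TokenExchangeUrl` property naming in Abstractions does not force the term.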
@@ -14,6 +15,7 @@ namespace Microsoft.Identity.Web
 public class ManagedIdentityClientAssertion : ClientAssertionProviderBase
 {
 private readonly TokenCredential _credential;
+ private readonly string _tokenExchangeUrl;
 ///
 /// See https://aka.ms/ms-id-web/certificateless.
@@ -34,6 +36,17 @@ public ManagedIdentityClientAssertion(string? managedIdentityClientId)
 ExcludeVisualStudioCodeCredential = true,
 ExcludeVisualStudioCredential = true
 });
+ _tokenExchangeUrl = CertificatelessConstants.DefaultTokenExchangeUrl;
+ }
+
+ ///
+ /// See https://aka.ms/ms-id-web/certificateless.
+ ///
+ /// Optional ClientId of the Managed Identity or Workload Identity
+ /// Optional token exchange resource url. Default value is "api://AzureADTokenExchange/.default".
+ public ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl) : this (managedIdentityClientId)
+ {
+ _tokenExchangeUrl = tokenExchangeUrl ?? CertificatelessConstants.DefaultTokenExchangeUrl;
 }
 ///
@@ -44,7 +57,7 @@ public ManagedIdentityClientAssertion(string? managedIdentityClientId)
 protected override async Task GetClientAssertion(CancellationToken cancellationToken)
 {
 var result = await _credential.GetTokenAsync(
- new TokenRequestContext(["api://AzureADTokenExchange/.default"], null),
+ new TokenRequestContext([_tokenExchangeUrl+"./default"], null),
 cancellationToken).ConfigureAwait(false);
 return new ClientAssertion(result.Token, result.ExpiresOn);
 }
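Review bot: The `tokenExchangeUrl` parameter documentation states the default is `"api://AzureADTokenExchange/.default"`, but `CertificatelessConstants.DefaultTokenExchangeUrl` is `"api://AzureADTokenExchange"` and the scope suffix is appended in GetClientAssertion, so a caller who follows the doc and passes a value ending in `/.default` gets a doubled suffix. Document the parameter as the audience without the suffix: `/// <param name="tokenExchangeUrl">Optional audience (resource) of the managed identity token used as the client assertion, without the "/.default" suffix. Defaults to "api://AzureADTokenExchange".</param>`. The `??` fallback only covers null, so an empty or trailing-slash configuration value becomes part of the scope string unchanged; normalizing once here is cheap: `_tokenExchangeUrl = tokenExchangeUrl is { Length: > 0 } audience ? audience.TrimEnd('/') : CertificatelessConstants.DefaultTokenExchangeUrl;`. Assigning the readonly field in both chained constructors is legal, but the first assignment in the single-argument constructor is dead whenever the two-argument overload is used, which is worth a short comment.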
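Review bot: The scope is built as `_tokenExchangeUrl+"./default"`, which with the default constant yields `api://AzureADTokenExchange./default`; the removed line shows the intended suffix is `/.default`, so this is a typo that almost certainly causes every managed-identity token request from this provider to be rejected, and the failure only surfaces at first token acquisition rather than at construction. The fix is `new TokenRequestContext([_tokenExchangeUrl + "/.default"], null),`. Because the scope is fixed after construction, computing it once into a readonly field in the constructor and adding a unit test that asserts the exact scope string would have caught this and also avoids allocating a new array on every assertion.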