AzureAD · kellyyangsong · Apr 18, 2024 · Apr 16, 2024 · Apr 17, 2024 · Apr 18, 2024
@@ -87,7 +87,7 @@
     <MicrosoftGraphVersion>4.36.0</MicrosoftGraphVersion>
     <MicrosoftGraphBetaVersion>4.57.0-preview</MicrosoftGraphBetaVersion>
     <MicrosoftExtensionsHttpVersion>3.1.3</MicrosoftExtensionsHttpVersion>
-    <MicrosoftIdentityAbstractions>5.1.0</MicrosoftIdentityAbstractions>
+    <MicrosoftIdentityAbstractions>5.2.0</MicrosoftIdentityAbstractions>
     <NetNineRuntimeVersion> 9.0.0-preview.2.24128.5</NetNineRuntimeVersion>
     <AspNetCoreNineRuntimeVersion> 9.0.0-preview.2.24128.4</AspNetCoreNineRuntimeVersion>
   </PropertyGroup>

@@ -1,3 +1,10 @@
+Pending Next Release
+=========
+- Update to Microsoft.Identity.Abstractions 5.2.0
+
+### New features
+- Added support for Managed Identity Federated Identity Credential. See issue [2749](https://github.com/AzureAD/microsoft-identity-web/issues/2749) for details.
+
 2.17.2
 =========
 

@@ -1,14 +1,10 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-using System;
-using System.Collections.Generic;
-using System.Net;
-using System.Text;
-using Azure.Identity;
 using System.Threading;
-using Microsoft.Identity.Abstractions;
 using System.Threading.Tasks;
+using Azure.Identity;
+using Microsoft.Identity.Abstractions;
 
 namespace Microsoft.Identity.Web
 {
@@ -23,7 +19,7 @@ public async Task LoadIfNeededAsync(CredentialDescription credentialDescription,
                 ManagedIdentityClientAssertion? managedIdentityClientAssertion = credentialDescription.CachedValue as ManagedIdentityClientAssertion;
                 if (credentialDescription.CachedValue == null)
                 {
-                    managedIdentityClientAssertion = new ManagedIdentityClientAssertion(credentialDescription.ManagedIdentityClientId);
+                    managedIdentityClientAssertion = new ManagedIdentityClientAssertion(credentialDescription.ManagedIdentityClientId, credentialDescription.TokenExchangeUrl);
                 }
                 try
                 {

@@ -0,0 +1,11 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Microsoft.Identity.Web.Certificateless
+{
+    internal class CertificatelessConstants
+    {
+        // Managed Identity Federated Identity Credential
+        internal const string DefaultTokenExchangeUrl = "api://AzureADTokenExchange";
+    }
+}
@@ -5,6 +5,7 @@
 using System.Threading.Tasks;
 using Azure.Core;
 using Azure.Identity;
+using Microsoft.Identity.Web.Certificateless;
 
 namespace Microsoft.Identity.Web
 {
@@ -14,6 +15,7 @@ namespace Microsoft.Identity.Web
     public class ManagedIdentityClientAssertion : ClientAssertionProviderBase
     {
         private readonly TokenCredential _credential;
+        private readonly string _tokenExchangeUrl;
 
         /// <summary>
         /// See https://aka.ms/ms-id-web/certificateless.
@@ -34,6 +36,17 @@ public ManagedIdentityClientAssertion(string? managedIdentityClientId)
                     ExcludeVisualStudioCodeCredential = true,
                     ExcludeVisualStudioCredential = true
                 });
+            _tokenExchangeUrl = CertificatelessConstants.DefaultTokenExchangeUrl;
+        }
+
+        /// <summary>
+        /// See https://aka.ms/ms-id-web/certificateless.
+        /// </summary>
+        /// <param name="managedIdentityClientId">Optional ClientId of the Managed Identity or Workload Identity</param>
+        /// <param name="tokenExchangeUrl">Optional token exchange resource url. Default value is "api://AzureADTokenExchange/.default".</param>
+        public ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl) : this (managedIdentityClientId)
+        {
+            _tokenExchangeUrl = tokenExchangeUrl ?? CertificatelessConstants.DefaultTokenExchangeUrl;
         }
 
         /// <summary>
@@ -44,7 +57,7 @@ public ManagedIdentityClientAssertion(string? managedIdentityClientId)
         protected override async Task<ClientAssertion> GetClientAssertion(CancellationToken cancellationToken)
         {
             var result = await _credential.GetTokenAsync(
-                new TokenRequestContext(["api://AzureADTokenExchange/.default"], null),
+                new TokenRequestContext([_tokenExchangeUrl+"./default"], null),
                 cancellationToken).ConfigureAwait(false);
             return new ClientAssertion(result.Token, result.ExpiresOn);
         }