[Feature Request] Is MSAL.Net compatible with workload identity federation credential? #4368
Comments
SCOMnewbie
added
needs attention
|
What is the other federation provider that you intend to use there? Is it external (e.g. GitHub) or internal (i.e. AAD - for multi-tenantcy scenarios)? I expect that can use I would think you'd want to do something like this: public async Task<string> FetchGitHubTokenAsync()
{
// logic to get token from cache or from GitHub
return token;
}
var cca = ConfidentialClientApplicationBuilder
.Create(client_id)
// easy token caching,
// for high scale see
// https://learn.microsoft.com/en-us/entra/msal/dotnet/how-to/token-cache-serialization?tabs=aspnet
.WithCacheOptions(CacheOptions.WithCacheOptions)
.WithClientAssertion((options) => FetchGitHubTokenAsync() )
.Build();
var result = await cca.AcquireTokenForClient(new[] { "resource/.default "}).ExecuteAsync();It's important to think about the lifetime of objects:
|
bgavrilMS
added
bug
documentation
P3
and removed
untriaged
|
We should update the We should also have a code snippet on https://learn.microsoft.com/en-us/azure/active-directory/workload-identities/workload-identity-federation that showcases this. |
|
There is also a specialization for managed identity federation with MSI (private preview) and managed identity federation for AKS. See https://github.com/AzureAD/microsoft-identity-web/wiki/v2.0#credentials-are-generalizing-certificates |
|
Thank you for the quick answer. WithClientAssertion was my choice, but every time, I've received the error message like "your JWT is malformed", this is where I've started to think that it was not implemented. When you read https://learn.microsoft.com/en-us/entra/msal/dotnet/acquiring-tokens/web-apps-apis/confidential-client-assertions, the only example Microsoft provides is when you forge your token yourself, sign it and use it with WithClientAssertion which is not the same scenario. Here what I try to do: https://azure.github.io/azure-workload-identity/docs/installation.html Long story short, workload identities on a K8s cluster. I look forward for the example you can provide. I will take a look at |
|
Hi @SCOMnewbie Am I right in understanding that you are trying to setup a From an SDK perspective, this should be possible with both MSAL and Azure Identity (they mostly use MSAL underneath and provide higher level APIs). As you can see in the examples, the code just uses MSAL via The docs do say It is not clear from the docs, but you have to create an application in your AAD tenant and establish trust between it and your Kubernetes token issuer. Was this done? 
then... 
I think our friends from Azure SDK are in a better position to help, as they have documented this scenario end to end https://github.com/Azure/azure-workload-identity/tree/main |
|
Hi @bgavrilMS, |
github-project-automation
bot
moved this from Committed High Priority
to Done
in MSAL Customer Trust / QM
|
@bgavrilMS Can we reopen? I was thinking about adding a doc on MS Learn - this question have been asked a few times. |
github-project-automation
bot
moved this from Done
to Committed High Priority
in MSAL Customer Trust / QM
|
I also created a PR to update the Workload Identity sample docs: |
github-project-automation
bot
moved this from Committed High Priority
to Done
in MSAL Customer Trust / QM
MSAL client type
Confidential
Problem Statement
Hi MSAL team,
After several hours in the docs, it seems MSAL.Net does not provide a way to interact with the workload identity federated credentials:
Is it me that missed the implementation? Or is it something you plan to provide later?
Cheers!
Proposed solution
No response
Alternatives
No response
The text was updated successfully, but these errors were encountered: