[Feature Request] Add JWT credential support from Entra #3250

Open
bgavrilMS opened this issue Feb 20, 2025 · 0 comments
Labels
enhancement New feature or request feature request

Comments

bgavrilMS (Member) commented Feb 20, 2025

Is your feature request related to a problem? Please describe.

Federated Identity Credentials can come from:

  • an external Identity Provider like Kubernetes or GitHub (Id.Web supports this via SignedAssertionFilePath)
  • Entra itself, via MSI (Id.Web supports this via SignedAssertionFromManagedIdentity)
  • Entra itself, where the credential is a token from a different tenant or from a different cloud.

Describe the solution you'd like

A new credential named SignedAssertionFromIdentityProvider that supports getting an assertion from Entra.

  "AzureAd": {
      "Instance": "https://login.microsoftonline.com/",
      "TenantId": "T1",
      "ClientId": "c1",
      "ClientCredentials": [
          {
              "SourceType": "SignedAssertionFromIdentityProvider",   // new
              "ConfigSectionName": "AzureAdCredentialSource",        // new; with the help of AcquireTokenOptions.AuthenticationOptionsName
              "TokenExchangeUrl": "api://AzureADTokenExchange/"      // new; audience
          }
      ]
  },
  "AzureAdCredentialSource": {                                       // new section
      "Instance": "https://login.microsoftonline.com/",              // could be different cloud
      "TenantId": "T2",
      "ClientId": "c2",
      "ClientCredentials": [                                         // the "bottom turtle" needs to have a credential
          {
              "SourceType": "KeyVault",
              "KeyVaultUrl": "https://webappsapistests.vault.azure.net",
              "KeyVaultCertificateName": "Self-Signed-5-5-22"
          }
      ],
      "SendX5C": true,
      "AzureRegion": "westus"
  }

Note: bottom turtle reference

Multiple credential chaining

The experience above shows 1 hop chaining, but there are scenarios where there could be several hops, i.e. "AzureAd" uses a credential from "AzureAdCredentialSource1" which in turn uses a credential from "AzureAdCredentialSource2", which in turn uses a certificate.

Audience

The audience (TokenExchangeUrl) is mandatory, to prevent app developers from using api://AzureADTokenExchange/ in other clouds. This URL is for the public cloud only.

The SDK shall take care of adding /.default when making the token request.

Implementation Details

Internally, this should reuse the TokenAcquisition classes that use MSAL.
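Added example, not code from Id.Web, MSAL or the issue author: a runnable model of the credential chain described above, covering the multi-hop case and the audience rule. Resolution is bottom-up, so the "bottom turtle" authenticates with its certificate, receives a token whose audience is the configured TokenExchangeUrl, and that token is presented as the client_assertion (type urn:ietf:params:oauth:client-assertion-type:jwt-bearer) of the section above it, hop by hop, until the "AzureAd" section gets its own token. Everything that touches the wire is assumed: FakeEntra stands in for a cloud's token endpoint, its HMAC-signed JSON "tokens" are a simplification of real JWTs, the second cloud and its exchange audience (login.example-cloud.test, api://ExampleCloudTokenExchange) are hypothetical, and tenant/client ids are placeholders. Section and key names mirror the JSON in the issue, extended to the two-hop chain the author mentions.

```python
"""Model of the credential chain this issue proposes (added example, not Id.Web or MSAL code).

Bottom-up: the "bottom turtle" proves itself with a certificate and gets a token for the
token-exchange audience; that token is the client_assertion of the section above it, hop by
hop, until the top "AzureAd" section gets its own token. FakeEntra is a constructed stand-in
for a cloud's token endpoint; its HMAC-signed JSON "tokens" are a simplification of real JWTs.
"""
import base64
import hashlib
import hmac
import json

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
CLOUDS = {}       # Instance URL -> FakeEntra, so one cloud can verify tokens minted by another
REQUEST_LOG = []  # every token request made while resolving a chain, in the order it was sent


class ChainConfigError(ValueError):
    """Configuration the SDK should reject before sending any request."""


class FakeEntra:
    """Constructed stand-in for one cloud's token endpoint (not a real Entra endpoint)."""

    def __init__(self, instance, signing_key, exchange_audience):
        self.instance, self.signing_key = instance, signing_key
        self.exchange_audience = exchange_audience  # aud a federated assertion must carry here
        CLOUDS[instance] = self

    def _sign(self, claims):
        body = json.dumps(claims, sort_keys=True).encode()
        mac = hmac.new(self.signing_key, body, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(body).decode() + "." + mac

    @staticmethod
    def verify(token):
        """Check the token against the key of whichever cloud issued it; return its claims."""
        body_b64, mac = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        claims = json.loads(body)
        issuer = next(c for c in CLOUDS.values() if claims["iss"].startswith(c.instance))
        expected = hmac.new(issuer.signing_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            raise PermissionError("client_assertion signature does not verify")
        return claims

    def token(self, tenant, client_id, scope, credential):
        """client_credentials grant accepting a certificate or a federated client_assertion."""
        REQUEST_LOG.append({"instance": self.instance, "tenant": tenant, "client_id": client_id,
                            "scope": scope, "credential": credential})
        if credential["kind"] == "client_assertion":
            claims = self.verify(credential["assertion"])
            # An assertion minted for another cloud's exchange audience is rejected here: the
            # mistake the mandatory TokenExchangeUrl is meant to make explicit in config.
            if claims["aud"] != self.exchange_audience:
                raise PermissionError(f"assertion aud {claims['aud']!r} != {self.exchange_audience!r}")
        elif credential["kind"] != "certificate":
            raise PermissionError("unsupported credential")
        audience = scope[:-len("/.default")] if scope.endswith("/.default") else scope
        return self._sign({"iss": f"{self.instance}{tenant}/", "sub": client_id, "aud": audience})


def exchange_scope(token_exchange_url):
    """The SDK appends /.default itself; a trailing slash in the configured URL must not double up."""
    return token_exchange_url.rstrip("/") + "/.default"


def acquire_token(config, section_name, scope, _chain=()):
    """Token for `section_name`, resolving any SignedAssertionFromIdentityProvider hop first."""
    if section_name in _chain:
        raise ChainConfigError("credential chain loops: " + " -> ".join(_chain + (section_name,)))
    section = config[section_name]
    cred = section["ClientCredentials"][0]  # this model resolves only the first credential
    if cred["SourceType"] == "SignedAssertionFromIdentityProvider":
        if not cred.get("TokenExchangeUrl"):
            raise ChainConfigError(f"{section_name}: TokenExchangeUrl is mandatory")
        assertion = acquire_token(config, cred["ConfigSectionName"],
                                  exchange_scope(cred["TokenExchangeUrl"]), _chain + (section_name,))
        credential = {"kind": "client_assertion", "type": CLIENT_ASSERTION_TYPE, "assertion": assertion}
    elif cred["SourceType"] == "KeyVault":
        credential = {"kind": "certificate", "certificate": cred["KeyVaultCertificateName"],
                      "send_x5c": bool(section.get("SendX5C", False))}
    else:
        raise ChainConfigError(f"{section_name}: unsupported SourceType {cred['SourceType']!r}")
    return CLOUDS[section["Instance"]].token(section["TenantId"], section["ClientId"], scope, credential)


# Constructed clouds and a two-hop chain mirroring the issue's JSON; ids are placeholders.
PUBLIC = "https://login.microsoftonline.com/"
OTHER = "https://login.example-cloud.test/"  # hypothetical second cloud with its own exchange audience
FakeEntra(PUBLIC, b"public-cloud-signing-key", "api://AzureADTokenExchange")
FakeEntra(OTHER, b"other-cloud-signing-key", "api://ExampleCloudTokenExchange")


def federated(section_name, token_exchange_url="api://AzureADTokenExchange/"):
    return {"SourceType": "SignedAssertionFromIdentityProvider",
            "ConfigSectionName": section_name, "TokenExchangeUrl": token_exchange_url}


CONFIG = {
    "AzureAd": {"Instance": PUBLIC, "TenantId": "T1", "ClientId": "c1",
                "ClientCredentials": [federated("AzureAdCredentialSource1")]},
    "AzureAdCredentialSource1": {"Instance": PUBLIC, "TenantId": "T2", "ClientId": "c2",
                                 "ClientCredentials": [federated("AzureAdCredentialSource2")]},
    "AzureAdCredentialSource2": {"Instance": OTHER, "TenantId": "T3", "ClientId": "c3", "SendX5C": True,
                                 "ClientCredentials": [{"SourceType": "KeyVault",
                                                        "KeyVaultCertificateName": "Self-Signed-5-5-22"}]},
}


def resolve_chain(config=CONFIG, top="AzureAd", scope="https://graph.microsoft.com/.default"):
    """Run the chain for `top`; returns the final token and the ordered requests it took."""
    REQUEST_LOG.clear()
    return acquire_token(config, top, scope), list(REQUEST_LOG)
```

`resolve_chain()` produces three token requests in bottom-up order (c3 with its certificate in the second cloud, then c2 and c1 each with a client_assertion), and the final token is for c1 in T1. Three checks a practitioner would want from the real implementation are visible in the model: a chain that refers back to a section already being resolved is rejected before any request is sent, a hop without TokenExchangeUrl is rejected the same way, and a section hosted in a non-public cloud that is still configured with the public api://AzureADTokenExchange/ audience fails at the token endpoint with an audience mismatch rather than silently. A real federated identity credential also pins the issuer and subject of the incoming assertion; the model only checks the audience, which is the part the TokenExchangeUrl rule in the issue is about.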
