Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

2.17.4

Web app

Sign-in users

Web API

Protected web APIs (validating tokens)

Token cache serialization

In-memory caches

Description

The MSI FIC token is normally requested for the resource api://AzureADTokenExchange. It turns out that for other clouds, this magic string is different:

Fairfax: api://AzureADTokenExchangeUSGov
Mooncake: api://AzureADTokenExchangeChina

Sadly for some air-gapped clouds it's also different and that cannot be hardcoded in MSAL / Id.Web; Even for sovereign clouds we should not hardcode cloud aliases, as these change over time.

Reproduction steps

Try FIC in Mooncake.

Error message

No response

Id Web logs

No response

Relevant code snippets

https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertion.cs

Regression

No response

Expected behavior

We need to provide a devex where app developers can configure this magic string. MSAL should hide this in public cloud.

CC @jmprieur @jennyf19

We can add a new property TokenExchangeUrl in the CredentialDescription. When not present we'd use api://AzureADTokenExchange.

Shouldn't be a P1, @bgavrilMS ?

@kellyyangsong:
We need:

• A new property string ? TokenExchangeUrl for instance here. This property can be null (will be null by default).
• We'd use it here if it's not null, and otherwise api://AzureADTokenExchange

Of course you'd need to add a parameter to the constructor, and use it in the CredentialLoader