Possible regression with using `ManagedIdentityClientAssertion` and AKS Workload Identity
sebader opened this issue · comments
Microsoft.Identity.Web Library
Microsoft.Identity.Web
Microsoft.Identity.Web version
2.18.1
Web app
Not Applicable
Web API
Protected web APIs call downstream web APIs
Token cache serialization
In-memory caches
Description
I might have found a regression from #2797.
I'm using Microsoft.Identity.ServiceEssentials.AspNetCore and just updated that to version 1.25.0 (previously I was using 1.24.0). Under the hood this references Microsoft.Identity.Web 2.18.1.
Tagging @jennyf19
Reproduction steps
Running on AKS with Workload Identity
```csharp
// Client assertion obtained through the Managed Identity token-exchange path
var app = ConfidentialClientApplicationBuilder.Create(_ClientId)
    .WithClientAssertion(new ManagedIdentityClientAssertion(_msiClientId).GetSignedAssertion)
    .WithAuthority(_cloudInstance, requestContext.TenantId)
    .WithAzureRegion(_azureRegion)
    .Build();
var result = await app.AcquireTokenForClient(requestContext.Scopes).ExecuteAsync(cancellationToken);
```
Error message
```text
---> Azure.Identity.AuthenticationFailedException: ClientAssertionCredential authentication failed: AADSTS1002012: The provided value for scope api://AzureADTokenExchange is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI). Trace ID: e62816e2-682e-471d-9697-ebc0357a0d00 Correlation ID: aaf4caa6-ed82-46e4-8fe7-ad8fe97dd0f1 Timestamp: 2024-05-16 09:20:43Z
---> MSAL.NetCore.4.60.3.0.MsalServiceException:
ErrorCode: invalid_scope
Microsoft.Identity.Client.MsalServiceException: AADSTS1002012: The provided value for scope api://AzureADTokenExchange is not valid. Client credential flows must have a scope value with /.default suf
   at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)
   at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponse[T](HttpResponse response, RequestContext requestContext)
   at Microsoft.Identity.Client.OAuth2.OAuth2Client.ExecuteRequestAsync[T](Uri endPoint, HttpMethod method, RequestContext requestContext, Boolean expectErrorsOn200OK, Boolean addCommonHeaders, Func`
   at Microsoft.Identity.Client.OAuth2.TokenClient.SendHttpAndClearTelemetryAsync(String tokenEndpoint, ILoggerAdapter logger)
   at Microsoft.Identity.Client.OAuth2.TokenClient.SendHttpAndClearTelemetryAsync(String tokenEndpoint, ILoggerAdapter logger)
   at Microsoft.Identity.Client.OAuth2.TokenClient.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, String scopeOverride, String tokenEndpointOverride, CancellationToken cancellationToke
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
   at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
```
Id Web logs
No response
Relevant code snippets
See above
Regression
Microsoft.Identity.Web 2.17.5
Expected behavior
Working token flow
@bgavrilMS looks like MSAL is not doing the same as Azure SDK...can you take a look? Thanks.
@bgavrilMS @jennyf19 any update on this? We are starting to get flagged for not updating to the latest available version of the SDK...
Thanks!
@jennyf19 - ID.Web certificateless is not (yet) using MSAL. The failure on STEP 2 is not controllable by MSAL.
@sebader - federation through AKS is not the same as through Managed Identity. Can you try to use "SourceType": "SignedAssertionFilePath" ?
https://github.com/AzureAD/microsoft-identity-web/wiki/v2.0#common-configuration
Duplicate of #2893
I can give that a try. Why was this working in previous versions, though, without any additional configuration?
Please also review the revised documentation on FICs @sebader https://review.learn.microsoft.com/en-us/identity/microsoft-identity-platform/federated-identity-credentials?branch=main&tabs=dotnet
I think the way you use the API ... you need to refer to https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web.Certificateless/AzureIdentityForKubernetesClientAssertion.cs instead of ManagedIdentityClientAssertion
Using AzureIdentityForKubernetesClientAssertion sounds like the right path. What I'm missing there: how can I set the clientId when using that? We have multiple MSIs federated with one Workload Identity, so we need to specify the clientId. On ManagedIdentityClientAssertion you could set that in the ctor.
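As an added illustration (not code from this thread or from Microsoft.Identity.Web), this is what the file-based federation path looks like written directly against MSAL: the assertion is the projected service-account token that AKS Workload Identity mounts at the path in AZURE_FEDERATED_TOKEN_FILE, and the client id of the identity holding the federated credential goes to ConfidentialClientApplicationBuilder.Create rather than into the assertion provider. The class name, the 5-minute refresh margin and the tenant/scope parameters are assumptions; AzureIdentityForKubernetesClientAssertion linked above is the library's own class for this path.

```csharp
using System;
using System.IO;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
// Hypothetical helper: reads the projected service-account token that AKS Workload Identity
// mounts into the pod and presents it as the client assertion. This is the file-based
// federation path, not the Managed Identity token exchange that failed with AADSTS1002012.
public sealed class FederatedTokenFileAssertion
{
    private readonly string _path;
    private string? _cached;
    private DateTimeOffset _refreshAt;
    public FederatedTokenFileAssertion(string? path = null) =>
        _path = path ?? Environment.GetEnvironmentVariable("AZURE_FEDERATED_TOKEN_FILE")
            ?? throw new InvalidOperationException("AZURE_FEDERATED_TOKEN_FILE not set; is Workload Identity enabled on the pod?");

    // Matches MSAL's WithClientAssertion(Func<CancellationToken, Task<string>>) overload.
    public async Task<string> GetSignedAssertionAsync(CancellationToken ct)
    {
        // The kubelet rotates the projected token; re-read it a few minutes before "exp".
        if (_cached is not null && DateTimeOffset.UtcNow < _refreshAt) return _cached;
        _cached = (await File.ReadAllTextAsync(_path, ct)).Trim();
        _refreshAt = JwtExpiry(_cached) - TimeSpan.FromMinutes(5); // assumed margin
        return _cached;
    }

    // Reads only the "exp" claim; no signature check here, the token is just forwarded and
    // Entra ID validates it against the federated identity credential.
    private static DateTimeOffset JwtExpiry(string jwt)
    {
        string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload)));
        return DateTimeOffset.FromUnixTimeSeconds(doc.RootElement.GetProperty("exp").GetInt64());
    }

    // clientId is the app registration (or user-assigned identity) that holds the federated
    // identity credential for this service account; the assertion itself does not carry it.
    public static Task<AuthenticationResult> AcquireAsync(string clientId, string tenantId, string[] scopes, CancellationToken ct) =>
        ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientAssertion(new FederatedTokenFileAssertion().GetSignedAssertionAsync)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build()
            .AcquireTokenForClient(scopes)
            .ExecuteAsync(ct);
}
```

With several identities federated to one service account, each is selected by the clientId passed to AcquireAsync; the token file stays the same.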