AzureAD / microsoft-identity-web

Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C

Possible regression with using `ManagedIdentityClientAssertion` and AKS Workload Identity

sebader opened this issue · comments

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

2.18.1

Web app

Not Applicable

Web API

Protected web APIs call downstream web APIs

Token cache serialization

In-memory caches

Description

I might have found a regression from #2797

I'm using Microsoft.Identity.ServiceEssentials.AspNetCore and just updated that to version 1.25.0 (previously I was using 1.24.0). Under the hood this references Microsoft.Identity.Web 2.18.1.

Tagging @jennyf19

Reproduction steps

Running on AKS with Workload Identity

    // Confidential client whose credential is a client assertion obtained from the Workload Identity (MSI-backed)
    var app = ConfidentialClientApplicationBuilder.Create(_ClientId)
        .WithClientAssertion(new ManagedIdentityClientAssertion(_msiClientId).GetSignedAssertion)
        .WithAuthority(_cloudInstance, requestContext.TenantId)
        .WithAzureRegion(_azureRegion)
        .Build();

    // Client-credentials flow for the requested scopes; this is the call that surfaces the AADSTS1002012 error below
    var result = await app.AcquireTokenForClient(requestContext.Scopes).ExecuteAsync(cancellationToken);

Error message

---> Azure.Identity.AuthenticationFailedException: ClientAssertionCredential authentication failed: AADSTS1002012: The provided value for scope api://AzureADTokenExchange is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI). Trace ID: e62816e2-682e-471d-9697-ebc0357a0d00 Correlation ID: aaf4caa6-ed82-46e4-8fe7-ad8fe97dd0f1 Timestamp: 2024-05-16 09:20:43Z
    ---> MSAL.NetCore.4.60.3.0.MsalServiceException:
       ErrorCode: invalid_scope
    Microsoft.Identity.Client.MsalServiceException: AADSTS1002012: The provided value for scope api://AzureADTokenExchange is not valid. Client credential flows must have a scope value with /.default suf
       at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)
       at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponse[T](HttpResponse response, RequestContext requestContext)
       at Microsoft.Identity.Client.OAuth2.OAuth2Client.ExecuteRequestAsync[T](Uri endPoint, HttpMethod method, RequestContext requestContext, Boolean expectErrorsOn200OK, Boolean addCommonHeaders, Func`
       at Microsoft.Identity.Client.OAuth2.TokenClient.SendHttpAndClearTelemetryAsync(String tokenEndpoint, ILoggerAdapter logger)
       at Microsoft.Identity.Client.OAuth2.TokenClient.SendHttpAndClearTelemetryAsync(String tokenEndpoint, ILoggerAdapter logger)
       at Microsoft.Identity.Client.OAuth2.TokenClient.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, String scopeOverride, String tokenEndpointOverride, CancellationToken cancellationToke
       at Microsoft.Identity.Client.Internal.Requests.RequestBase.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, CancellationToken cancellationToken)
       at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
       at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken)
       at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()

Id Web logs

No response

Relevant code snippets

See above

Regression

Microsoft.Identity.Web 2.17.5

Expected behavior

Working token flow

@bgavrilMS looks like MSAL is not doing the same as Azure SDK...can you take a look? Thanks.

@bgavrilMS @jennyf19 any update on this? We are starting to get flagged for not updating to the latest available version of the SDK...
Thanks!

@jennyf19 - ID.Web certificateless is not (yet) using MSAL. The failure on STEP 2 is not controllable by MSAL.

@sebader - federation through AKS is not the same as through Managed Identity. Can you try to use "SourceType": "SignedAssertionFilePath" ?

https://github.com/AzureAD/microsoft-identity-web/wiki/v2.0#common-configuration

Duplicate of #2893

I can give that a try. Why was this working in previous versions, though, without any additional configuration?

Using AzureIdentityForKubernetesClientAssertion sounds like the right path. What I'm missing there: How can I set the clientId when using that? We have multiple MSIs federated with one Workload Identity, so we need to specify the clientId. On ManagedIdentityClientAssertion you could set that in the ctor.
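As an added example (not code from this issue or from the Id.Web project), here is the repro's builder rewired to the AKS projected service-account token that the "SignedAssertionFilePath" / AzureIdentityForKubernetesClientAssertion path reads, with a pre-flight check on the token's audience and expiry so a misconfigured federated credential fails locally with a clear message instead of at the token endpoint. It assumes the Microsoft.Identity.Web.Certificateless package, a pod with Workload Identity enabled whose federated credentials use the default api://AzureADTokenExchange audience, and the file-path constructor overload of AzureIdentityForKubernetesClientAssertion.

```csharp
using System;
using System.IO;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Web;

static class WorkloadIdentityTokenFlow
{
    // Added example, not Id.Web code. Decodes the projected service-account token and
    // checks it is usable as a client assertion: the audience must match the federated
    // credential (api://AzureADTokenExchange is the AKS default) and it must not be expired.
    // The signature is not verified here; Entra ID does that against the cluster's OIDC issuer.
    public static string CheckProjectedAssertion(string filePath, string expectedAudience = "api://AzureADTokenExchange")
    {
        string jwt = File.ReadAllText(filePath).Trim();
        string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(payload));
        JsonElement root = doc.RootElement;
        JsonElement audElement = root.GetProperty("aud");
        string? aud = audElement.ValueKind == JsonValueKind.Array ? audElement[0].GetString() : audElement.GetString();
        if (aud != expectedAudience)
            throw new InvalidOperationException($"Token audience '{aud}' does not match federated credential audience '{expectedAudience}'.");
        if (DateTimeOffset.FromUnixTimeSeconds(root.GetProperty("exp").GetInt64()) <= DateTimeOffset.UtcNow)
            throw new InvalidOperationException("Projected token is expired; check the pod's projected token volume.");
        return jwt;
    }

    // Same builder shape as the issue's repro, but the assertion comes from the AKS projected
    // token file instead of ManagedIdentityClientAssertion. clientId is the app registration or
    // user-assigned MSI that the Kubernetes service account is federated with; the token request
    // carries it as client_id, which is what selects the identity when one SA is federated with several.
    public static async Task<AuthenticationResult> AcquireAsync(string clientId, string authority, string[] scopes)
    {
        // The Workload Identity webhook sets this variable; the fallback is the usual mount point (assumption).
        string tokenFile = Environment.GetEnvironmentVariable("AZURE_FEDERATED_TOKEN_FILE")
                           ?? "/var/run/secrets/azure/tokens/azure-identity-token";
        CheckProjectedAssertion(tokenFile);
        // Assumption: file-path constructor overload; the provider re-reads the file when MSAL asks for a fresh assertion.
        var assertionProvider = new AzureIdentityForKubernetesClientAssertion(tokenFile);
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientAssertion(assertionProvider.GetSignedAssertion)
            .WithAuthority(authority)
            .Build();
        return await app.AcquireTokenForClient(scopes).ExecuteAsync();
    }
}
```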