[Feature Request] Federated Identity Credential with Kubernetes on Azure Arc

[bgavrilMS]

Context

There are 2 types of Federated Identity Credential (FIC) - with external provider or with internal provider (MSI). This is about external provider, where the provider is Kubernetes.

The FIC scenario is:

LEG1: app asks for a token from external identity provider LEG2: app uses client_credentials OAuth flow to get token from

All MSALs can perform LEG2.

Request

The request is for MSAL to help perform LEG1 in a very specific case - Azure Arc enabled K8. The K8 team will provision a local http service that acts like an OAuth compliant Identity Provider. MSAL can request tokens from this provider just like it would from eSTS, with some minor changes:

• support for a custom authority?
• no instance discovery
• custom TLS certificate verification (i.e. the endpoint will have a self signed cert, and the thumbprint of that can be found in a well-known location)
• anything else?

Protocol details

TBD

Open questions

• how will MSAL know about being hosted on this environment?
• what will the authority look like?
• where will the TLS cert be picked up?
• will MSAL have enough information for token caching? For app tokens it's pretty simple - it's just clientID
• how does the request to this endpoint look like exactly? what params do we put on the wire? I assume it's only client_credentials flow. Will there be a secret or a cert?
• how will the end to end look like?

Alternative

Have you thought about using the "AppTokenProvider" - an extensibility point which allows the app developer to hook to any tokebn provider and leverage MSAL's cache. It is used by Azure SKD today to place tokens in MSAL

[bgavrilMS]

Will not be evolving MSAL GO past MSAL.NET