AzureAD / microsoft-identity-web

Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C
MIT License

`ManagedIdentityClientAssertion` moved to `Azure.Identity` or other nuget? #2821

Closed nschuessler closed 1 month ago

nschuessler commented 5 months ago

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

2.11.1

Web app

Sign-in users

Web API

Protected web APIs (validating tokens)

Token cache serialization

In-memory caches

Description

For the following code:

    this.credential = new ClientAssertionCredential(
        resourceTenantId,
        aadClientId,
        new ManagedIdentityClientAssertion(msiClientId).GetSignedAssertion);

It requires the NuGet package Microsoft.Identity.Web, which pulls in lots of ASP.NET libraries. If you need this authentication in a console app (for example, to authenticate to an Azure queue), it exposes you to a lot of unnecessary dependencies, which cause deployment and security issues in keeping all those packages up to date.

Shouldn't ManagedIdentityClientAssertion be moved to the main Azure.Identity library?

Reproduction steps

  1. Add the above clip of code to a console application
  2. Add Microsoft.Identity.Web to the solution.
  3. Observe all the unused dependencies that come with it.

Error message

N/A

Id Web logs

N/A

Relevant code snippets

    this.credential = new ClientAssertionCredential(
        resourceTenantId,
        aadClientId,
        new ManagedIdentityClientAssertion(msiClientId).GetSignedAssertion);

Regression

No response

Expected behavior

We shouldn't have to have web specific libraries when doing general authentication tasks.

jmprieur commented 5 months ago

It's being moved to MSAL.NET cc: @bgavrilMS

nschuessler commented 3 months ago

@bgavrilMS It appears the GetSignedAssertion method has been moved in 3.0+. Is there an example of how code that used this method should be converted?

    ClientAssertionCredential credential = new ClientAssertionCredential(
        resourceTenantId,
        aadClientId,
        new ManagedIdentityClientAssertion(msiClientId).GetSignedAssertion);

nschuessler commented 3 months ago

Appears this may be the solution:

    ClientAssertionCredential credential = new ClientAssertionCredential(
        resourceTenantId,
        aadClientId,
        async cancellationToken =>
        {
            var assertion = new ManagedIdentityClientAssertion(msiClientId);
            AssertionRequestOptions options = new AssertionRequestOptions()
            {
                CancellationToken = cancellationToken,
            };
            return await assertion.GetSignedAssertionAsync(options);
        });

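
A fuller migrated version of the snippet above, written here as an added example rather than code from the thread or from the library: it builds the assertion provider once so its cached assertion is reused across callbacks, passes the caller's cancellation token through, and plugs the credential into the Azure queue client the original post mentions. The tenant, client and managed-identity ids and the queue URI are assumed to come from environment variables and are placeholders.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Identity;              // ClientAssertionCredential
using Azure.Storage.Queues;        // QueueClient
using Microsoft.Identity.Client;   // AssertionRequestOptions (MSAL.NET)
using Microsoft.Identity.Web;      // ManagedIdentityClientAssertion (3.x)

// Added example, not from the issue: a console app that uses the 3.x
// GetSignedAssertionAsync API with Azure.Identity's ClientAssertionCredential.
// The ids and queue URI are placeholders read from environment variables.
static class Program
{
    static async Task Main()
    {
        string resourceTenantId = Environment.GetEnvironmentVariable("RESOURCE_TENANT_ID")!;
        string aadClientId      = Environment.GetEnvironmentVariable("AAD_CLIENT_ID")!;
        string msiClientId      = Environment.GetEnvironmentVariable("MSI_CLIENT_ID")!;
        var queueUri            = new Uri(Environment.GetEnvironmentVariable("QUEUE_URI")!);

        // Create the provider once. Its base class (ClientAssertionProviderBase)
        // caches the signed assertion until shortly before it expires, so creating
        // a new instance inside every callback would throw that cache away and
        // call the managed-identity endpoint on each token request.
        var assertionProvider = new ManagedIdentityClientAssertion(msiClientId);

        // Azure.Identity invokes this callback whenever it needs a client assertion;
        // forward its cancellation token so a cancelled request also cancels the
        // managed-identity call.
        var credential = new ClientAssertionCredential(
            resourceTenantId,
            aadClientId,
            cancellationToken => assertionProvider.GetSignedAssertionAsync(
                new AssertionRequestOptions { CancellationToken = cancellationToken }));

        // Any Azure SDK client that accepts a TokenCredential can now use it;
        // no ASP.NET hosting is involved in this console app.
        var queue = new QueueClient(queueUri, credential);
        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(30));
        await queue.CreateIfNotExistsAsync(cancellationToken: cts.Token);
        await queue.SendMessageAsync("hello from a console app", cts.Token);
    }
}
```

The app identity (aadClientId) still needs a federated identity credential that trusts the managed identity, and that identity needs a data-plane role on the queue; neither is configured by this code.
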
bgavrilMS commented 1 month ago

It is done in 3.10