AzureAD / microsoft-identity-web

Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C

Possible regression with using `ManagedIdentityClientAssertion` and AKS Workload Identity #2844

Open sebader opened 1 month ago

sebader commented 1 month ago

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

2.18.1

Web app

Not Applicable

Web API

Protected web APIs call downstream web APIs

Token cache serialization

In-memory caches

Description

I might have found a regression from https://github.com/AzureAD/microsoft-identity-web/pull/2797

I'm using Microsoft.Identity.ServiceEssentials.AspNetCore and just updated that to version 1.25.0 (prior I was using 1.24.0). This under the hood references Microsoft.Identity.Web 2.18.1

Tagging @jennyf19

Reproduction steps

Running on AKS with Workload Identity

var app = ConfidentialClientApplicationBuilder.Create(_ClientId)
    // ManagedIdentityClientAssertion obtains a token for api://AzureADTokenExchange from the
    // managed identity and hands it to MSAL as the client assertion; the error below is raised there
    .WithClientAssertion(new ManagedIdentityClientAssertion(_msiClientId).GetSignedAssertion)
    .WithAuthority(_cloudInstance, requestContext.TenantId)
    .WithAzureRegion(_azureRegion)
    .Build();

// Client credentials flow for the downstream API scopes
var result = await app.AcquireTokenForClient(requestContext.Scopes).ExecuteAsync(cancellationToken);

Error message

---> Azure.Identity.AuthenticationFailedException: ClientAssertionCredential authentication failed: AADSTS1002012: The provided value for scope api://AzureADTokenExchange is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI). Trace ID: e62816e2-682e-471d-9697-ebc0357a0d00 Correlation ID: aaf4caa6-ed82-46e4-8fe7-ad8fe97dd0f1 Timestamp: 2024-05-16 09:20:43Z
   ---> MSAL.NetCore.4.60.3.0.MsalServiceException:
      ErrorCode: invalid_scope
   Microsoft.Identity.Client.MsalServiceException: AADSTS1002012: The provided value for scope api://AzureADTokenExchange is not valid. Client credential flows must have a scope value with /.default suf
      at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)
      at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponse[T](HttpResponse response, RequestContext requestContext)
      at Microsoft.Identity.Client.OAuth2.OAuth2Client.ExecuteRequestAsync[T](Uri endPoint, HttpMethod method, RequestContext requestContext, Boolean expectErrorsOn200OK, Boolean addCommonHeaders, Func`
      at Microsoft.Identity.Client.OAuth2.TokenClient.SendHttpAndClearTelemetryAsync(String tokenEndpoint, ILoggerAdapter logger)
      at Microsoft.Identity.Client.OAuth2.TokenClient.SendHttpAndClearTelemetryAsync(String tokenEndpoint, ILoggerAdapter logger)
      at Microsoft.Identity.Client.OAuth2.TokenClient.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, String scopeOverride, String tokenEndpointOverride, CancellationToken cancellationToke
      at Microsoft.Identity.Client.Internal.Requests.RequestBase.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, CancellationToken cancellationToken)
      at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
      at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken)
      at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()

Id Web logs

No response

Relevant code snippets

See above

Regression

Microsoft.Identity.Web 2.17.5

Expected behavior

Working token flow

jennyf19 commented 1 month ago

@bgavrilMS looks like MSAL is not doing the same as Azure SDK...can you take a look? Thanks.

sebader commented 2 weeks ago

@bgavrilMS @jennyf19 any update on this? We are starting to get flagged for not updating to the latest available version of the SDK... Thanks!

bgavrilMS commented 2 weeks ago

> @bgavrilMS looks like MSAL is not doing the same as Azure SDK...can you take a look? Thanks.

@jennyf19 - ID.Web certificateless is not (yet) using MSAL. The failure on STEP 2 is not controllable by MSAL.

bgavrilMS commented 2 weeks ago

@sebader - federation through AKS is not the same as through Managed Identity. Can you try to use "SourceType": "SignedAssertionFilePath" ?

https://github.com/AzureAD/microsoft-identity-web/wiki/v2.0#common-configuration

bgavrilMS commented 2 weeks ago

Duplicate of https://github.com/AzureAD/microsoft-identity-web/issues/2893

sebader commented 2 weeks ago

> @sebader - federation through AKS is not the same as through Managed Identity. Can you try to use "SourceType": "SignedAssertionFilePath" ?
>
> https://github.com/AzureAD/microsoft-identity-web/wiki/v2.0#common-configuration

I can give that a try. Why was this working in previous versions, though, without any additional configuration?

bgavrilMS commented 2 weeks ago

Please also review the revised documentation on FICs @sebader https://review.learn.microsoft.com/en-us/identity/microsoft-identity-platform/federated-identity-credentials?branch=main&tabs=dotnet

bgavrilMS commented 2 weeks ago

I think the way you use the API ... you need to refer to https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web.Certificateless/AzureIdentityForKubernetesClientAssertion.cs instead of ManagedIdentityClientAssertion

sebader commented 2 weeks ago

Using AzureIdentityForKubernetesClientAssertion sounds like the right path. What I'm missing there: How can I set the clientId when using that? We have multiple MSIs federated with one Workload Identity, so we need to specify the clientId. On ManagedIdentityClientAssertion you could set that in the ctor.
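The reproduction snippet rewritten around AzureIdentityForKubernetesClientAssertion, as suggested above; this is an added example, not code from the issue or from Microsoft.Identity.Web. It assumes Microsoft.Identity.Web.Certificateless 2.18.x and MSAL.NET are referenced, that the field names mirror the original snippet, and that the federated identity to obtain a token for is selected by the client id passed to ConfidentialClientApplicationBuilder.Create (the thread leaves that question open).

```csharp
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Web;

// Added example: Workload Identity token acquisition without the managed-identity
// token exchange that fails with AADSTS1002012 in the issue above.
public sealed class WorkloadIdentityTokenClient
{
    private readonly string _clientId;      // assumption: client id of the federated app/MI to get a token for
    private readonly string _cloudInstance; // e.g. https://login.microsoftonline.com/
    private readonly string _azureRegion;

    // AKS Workload Identity projects a service-account token into the pod and
    // publishes its path in AZURE_FEDERATED_TOKEN_FILE. That token is itself the
    // client assertion presented to Entra ID, so no token for
    // api://AzureADTokenExchange has to be requested first.
    private readonly AzureIdentityForKubernetesClientAssertion _assertion;

    public WorkloadIdentityTokenClient(string clientId, string cloudInstance, string azureRegion)
    {
        _clientId = clientId;
        _cloudInstance = cloudInstance;
        _azureRegion = azureRegion;
        // The parameterless constructor reads AZURE_FEDERATED_TOKEN_FILE; a file path
        // can be passed explicitly instead.
        _assertion = new AzureIdentityForKubernetesClientAssertion();
    }

    public async Task<AuthenticationResult> AcquireAsync(string tenantId, string[] scopes, CancellationToken ct)
    {
        var app = ConfidentialClientApplicationBuilder.Create(_clientId)
            // Same method-group shape as the original snippet (Func<CancellationToken, Task<string>>).
            // The provider caches the assertion and re-reads the file once it expires,
            // which matters because the kubelet rotates the projected token.
            .WithClientAssertion(_assertion.GetSignedAssertion)
            .WithAuthority(_cloudInstance, tenantId)
            .WithAzureRegion(_azureRegion)
            .Build();

        // Client credentials flow for the downstream API; scopes must end in /.default
        return await app.AcquireTokenForClient(scopes).ExecuteAsync(ct);
    }
}
```

To target a second managed identity federated with the same service account, construct another instance with that identity's client id; the assertion file is shared.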