Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ManagedIdentityClientAssertion gets the wrong MSI token on non public clouds #2749

Closed
bgavrilMS opened this issue Apr 8, 2024 · 3 comments · Fixed by #2767
Closed

ManagedIdentityClientAssertion gets the wrong MSI token on non public clouds #2749

bgavrilMS opened this issue Apr 8, 2024 · 3 comments · Fixed by #2767
Assignees
@kllysng
Labels
1P bug Something isn't working managed identity
Milestone
2.18

Comments

@bgavrilMS
Copy link
Member

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

2.17.4

Web app

Sign-in users

Web API

Protected web APIs (validating tokens)

Token cache serialization

In-memory caches

Description

The MSI FIC token is normally requested for the resource api://AzureADTokenExchange. It turns out that for other clouds, this magic string is different:

Fairfax: api://AzureADTokenExchangeUSGov
Mooncake: api://AzureADTokenExchangeChina

Sadly for some air-gapped clouds it's also different and that cannot be hardcoded in MSAL / Id.Web; Even for sovereign clouds we should not hardcode cloud aliases, as these change over time.

Reproduction steps

Try FIC in Mooncake.

Error message

No response

Id Web logs

No response

Relevant code snippets

https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertion.cs

Regression

No response

Expected behavior

We need to provide a devex where app developers can configure this magic string. MSAL should hide this in public cloud.
@bgavrilMS
Copy link
Member Author

CC @jmprieur @jennyf19

@jmprieur
Copy link
Collaborator

jmprieur commented Apr 9, 2024
edited
Loading

We can add a new property TokenExchangeUrl in the CredentialDescription. When not present we'd use api://AzureADTokenExchange.

Shouldn't be a P1, @bgavrilMS ?

@jmprieur jmprieur added 1P and removed P2 labels Apr 16, 2024
@jennyf19 jennyf19 added this to the 2.17.6 milestone Apr 16, 2024
@kllysng kllysng mentioned this issue Apr 16, 2024
Merged
@jmprieur
Copy link
Collaborator

@kellyyangsong:
We need:

  • A new property string ? TokenExchangeUrl for instance here. This property can be null (will be null by default).
  • We'd use it here if it's not null, and otherwise api://AzureADTokenExchange

Of course you'd need to add a parameter to the constructor, and use it in the CredentialLoader

@kllysng kllysng mentioned this issue Apr 16, 2024
Merged
@kllysng kllysng closed this as completed Apr 24, 2024
@jcantosz jcantosz mentioned this issue Jun 3, 2024
Closed
@kllysng kllysng modified the milestones: 2.17.6, 2.18 Jun 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kllysng kllysng

Labels
1P bug Something isn't working managed identity
Projects
None yet
Milestone
2.18
Development

Successfully merging a pull request may close this issue.

Allow token exchange URL configuration AzureAD/microsoft-identity-web
4 participants
@bgavrilMS @jmprieur @jennyf19 @kllysng