
Pod Identity signed assertions are supported by Ms.Id.Web.TokenAcquisition

Open jmprieur opened this issue 1 year ago • 0 comments

Why

When running inside a container, confidential client applications can use Pod Identity to get a signed assertion in lieu of client credentials (a client secret or certificate). In practice, the assertion is a file that is shared with the container, and that the application reads periodically because the assertion in it is refreshed.

What

By configuration, define the file in which Pod identity will save the signed assertion, so that the application running in the container can access it.

"AzureAd" : {
   "ClientCredentials": [
      {
       "SourceType" : "SignedAssertionFilePath",
       "SignedAssertionFileDiskPath" : "/somePathOnDisk"
      }
    ]
}

How

  • [x] Expose PodIdentityClientAssertion in certificateless, in addition to ManagedIdentityClientAssertion

    • [x] ClientAssertionDescription should become public, and probably renamed BaseClientAssertion?

      • [x] its constructor is no longer needed. The ClientAssertionProvider property should be internal.
      • [x] In GetSignedAssertion, check that ClientAssertionProvider is not null. If it's null, throw an exception that "ClientAssertionProvider must be initialized in the constructor of the derived classes"
    • [x] Have ManagedIdentityClientAssertion inherit from BaseClientAssertion. Its default constructor should now set ClientAssertionProvider to GetSignedAssertionFromFederatedTokenProvider. ClientAssertionProvider, _clientAssertion, GetSignedAssertion and Expiry are no longer needed (they are already in the base class) => delete these four members of the ManagedIdentityClientAssertion class.

    • [x] Add a new class PodIdentityClientAssertion inheriting from BaseClientAssertion, inspired by ManagedIdentityClientAssertion but which gets the signed assertion from a file (the file can be referenced in the AZURE_FEDERATED_TOKEN_FILE environment variable). Something like the following (no guarantee it builds):

           using System;
           using System.IO;
           using System.Threading;
           using System.Threading.Tasks;
           using Microsoft.Identity.Web;
           using Microsoft.IdentityModel.JsonWebTokens;

           internal class PodIdentityClientAssertion : BaseClientAssertion
           {
              /// <summary>
              /// Gets a signed assertion from Pod Identity. The file is provided
              /// by an environment variable ("AZURE_FEDERATED_TOKEN_FILE").
              /// See https://aka.ms/ms-id-web/certificateless.
              /// </summary>
              public PodIdentityClientAssertion()
                  : this(Environment.GetEnvironmentVariable("AZURE_FEDERATED_TOKEN_FILE"))
              {
              }

              /// <summary>
              /// Gets a signed assertion from a file.
              /// See https://aka.ms/ms-id-web/certificateless.
              /// </summary>
              /// <param name="filePath">Path of the file in which Pod Identity saves the signed assertion.</param>
              public PodIdentityClientAssertion(string filePath)
              {
                  // Fail early and clearly rather than on the first token request.
                  _filePath = filePath ?? throw new ArgumentNullException(
                      nameof(filePath),
                      "Signed assertion file path is missing: pass it, or set AZURE_FEDERATED_TOKEN_FILE.");
                  ClientAssertionProvider = GetSignedAssertionFromFile;
              }

              private readonly string _filePath;

              /// <summary>
              /// Get the signed assertion from a file. The base class calls this again once the
              /// cached assertion has expired, which is how the file gets re-read periodically.
              /// The file content is the credential: do not log it.
              /// </summary>
              /// <returns>The signed assertion and its expiry, taken from the JWT "exp" claim.</returns>
              private Task<ClientAssertion> GetSignedAssertionFromFile(CancellationToken cancellationToken)
              {
                  string signedAssertion = File.ReadAllText(_filePath).Trim();
                  // Compute the expiry from the token itself (no validation is done here; the token issuer validates it).
                  JsonWebToken jwt = new JsonWebToken(signedAssertion);
                  return Task.FromResult(new ClientAssertion(signedAssertion, jwt.ValidTo));
              }
           }
      
  • [ ] Add a new class DefaultCredentialsLoader (like DefaultCertificateLoader), for instance in the Certificateless assembly, which would process both the certificates, and the signed assertions (and later the symmetric keys)

jmprieur, Aug 10 '22 17:08
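The following is an added example, not code from the microsoft-identity-web project or from this issue: a self-contained C# version of the design sketched above, with the caching that makes "read periodically" concrete. The names BaseClientAssertion, PodIdentityClientAssertion, ClientAssertion, ClientAssertionProvider, Expiry and the AZURE_FEDERATED_TOKEN_FILE variable follow the issue; the five-minute refresh buffer, the hand-rolled "exp" claim parser (used instead of JsonWebToken so the example has no package dependency), the Demo class and the sample token it writes are assumptions made for illustration.

```csharp
// Added example, not microsoft-identity-web code. Assumed: refresh buffer, "exp" parser, Demo class.
using System;
using System.IO;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

public sealed record ClientAssertion(string SignedAssertion, DateTimeOffset? Expiry);

public abstract class BaseClientAssertion
{
    // Derived classes set this in their constructor (protected here; the issue proposes internal).
    protected Func<CancellationToken, Task<ClientAssertion>> ClientAssertionProvider { get; set; }

    // Assumed: refresh a little before expiry so an assertion never goes stale mid-request.
    private static readonly TimeSpan RefreshBuffer = TimeSpan.FromMinutes(5);
    private ClientAssertion _cached;

    public DateTimeOffset? Expiry => _cached?.Expiry;

    public async Task<string> GetSignedAssertionAsync(CancellationToken cancellationToken = default)
    {
        if (ClientAssertionProvider == null)
            throw new InvalidOperationException(
                "ClientAssertionProvider must be initialized in the constructor of the derived classes");

        // Only go back to the source (here: the file) when there is no usable cached assertion.
        if (_cached == null || _cached.Expiry == null
            || _cached.Expiry.Value - RefreshBuffer <= DateTimeOffset.UtcNow)
        {
            _cached = await ClientAssertionProvider(cancellationToken).ConfigureAwait(false);
        }
        return _cached.SignedAssertion;
    }
}

public sealed class PodIdentityClientAssertion : BaseClientAssertion
{
    private readonly string _filePath;

    // An explicit path wins; otherwise fall back to the AZURE_FEDERATED_TOKEN_FILE environment variable.
    public PodIdentityClientAssertion(string filePath = null)
    {
        _filePath = filePath
            ?? Environment.GetEnvironmentVariable("AZURE_FEDERATED_TOKEN_FILE")
            ?? throw new InvalidOperationException(
                "No signed-assertion file path: pass one or set AZURE_FEDERATED_TOKEN_FILE");
        ClientAssertionProvider = GetSignedAssertionFromFile;
    }

    private async Task<ClientAssertion> GetSignedAssertionFromFile(CancellationToken cancellationToken)
    {
        // The file content is the credential: read it only when the cache is stale, and never log it.
        string jwt = (await File.ReadAllTextAsync(_filePath, cancellationToken).ConfigureAwait(false)).Trim();
        return new ClientAssertion(jwt, ReadExpiry(jwt));
    }

    // Reads "exp" from the (unverified) JWT payload purely to schedule the next file read;
    // the assertion itself is verified by the token issuer, not by this class.
    private static DateTimeOffset? ReadExpiry(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Signed assertion file does not contain a compact-serialized JWT");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        return doc.RootElement.TryGetProperty("exp", out JsonElement exp)
            ? DateTimeOffset.FromUnixTimeSeconds(exp.GetInt64())
            : (DateTimeOffset?)null;
    }
}

public static class Demo
{
    // Constructed sample token with a placeholder signature, standing in for what the sidecar writes.
    private static string SampleJwt(DateTimeOffset exp)
    {
        static string B64Url(string s) =>
            Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return B64Url("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "." +
               B64Url("{\"aud\":\"api://AzureADTokenExchange\",\"exp\":" + exp.ToUnixTimeSeconds() + "}") +
               ".c2lnbmF0dXJl";
    }

    public static async Task Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "azure-federated-token");
        File.WriteAllText(path, SampleJwt(DateTimeOffset.UtcNow.AddMinutes(2)));  // already inside the buffer
        var assertion = new PodIdentityClientAssertion(path);
        string first = await assertion.GetSignedAssertionAsync();

        File.WriteAllText(path, SampleJwt(DateTimeOffset.UtcNow.AddHours(1)));    // sidecar rotates the file
        string second = await assertion.GetSignedAssertionAsync();                 // near expiry: re-read
        string third = await assertion.GetSignedAssertionAsync();                  // fresh: served from cache

        Console.WriteLine($"re-read after rotation: {first != second}; cache hit afterwards: {second == third}");
        Console.WriteLine($"cached expiry: {assertion.Expiry:u}");
    }
}
```

The point of the buffer in the example is the failure mode the issue only hints at: the sidecar rewrites the file on its own schedule, so an assertion cached until the exact second of expiry can be rejected by the token endpoint while in flight. Re-reading the file slightly before expiry, and only then, keeps file I/O off the hot path while guaranteeing the application never presents a stale assertion.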