microsoft-identity-web
When using AddMicrosoftIdentityWebApi with a delegate, the following EnableTokenAcquisitionToCallDownstreamApi should have the option of being parameter-less
Hello, we are using the latest version of the library and are trying to register authentication and a call to downstream API using a certificate instead of a client secret.
    builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApi(
            configureJwtBearerOptions => builder.Configuration.Bind(key, configureJwtBearerOptions),
            microsoftIdentityOptions =>
            {
                builder.Configuration.Bind(key, microsoftIdentityOptions);
                microsoftIdentityOptions.ClientCertificates = new CertificateDescription[] {
                    CertificateDescription.FromBase64Encoded(settings.ClientCertificate)
                };
            })
        .EnableTokenAcquisitionToCallDownstreamApi(
            confidentialClientApplicationOptions => builder.Configuration.Bind(key, confidentialClientApplicationOptions)
        )
        .AddInMemoryTokenCaches();
I was able to configure a certificate for the authentication, but I am failing to configure it for "EnableTokenAcquisitionToCallDownstreamApi." Apparently, the options only accept a client secret and no certificate.
https://github.com/AzureAD/microsoft-identity-web/blob/bba91c4298411e780c9f082e8e3843eacd8e543c/src/Microsoft.Identity.Web/WebAppExtensions/MicrosoftIdentityWebAppAuthenticationBuilderWithConfiguration.cs#L43-L59
Do you have some suggestions on how to solve this issue? I would avoid registering a client secret and certificate to cover this use case.
Thank you for your help, Patrick
@plamber What you did in .AddMicrosoftIdentityWebApi is enough. No need to do anything in EnableTokenAcquisitionToCallDownstreamApi.
    builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApi(
            configureJwtBearerOptions => builder.Configuration.Bind(key, configureJwtBearerOptions),
            microsoftIdentityOptions =>
            {
                builder.Configuration.Bind(key, microsoftIdentityOptions);
                microsoftIdentityOptions.ClientCertificates = new CertificateDescription[] {
                    CertificateDescription.FromBase64Encoded(settings.ClientCertificate)
                };
            })
        .EnableTokenAcquisitionToCallDownstreamApi()
        .AddInMemoryTokenCaches();
Hi @jmprieur, I thought the same first, but I am getting a compilation error when trying to use EnableTokenAcquisitionToCallDownstreamApi without parameters in this specific format.
There is no argument given that corresponds to the required formal parameter 'configureConfidentialClientOptions'....
Cheers
@plamber : did you try
.EnableTokenAcquisitionToCallDownstreamApi(options => {} )
Thank you, @jmprieur. Works without compilation errors with options passed as you suggested. It might be misleading, though. Being not required to pass parameters feels more natural.
Thank you for your help, Patrick
Thanks for the feedback, @plamber. We'll see what we can do to avoid the parameter.
@plamber renamed the title to have it as an enhancement.
Hi @jmprieur I second this request, EnableTokenAcquisitionToCallDownstreamApi should have a parameterless version.
+1