Shuzheng

Reputation: 14018

How can I configure Microsoft.Identity.Web ASP.NET Core package to use a managed identity assertion credential instead of a client secret?

I want to call a protected API using Microsoft.Identity.Web ASP.NET Core package. It provides instructions on how to configure it in the case of client secrets and certificates:

https://learn.microsoft.com/en-us/entra/identity-platform/scenario-web-app-call-api-app-configuration?tabs=aspnetcore#option-1-call-microsoft-graph

It also briefly mentions that secret-less alternatives exist, like workload identity federation for Azure Kubernetes:

You can propose a collection of client credentials, including a credential-less solution like workload identity federation for Azure Kubernetes. Previous versions of Microsoft.Identity.Web expressed the client secret in a single property "ClientSecret" instead of "ClientCredentials". This is still supported for backwards compatibility but you cannot use both the "ClientSecret" property, and the "ClientCredentials" collection.

How can I configure the package to use secret-less solutions? In my case, I want to use ClientAssertionCredential based on ManagedIdentityCredential(managedIdentityClientId), but I can't find it in the docs.

Any ideas?

Upvotes: 1

Views: 38

Answers (1)

Jason Pan

Reputation: 22082

The ClientAssertionCredential is part of the Azure.Identity library and is suitable for achieving secret-less authentication when running on Azure resources with managed identities.

1. Packages

Azure.Identity;
Microsoft.Identity.Client;

2. Sample Code from MS official sample.

using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Client ID of the user-assigned managed identity whose token becomes the client assertion.
var managedIdentityClientId = "<Your-Managed-Identity-Client-Id>";
// Audience the managed identity token is requested for; it must match what the
// app registration's federated identity credential expects.
string audience = "api://test";

var miCredential = new ManagedIdentityCredential(managedIdentityClientId);

// The callback runs on every token request and returns the assertion that the
// app registration presents instead of a client secret.
ClientAssertionCredential clientAssertionCredential = new(
    "tenantId",     // placeholder: tenant of the app registration
    "appClientId",  // placeholder: client ID of the app registration
    async (cancellationToken) =>
    {
        // fetch Managed Identity token for the specified audience
        var tokenRequestContext = new TokenRequestContext(new[] { $"{audience}/.default" });
        var accessToken = await miCredential.GetTokenAsync(tokenRequestContext, cancellationToken).ConfigureAwait(false);
        return accessToken.Token;
    });

Related link: Leveraging Microsoft.Identity.Web for Secret-less API Authentication in ASP.NET Core

Upvotes: 0
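The answer builds the assertion with Azure.Identity directly; the question asks how Microsoft.Identity.Web itself can be told to use it. The following is an added example, not code from the question, the answer or the linked sample. It assumes Microsoft.Identity.Web 2.x or later with Microsoft.Identity.Abstractions, where the ClientCredentials collection quoted in the question takes CredentialDescription entries and offers the SignedAssertionFromManagedIdentity source type; the managed identity client ID, the "AzureAd" section name and the Graph scope are placeholders.

```csharp
// Added example: let Microsoft.Identity.Web obtain its client assertion from a
// user-assigned managed identity instead of a ClientSecret.
// Assumption: Microsoft.Identity.Web 2.x+ (CredentialDescription / CredentialSource
// come from Microsoft.Identity.Abstractions).
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Abstractions;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Placeholder: client ID of the user-assigned managed identity that is registered
// as a federated identity credential on the app registration.
const string managedIdentityClientId = "<Your-Managed-Identity-Client-Id>";

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options =>
    {
        // Instance, TenantId, ClientId and CallbackPath come from the "AzureAd" section.
        // That section must not contain a ClientSecret: as the quoted docs say,
        // ClientSecret and the ClientCredentials collection cannot both be used.
        builder.Configuration.GetSection("AzureAd").Bind(options);

        // Secret-less credential: the library requests a managed identity token for
        // the token-exchange audience and presents it as the client assertion,
        // which is what the ClientAssertionCredential callback in the answer does by hand.
        options.ClientCredentials = new[]
        {
            new CredentialDescription
            {
                SourceType = CredentialSource.SignedAssertionFromManagedIdentity,
                ManagedIdentityClientId = managedIdentityClientId,
                // Audience the federated identity credential on the app registration is configured for.
                TokenExchangeUrl = "api://AzureADTokenExchange",
            }
        };
    })
    // Placeholder scope; replace with the protected API's "<app-id-uri>/.default".
    .EnableTokenAcquisitionToCallDownstreamApi(new[] { "https://graph.microsoft.com/.default" })
    .AddInMemoryTokenCaches();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.Run();
```

The same CredentialDescription can be expressed in appsettings.json under the AzureAd section as a ClientCredentials array with the keys SourceType, ManagedIdentityClientId and TokenExchangeUrl, in which case the in-code assignment is not needed.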
