Adding support for user assigned managed identity (#1008)

proposed fix for #1007 * Adding support for user assigned managed identity * Update src/Microsoft.Identity.Web/CertificateManagement/DefaultCertificateLoader.cs Co-authored-by: jennyf19 <jeferrie@microsoft.com>
AzureAD · Mar 4, 2021 · 8a3bebc · 8a3bebc
1 parent 93839ab
commit 8a3bebc
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 1 deletion.
diff --git a/src/Microsoft.Identity.Web/CertificateManagement/DefaultCertificateLoader.cs b/src/Microsoft.Identity.Web/CertificateManagement/DefaultCertificateLoader.cs
@@ -30,6 +30,12 @@ namespace Microsoft.Identity.Web
     /// </summary>
     public class DefaultCertificateLoader : ICertificateLoader
     {
+        /// <summary>
+        /// User assigned managed identity client ID (as opposed to system assigned managed identity)
+        /// See https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.
+        /// </summary>
+        public static string? UserAssignedManagedIdentityClientId { get; set; }
+
         /// <summary>
         /// Load the certificate from the description, if needed.
         /// </summary>
@@ -102,7 +108,9 @@ private static X509Certificate2 LoadFromKeyVault(
             X509KeyStorageFlags x509KeyStorageFlags)
         {
             Uri keyVaultUri = new Uri(keyVaultUrl);
-            DefaultAzureCredential credential = new DefaultAzureCredential();
+            DefaultAzureCredentialOptions options = new DefaultAzureCredentialOptions();
+            options.ManagedIdentityClientId = UserAssignedManagedIdentityClientId;
+            DefaultAzureCredential credential = new DefaultAzureCredential(options);
             CertificateClient certificateClient = new CertificateClient(keyVaultUri, credential);
             SecretClient secretClient = new SecretClient(keyVaultUri, credential);
 

diff --git a/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml b/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml
diff --git a/src/Microsoft.Identity.Web/MicrosoftIdentityOptions.cs b/src/Microsoft.Identity.Web/MicrosoftIdentityOptions.cs
@@ -127,5 +127,11 @@ internal bool HasClientCredentials
         /// </summary>
         /// The default is <c>false.</c>
         public bool AllowWebApiToBeAuthorizedByACL { get; set; }
+
+        /// <summary>
+        /// Used, when deployed to Azure, to specify explicitly a user assigned managed identity.
+        /// See https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.
+        /// </summary>
+        public string? UserAssignedManagedIdentityClientId { get; set; }
     }
 }
diff --git a/src/Microsoft.Identity.Web/TokenAcquisition.cs b/src/Microsoft.Identity.Web/TokenAcquisition.cs
@@ -74,6 +74,7 @@ public TokenAcquisition(
             _applicationOptions.ClientSecret ??= _microsoftIdentityOptions.ClientSecret;
             _applicationOptions.TenantId ??= _microsoftIdentityOptions.TenantId;
             _applicationOptions.LegacyCacheCompatibilityEnabled = _microsoftIdentityOptions.LegacyCacheCompatibilityEnabled;
+            DefaultCertificateLoader.UserAssignedManagedIdentityClientId = _microsoftIdentityOptions.UserAssignedManagedIdentityClientId;
         }
 
         /// <summary>