Bringing token exchange url commit into rel/v2 (#2774)

* Allow token exchange URL configuration (#2767)

* initial commit adding configurable token exchange url

* Apply suggestions from code review

Co-authored-by: Jean-Marc Prieur <[email protected]>

* use abstractions 5.2.0

* separate ctor overload

* add msi fic support to changelog

---------

Co-authored-by: Jean-Marc Prieur <[email protected]>

* bring back abstractions 5.2.0!

---------

Co-authored-by: Jean-Marc Prieur <[email protected]>

Author: kllysng

Directory.Build.props

@@ -86,7 +86,7 @@
     <MicrosoftGraphVersion>4.36.0</MicrosoftGraphVersion>
     <MicrosoftGraphBetaVersion>4.57.0-preview</MicrosoftGraphBetaVersion>
     <MicrosoftExtensionsHttpVersion>3.1.3</MicrosoftExtensionsHttpVersion>
-    <MicrosoftIdentityAbstractions>5.1.0</MicrosoftIdentityAbstractions>    
+    <MicrosoftIdentityAbstractions>5.2.0</MicrosoftIdentityAbstractions>    
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(TargetFramework)' == 'net8.0'">

changelog.md

@@ -1,3 +1,10 @@
+Pending Next Release
+=========
+- Update to Microsoft.Identity.Abstractions 5.2.0
+
+### New features
+- Added support for Managed Identity Federated Identity Credential. See issue [2749](https://github.com/AzureAD/microsoft-identity-web/issues/2749) for details.
+
 2.17.5
 =========
 - Updated to MSAL 4.59.1.
@@ -12,7 +19,7 @@
 2.17.3
 =========
 - Updated to Microsoft.IdentityModel.* 7.5.0
-  
+
 2.17.2
 =========
 

src/Microsoft.Identity.Web.Certificate/SignedAssertionFromManagedIdentityCredentialLoader.cs

@@ -1,14 +1,10 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-using System;
-using System.Collections.Generic;
-using System.Net;
-using System.Text;
-using Azure.Identity;
 using System.Threading;
-using Microsoft.Identity.Abstractions;
 using System.Threading.Tasks;
+using Azure.Identity;
+using Microsoft.Identity.Abstractions;
 
 namespace Microsoft.Identity.Web
 {
@@ -23,7 +19,7 @@ public async Task LoadIfNeededAsync(CredentialDescription credentialDescription,
                 ManagedIdentityClientAssertion? managedIdentityClientAssertion = credentialDescription.CachedValue as ManagedIdentityClientAssertion;
                 if (credentialDescription.CachedValue == null)
                 {
-                    managedIdentityClientAssertion = new ManagedIdentityClientAssertion(credentialDescription.ManagedIdentityClientId);
+                    managedIdentityClientAssertion = new ManagedIdentityClientAssertion(credentialDescription.ManagedIdentityClientId, credentialDescription.TokenExchangeUrl);
                 }
                 try
                 {

src/Microsoft.Identity.Web.Certificateless/CertificatelessConstants.cs

@@ -0,0 +1,11 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Microsoft.Identity.Web.Certificateless
+{
+    internal class CertificatelessConstants
+    {
+        // Managed Identity Federated Identity Credential
+        internal const string DefaultTokenExchangeUrl = "api://AzureADTokenExchange";
+    }
+}

src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertion.cs

@@ -5,6 +5,7 @@
 using System.Threading.Tasks;
 using Azure.Core;
 using Azure.Identity;
+using Microsoft.Identity.Web.Certificateless;
 
 namespace Microsoft.Identity.Web
 {
@@ -14,6 +15,7 @@ namespace Microsoft.Identity.Web
     public class ManagedIdentityClientAssertion : ClientAssertionProviderBase
     {
         private readonly TokenCredential _credential;
+        private readonly string _tokenExchangeUrl;
 
         /// <summary>
         /// See https://aka.ms/ms-id-web/certificateless.
@@ -34,6 +36,17 @@ public ManagedIdentityClientAssertion(string? managedIdentityClientId)
                     ExcludeVisualStudioCodeCredential = true,
                     ExcludeVisualStudioCredential = true
                 });
+            _tokenExchangeUrl = CertificatelessConstants.DefaultTokenExchangeUrl;
+        }
+
+        /// <summary>
+        /// See https://aka.ms/ms-id-web/certificateless.
+        /// </summary>
+        /// <param name="managedIdentityClientId">Optional ClientId of the Managed Identity or Workload Identity</param>
+        /// <param name="tokenExchangeUrl">Optional token exchange resource url. Default value is "api://AzureADTokenExchange/.default".</param>
+        public ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl) : this (managedIdentityClientId)
+        {
+            _tokenExchangeUrl = tokenExchangeUrl ?? CertificatelessConstants.DefaultTokenExchangeUrl;
         }
 
         /// <summary>
@@ -44,7 +57,7 @@ public ManagedIdentityClientAssertion(string? managedIdentityClientId)
         protected override async Task<ClientAssertion> GetClientAssertion(CancellationToken cancellationToken)
         {
             var result = await _credential.GetTokenAsync(
-                new TokenRequestContext(["api://AzureADTokenExchange/.default"], null),
+                new TokenRequestContext([_tokenExchangeUrl+"./default"], null),
                 cancellationToken).ConfigureAwait(false);
             return new ClientAssertion(result.Token, result.ExpiresOn);
         }