[Feature Request] Managed Identity support in IDownstreamWebApi / IDownstreamApi

[Rookian]

Can I also use Managed Identity (System or user-assigned) for IDownstreamWebApi?
Shouldn't Managed Identity the first option that should be mentioned in the documentation for the users? My proposed order would be Managed Identity, client certificate, client secret.

Why do I first need to call AddMicrosoftIdentityWebApiAuthentication(IConfiguration) then EnableTokenAcquisitionToCallDownstreamApi and then AddDownstreamWebApi in order to enable IDownStreamWebApi usage? In my case a web api (not protected) calls another web api (protected) and I would like to use Managed Identity, so there should be no further configuration needed. My expectation would be something like

// For a system-assigned Managed Identity client id does not need to be passed
builder.Services.AddDownstreamWebApi(string managedIdentityClientId = null);

See also: https://github.com/MicrosoftDocs/azure-docs/issues/94620

[jmprieur]

@Rookian
Managed identity is only usable for daemon scenarios (which might be your case), that is using the Client credential flow (AcquireTokenForApp).

Microsoft.Identity.Web provides all the confidential client application flows (Auth code flow and refresh token in web apps, On behalf of user / app in web APIs, and client credentials for daemon scenarios), and it does use managed identity either to fetch certificates from KeyVault, and work using workload identity.

What is your scenario?

[Rookian]

@jmprieur
I have one deamon app that calls a web API.

What is the advantage of using Microsoft.Identity.Web over Azure.Identity (ManagedIdentityToken)?

[jmprieur]

@Rookian : if your daemon app is only hosted in Azure and you don't need to debug it locally (with the app permission), you can use Azure.Identity.
Id.Web enables you to be deployed anywhere, and debugged locally.

[Rookian]

@jmprieur The same is true for Azure.Identity, as you can use AzureCliCredential (for local usage) and ManagedIdentityCredential (for Azure environment) within a ChainedTokenCredential.

The question from my site is, if I need to cache the retrieved bearer token?

[jmprieur]

@Rookian, yes. but the chained token credentials don't use the same credentials (once is a Client Cred, the other is you as a user, who was granted access to the resources).

For the moment, you need to cache the token. In the near future the Azure SDK will do it for you (leveraging MSAL)

[Rookian]

@Rookian, yes. but the chained token credentials don't use the same credentials (once is a Client Cred, the other is you as a user, who was granted access to the resources).

Sure, but I don't have any user just machines.

For the moment, you need to cache the token. In the near future the Azure SDK will do it for you (leveraging MSAL)

That is an interesting information. Thanks.

Coming back again to my scenario.

I would like to use Managed Identity to call a protected Web API.
For this I have created a small example solution where I have a client WebApp (deamon, unprotected) and a server Web App (protected). I always want to be able to run my code from my local machine and from Azure.
For now I have used Azure.Identity to acquire the token. Everything is working fine.

Now I would like to test Microsoft.Identity.Web (to maybe replace Azure.Identity) and I already stumbled over AddMicrosoftIdentityWebApiAuthentication where I need to pass in IConfiguration. I guess this is used for the WebAPI itself where it acts as a server, but I have a daemon app.

builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddInMemoryTokenCaches()
    .AddDownstreamWebApi("ServerWebApp", x =>
    {
        x.Scopes = "api://{appId}/.default";
        x.BaseUrl = "https://localhost:7214/"
    });

...

var response = await api.CallWebApiForAppAsync("ServerWebApp", options =>
{
    options.HttpMethod = HttpMethod.Get;
    options.RelativePath = "/test";
});

CallWebApiForAppAsync throws an exception "IDW10106: The 'ClientId' option must be provided. " when I run it on my local machine with an authenticated Azure Cli.

@jmprieur
May I recap:

• IDownstreamWebApi has support for Managed Identity (user assigned/system-assigned)
• IDownstreamWebApi has no support for AzureCliCredential

[jmprieur]

Will be solved by the CredentialDescription in v2

[bgavrilMS]

@jmprieur - should we use this issue to track the Managed Identity integration?