Use ManagedIdentityCredential instead of DefaultAzureCredential for FIC scenario (PR for ID.Web 3.x) (#2813)

* Use ManagedIdentityCredential instead of DefaultAzureCredential for MI scenarios

* Address PR comments

* Drop Azure.Identity and use just MSAL here.

* PR comment

* Fix

---------

Co-authored-by: Bogdan Gavril <[email protected]>
Co-authored-by: jennyf19 <[email protected]>

Author: 3 people

Directory.Build.props

@@ -105,7 +105,7 @@
     <MicrosoftExtensionsConfigurationBinderVersion>9.0.100-preview.4.24267.66</MicrosoftExtensionsConfigurationBinderVersion>
     <MicrosoftExtensionsDependencyInjectionVersion>$(NetNineRuntimeVersion)</MicrosoftExtensionsDependencyInjectionVersion>
   </PropertyGroup>
-  
+
   <PropertyGroup Condition="'$(TargetFramework)' == 'net8.0'">
     <MicrosoftAspNetCoreAuthenticationJwtBearerVersion>8.0.0</MicrosoftAspNetCoreAuthenticationJwtBearerVersion>
     <MicrosoftAspNetCoreAuthenticationOpenIdConnectVersion>8.0.0</MicrosoftAspNetCoreAuthenticationOpenIdConnectVersion>

src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertion.cs

@@ -3,9 +3,8 @@
 
 using System.Threading;
 using System.Threading.Tasks;
-using Azure.Core;
-using Azure.Identity;
 using Microsoft.Identity.Client;
+using Microsoft.Identity.Client.AppConfig;
 using Microsoft.Identity.Web.Certificateless;
 
 namespace Microsoft.Identity.Web
@@ -15,36 +14,31 @@ namespace Microsoft.Identity.Web
     /// </summary>
     public class ManagedIdentityClientAssertion : ClientAssertionProviderBase
     {
-        private readonly TokenCredential _credential;
+        IManagedIdentityApplication _managedIdentityApplication;
         private readonly string _tokenExchangeUrl;
 
         /// <summary>
         /// See https://aka.ms/ms-id-web/certificateless.
         /// </summary>
-        /// <param name="managedIdentityClientId">Optional ClientId of the Managed Identity or Workload Identity</param>
+        /// <param name="managedIdentityClientId">Optional ClientId of the Managed Identity</param>
         public ManagedIdentityClientAssertion(string? managedIdentityClientId)
         {
-            _credential = new DefaultAzureCredential(
-                new DefaultAzureCredentialOptions
-                {
-                    ManagedIdentityClientId = managedIdentityClientId,
-                    WorkloadIdentityClientId = managedIdentityClientId,
-                    ExcludeAzureCliCredential = true,
-                    ExcludeAzureDeveloperCliCredential = true,
-                    ExcludeAzurePowerShellCredential = true,
-                    ExcludeInteractiveBrowserCredential = true,
-                    ExcludeSharedTokenCacheCredential = true,
-                    ExcludeVisualStudioCodeCredential = true,
-                    ExcludeVisualStudioCredential = true
-                });
+            var id = ManagedIdentityId.SystemAssigned;
+            if (!string.IsNullOrEmpty(managedIdentityClientId))
+            {
+                id = ManagedIdentityId.WithUserAssignedClientId(managedIdentityClientId);
+            }
+
+            _managedIdentityApplication = ManagedIdentityApplicationBuilder.Create(id).Build();           
             _tokenExchangeUrl = CertificatelessConstants.DefaultTokenExchangeUrl;
         }
 
         /// <summary>
         /// See https://aka.ms/ms-id-web/certificateless.
         /// </summary>
-        /// <param name="managedIdentityClientId">Optional ClientId of the Managed Identity or Workload Identity</param>
-        /// <param name="tokenExchangeUrl">Optional token exchange resource url. Default value is "api://AzureADTokenExchange/.default".</param>
+        /// <param name="managedIdentityClientId">Optional ClientId of the Managed Identity</param>
+        /// <param name="tokenExchangeUrl">Optional audience of the token to be requested from Managed Identity. Default value is "api://AzureADTokenExchange". 
+        /// This value is different on clouds other than Azure Public</param>
         public ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl) : this (managedIdentityClientId)
         {
             _tokenExchangeUrl = tokenExchangeUrl ?? CertificatelessConstants.DefaultTokenExchangeUrl;
@@ -57,10 +51,12 @@ public ManagedIdentityClientAssertion(string? managedIdentityClientId, string? t
         /// <returns>The signed assertion.</returns>
         protected override async Task<ClientAssertion> GetClientAssertionAsync(AssertionRequestOptions? assertionRequestOptions)
         {
-            var result = await _credential.GetTokenAsync(
-                new TokenRequestContext([_tokenExchangeUrl], null),
-                assertionRequestOptions?.CancellationToken ?? default).ConfigureAwait(false);
-            return new ClientAssertion(result.Token, result.ExpiresOn);
+            var result = await _managedIdentityApplication
+                .AcquireTokenForManagedIdentity(_tokenExchangeUrl)
+                .ExecuteAsync(assertionRequestOptions?.CancellationToken ?? CancellationToken.None)
+                .ConfigureAwait(false);
+
+            return new ClientAssertion(result.AccessToken, result.ExpiresOn);
         }
     }
 }

src/Microsoft.Identity.Web.Certificateless/Microsoft.Identity.Web.Certificateless.csproj

@@ -11,9 +11,9 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Azure.Identity" Version="$(AzureIdentityVersion)" />
     <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="$(MicrosoftExtensionsLoggingVersion)" />
     <PackageReference Include="System.Text.Encodings.Web" Version="$(SystemTextEncodingsWebVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens " Version="$(IdentityModelVersion)" />
+    <PackageReference Include="Microsoft.Identity.Client" Version="$(MicrosoftIdentityClientVersion)" />
   </ItemGroup>
 </Project>