Add support for token exchange managed identity (Azure#23775)

* Add support for token exchange managed identity

* adding MI token exchange test

* fix pipeline bug

Author: schaabs

sdk/identity/Azure.Identity/src/ClientAssertionCredential.cs

@@ -0,0 +1,71 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+using System.Threading;
+using System.Threading.Tasks;
+using Azure.Core;
+using Azure.Core.Pipeline;
+using Microsoft.Identity.Client;
+
+namespace Azure.Identity
+{
+    internal class ClientAssertionCredential : TokenCredential
+    {
+        internal string TenantId { get; }
+        internal string ClientId { get; }
+        internal MsalConfidentialClient Client { get; }
+        internal bool AllowMultiTenantAuthentication { get; }
+
+        public ClientAssertionCredential(string tenantId, string clientId, Func<Task<string>> getAssertionCallback, ClientAssertionCredentialOptions options = default) :
+            this(tenantId, clientId, () => getAssertionCallback().GetAwaiter().GetResult(), options)
+        {
+        }
+
+        public ClientAssertionCredential(string tenantId, string clientId, Func<string> getAssertionCallback, ClientAssertionCredentialOptions options = default)
+        {
+            TenantId = tenantId;
+            ClientId = clientId;
+            AllowMultiTenantAuthentication = options?.AllowMultiTenantAuthentication ?? false;
+            Client = options?.MsalClient ?? new MsalConfidentialClient(options?.Pipeline ?? CredentialPipeline.GetInstance(options), tenantId, clientId, getAssertionCallback, null, null, options?.IsLoggingPIIEnabled ?? false);
+        }
+
+        public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
+        {
+            using CredentialDiagnosticScope scope = Client.Pipeline.StartGetTokenScope("ClientAssertionCredential.GetToken", requestContext);
+
+            try
+            {
+                var tenantId = TenantIdResolver.Resolve(TenantId, requestContext, AllowMultiTenantAuthentication);
+
+                AuthenticationResult result = Client.AcquireTokenForClientAsync(requestContext.Scopes, tenantId, false, cancellationToken).EnsureCompleted();
+
+                return scope.Succeeded(new AccessToken(result.AccessToken, result.ExpiresOn));
+            }
+            catch (Exception e)
+            {
+                throw scope.FailWrapAndThrow(e);
+            }
+        }
+
+        public async override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
+        {
+            using CredentialDiagnosticScope scope = Client.Pipeline.StartGetTokenScope("ClientAssertionCredential.GetToken", requestContext);
+
+            try
+            {
+                var tenantId = TenantIdResolver.Resolve(TenantId, requestContext, AllowMultiTenantAuthentication);
+
+                AuthenticationResult result = await Client.AcquireTokenForClientAsync(requestContext.Scopes, tenantId, true, cancellationToken).ConfigureAwait(false);
+
+                return scope.Succeeded(new AccessToken(result.AccessToken, result.ExpiresOn));
+            }
+            catch (Exception e)
+            {
+                throw scope.FailWrapAndThrow(e);
+            }
+        }
+    }
+}

sdk/identity/Azure.Identity/src/ClientAssertionCredentialOptions.cs

@@ -0,0 +1,12 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Azure.Identity
+{
+    internal class ClientAssertionCredentialOptions : TokenCredentialOptions
+    {
+        internal CredentialPipeline Pipeline { get; set; }
+
+        internal MsalConfidentialClient MsalClient { get; set; }
+    }
+}

sdk/identity/Azure.Identity/src/EnvironmentVariables.cs

@@ -29,5 +29,7 @@ internal class EnvironmentVariables
         public static string AuthorityHost => Environment.GetEnvironmentVariable("AZURE_AUTHORITY_HOST");
 
         public static string AzureRegionalAuthorityName => Environment.GetEnvironmentVariable("AZURE_REGIONAL_AUTHORITY_NAME");
+
+        public static string AzureFederatedTokenFile => Environment.GetEnvironmentVariable("AZURE_FEDERATED_TOKEN_FILE");
     }
 }

sdk/identity/Azure.Identity/src/ManagedIdentityClient.cs

@@ -46,6 +46,7 @@ private static ManagedIdentitySource SelectManagedIdentitySource(ManagedIdentity
                     CloudShellManagedIdentitySource.TryCreate(options) ??
                     AzureArcManagedIdentitySource.TryCreate(options) ??
                     ServiceFabricManagedIdentitySource.TryCreate(options) ??
+					TokenExchangeManagedIdentitySource.TryCreate(options) ??
                     new ImdsManagedIdentitySource(options.Pipeline, options.ClientId);
         }
     }

sdk/identity/Azure.Identity/src/MsalClientBase.cs

@@ -43,7 +43,7 @@ protected MsalClientBase(CredentialPipeline pipeline, string tenantId, string cl
 
         internal TokenCache TokenCache { get; }
 
-        protected CredentialPipeline Pipeline { get; }
+        protected internal CredentialPipeline Pipeline { get; }
 
         protected abstract ValueTask<TClient> CreateClientAsync(bool async, CancellationToken cancellationToken);
 

sdk/identity/Azure.Identity/src/MsalConfidentialClient.cs

@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
@@ -13,6 +14,7 @@ internal class MsalConfidentialClient : MsalClientBase<IConfidentialClientApplic
         internal readonly string _clientSecret;
         internal readonly bool _includeX5CClaimHeader;
         internal readonly IX509Certificate2Provider _certificateProvider;
+        private readonly Func<string> _assertionCallback;
 
         /// <summary>
         /// For mocking purposes only.
@@ -35,6 +37,13 @@ public MsalConfidentialClient(CredentialPipeline pipeline, string tenantId, stri
             RegionalAuthority = regionalAuthority;
         }
 
+        public MsalConfidentialClient(CredentialPipeline pipeline, string tenantId, string clientId, Func<string> assertionCallback, ITokenCacheOptions cacheOptions, RegionalAuthority? regionalAuthority, bool isPiiLoggingEnabled)
+            : base(pipeline, tenantId, clientId, isPiiLoggingEnabled, cacheOptions)
+        {
+            _assertionCallback = assertionCallback;
+            RegionalAuthority = regionalAuthority;
+        }
+
         internal RegionalAuthority? RegionalAuthority { get; }
 
         protected override async ValueTask<IConfidentialClientApplication> CreateClientAsync(bool async, CancellationToken cancellationToken)
@@ -49,6 +58,11 @@ protected override async ValueTask<IConfidentialClientApplication> CreateClientA
                 confClientBuilder.WithClientSecret(_clientSecret);
             }
 
+            if (_assertionCallback != null)
+            {
+                confClientBuilder.WithClientAssertion(_assertionCallback);
+            }
+
             if (_certificateProvider != null)
             {
                 X509Certificate2 clientCertificate = await _certificateProvider.GetCertificateAsync(async, cancellationToken).ConfigureAwait(false);

sdk/identity/Azure.Identity/src/TokenExchangeManagedIdentitySource.cs

@@ -0,0 +1,85 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Text;
+using System.Threading;
+using System.Threading.Tasks;
+using Azure.Core;
+
+namespace Azure.Identity
+{
+    internal class TokenExchangeManagedIdentitySource : ManagedIdentitySource
+    {
+        private TokenFileCache _tokenFileCache;
+        private ClientAssertionCredential _clientAssertionCredential;
+
+        private TokenExchangeManagedIdentitySource(CredentialPipeline pipeline, string tenantId, string clientId, string tokenFilePath)
+            : base(pipeline)
+        {
+            _tokenFileCache = new TokenFileCache(tokenFilePath);
+            _clientAssertionCredential = new ClientAssertionCredential(tenantId, clientId, _tokenFileCache.GetTokenFileContents, new ClientAssertionCredentialOptions { Pipeline = pipeline });
+        }
+
+        public static ManagedIdentitySource TryCreate(ManagedIdentityClientOptions options)
+        {
+            string tokenFilePath = EnvironmentVariables.AzureFederatedTokenFile;
+            string tenantId = EnvironmentVariables.TenantId;
+            string clientId = options.ClientId ?? EnvironmentVariables.ClientId;
+
+            if (string.IsNullOrEmpty(tokenFilePath) || string.IsNullOrEmpty(tenantId) || string.IsNullOrEmpty(clientId))
+            {
+                return default;
+            }
+
+            return new TokenExchangeManagedIdentitySource(options.Pipeline, tenantId, clientId, tokenFilePath);
+        }
+
+        public async override ValueTask<AccessToken> AuthenticateAsync(bool async, TokenRequestContext context, CancellationToken cancellationToken)
+        {
+            return async ? await _clientAssertionCredential.GetTokenAsync(context, cancellationToken).ConfigureAwait(false) : _clientAssertionCredential.GetToken(context, cancellationToken);
+        }
+
+        protected override Request CreateRequest(string[] scopes)
+        {
+            throw new NotImplementedException();
+        }
+
+        // Ideally this class should handle I/O asynchronously, and have a design similar to AccessTokenCache in BearerTokenAuthenticationPolicy.
+        // However, MSAL currently only accepts sync callbacks for client assertions so this has been radically simplified in light of this. If MSAL
+        // were to add support for an async callback we should update this accordingly.
+        // See, https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/2863
+        private class TokenFileCache
+        {
+            private readonly object _lock = new object();
+            private readonly string _tokenFilePath;
+            private string _tokenFileContents;
+            private DateTimeOffset _refreshOn = DateTimeOffset.MinValue;
+
+            public TokenFileCache(string tokenFilePath)
+            {
+                _tokenFilePath = tokenFilePath;
+            }
+
+            public string GetTokenFileContents()
+            {
+                if (_refreshOn <= DateTimeOffset.UtcNow)
+                {
+                    lock (_lock)
+                    {
+                        if (_refreshOn <= DateTimeOffset.UtcNow)
+                        {
+                            _tokenFileContents = File.ReadAllText(_tokenFilePath);
+
+                            _refreshOn = DateTimeOffset.UtcNow.AddMinutes(5);
+                        }
+                    }
+                }
+
+                return _tokenFileContents;
+            }
+        }
+    }
+}

sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialFederatedTokenLiveTests.cs

@@ -0,0 +1,139 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using System.Text;
+using System.Text.Json;
+using System.Threading.Tasks;
+using Azure.Core;
+using Azure.Core.TestFramework;
+using NUnit.Framework;
+
+namespace Azure.Identity.Tests
+{
+    public class ManagedIdentityCredentialFederatedTokenLiveTests : IdentityRecordedTestBase
+    {
+        public ManagedIdentityCredentialFederatedTokenLiveTests(bool isAsync) : base(isAsync)
+        {
+        }
+
+        [SetUp]
+        public void ClearDiscoveryCache()
+        {
+            StaticCachesUtilities.ClearStaticMetadataProviderCache();
+            StaticCachesUtilities.ClearAuthorityEndpointResolutionManagerCache();
+        }
+
+        [NonParallelizable]
+        [Test]
+        public async Task VerifyViaMockK8TokenExchangeEnvironment()
+        {
+            var tenantId = TestEnvironment.ServicePrincipalTenantId;
+            var clientId = TestEnvironment.ServicePrincipalClientId;
+            var authorityHostUrl = TestEnvironment.AuthorityHostUrl;
+
+            var assertionAudienceBuilder = new RequestUriBuilder();
+            assertionAudienceBuilder.Reset(new Uri(authorityHostUrl));
+            assertionAudienceBuilder.AppendPath(tenantId);
+            assertionAudienceBuilder.AppendPath("/oauth2/v2.0/token", escape: false);
+            var assertionAudience = assertionAudienceBuilder.ToString();
+
+            var assertionCert = new X509Certificate2(TestEnvironment.ServicePrincipalCertificatePfxPath);
+
+            string tokenFilePath = Path.Combine(Path.GetTempPath(), Path.GetTempFileName());
+
+            File.WriteAllText(tokenFilePath, CreateClientAssertionJWT(clientId, assertionAudience, assertionCert));
+
+            try
+            {
+                using (var environment = new TestEnvVar(new()
+                {
+                    { "MSI_ENDPOINT", null },
+                    { "MSI_SECRET", null },
+                    { "IDENTITY_ENDPOINT", null },
+                    { "IDENTITY_HEADER", null },
+                    { "AZURE_POD_IDENTITY_AUTHORITY_HOST", null },
+                    { "AZURE_CLIENT_ID", clientId },
+                    { "AZURE_TENANT_ID", tenantId },
+                    { "AZURE_AUTHORITY_HOST", authorityHostUrl },
+                    { "AZURE_FEDERATED_TOKEN_FILE", tokenFilePath }
+                }))
+                {
+                    var options = InstrumentClientOptions(new TokenCredentialOptions());
+                    var credential = InstrumentClient(new ManagedIdentityCredential(options: options));
+
+                    var tokenRequestContext = new TokenRequestContext(new[] { AzureAuthorityHosts.GetDefaultScope(new Uri(TestEnvironment.AuthorityHostUrl)) });
+
+                    var accessToken = await credential.GetTokenAsync(tokenRequestContext);
+
+                    Assert.IsNotNull(accessToken.Token);
+                }
+            }
+            finally
+            {
+                File.Delete(tokenFilePath);
+            }
+        }
+
+        private static string CreateClientAssertionJWT(string clientId, string audience, X509Certificate2 clientCertificate)
+        {
+            var headerBuff = new ArrayBufferWriter<byte>();
+
+            using (var headerJson = new Utf8JsonWriter(headerBuff))
+            {
+                headerJson.WriteStartObject();
+
+                headerJson.WriteString("typ", "JWT");
+                headerJson.WriteString("alg", "RS256");
+                headerJson.WriteString("x5t", HexToBase64Url(clientCertificate.Thumbprint));
+
+                headerJson.WriteEndObject();
+
+                headerJson.Flush();
+            }
+
+            var payloadBuff = new ArrayBufferWriter<byte>();
+
+            using (var payloadJson = new Utf8JsonWriter(payloadBuff))
+            {
+                payloadJson.WriteStartObject();
+
+                payloadJson.WriteString("jti", Guid.NewGuid());
+                payloadJson.WriteString("aud", audience);
+                payloadJson.WriteString("iss", clientId);
+                payloadJson.WriteString("sub", clientId);
+                payloadJson.WriteNumber("nbf", DateTimeOffset.UtcNow.ToUnixTimeSeconds());
+                payloadJson.WriteNumber("exp", (DateTimeOffset.UtcNow + TimeSpan.FromMinutes(30)).ToUnixTimeSeconds());
+
+                payloadJson.WriteEndObject();
+
+                payloadJson.Flush();
+            }
+
+            string header = Base64Url.Encode(headerBuff.WrittenMemory.ToArray());
+
+            string payload = Base64Url.Encode(payloadBuff.WrittenMemory.ToArray());
+
+            string flattenedJws = header + "." + payload;
+
+            byte[] signature = clientCertificate.GetRSAPrivateKey().SignData(Encoding.ASCII.GetBytes(flattenedJws), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+
+            return flattenedJws + "." + Base64Url.Encode(signature);
+        }
+
+        private static string HexToBase64Url(string hex)
+        {
+            byte[] bytes = new byte[hex.Length / 2];
+
+            for (int i = 0; i < hex.Length; i += 2)
+                bytes[i / 2] = Convert.ToByte(hex.Substring(i, 2), 16);
+
+            return Base64Url.Encode(bytes);
+        }
+    }
+}