-
Notifications
You must be signed in to change notification settings - Fork 337
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature Request] Add a new WithClientAssertion API that exposes the token endpoint #3352
Comments
Thanks @bgavrilMS : how was this discovered? |
@jmprieur - via ICM, it looks like ESTS errors out if the authority from the assertion (the aud claim) != token endpoint where we ask the token. The service impacted is creating their own client assertion, I think they are trying to use managed identity. |
@bgavrilMS : I think that there is an app registration issue in this case. This is the certless scenario. |
To create a client assertion in the Key Vault as described in #3355 we need to know the value for the My guess is that the specific information needed is already available in the used method, though not sure on the exact details. Can I some how contribute code to fix this issue and 3355? |
@svrooij - I am discussing with the server side folks to fix this on their end, as it should be possible to provide an aud claim with that has an alias of the environment (i.e. Until this discussion is finalized, you can use one of MSAL's extensiblity APIs for your scenario - |
There is already a Using the extension OnBeforeToken... Would mean that you have to do it everywhere where you're using the cofidential client. Instead of adding it to the builder. |
Yes, but |
WithClientAssertion did not have access to client id or token endpoint Which can be very useful Fixed AzureAD#3352 Related to AzureAD#3355
WithClientAssertion did not have access to client id or token endpoint Which can be very useful Fixed AzureAD#3352 Related to AzureAD#3355
Applications that create their own client assertion typically do it as:
However, MSAL may decide to change the input_authority, because ESTS wants the SDK to use the "preferred_network". For example, for the public cloud, if the app developer configures "sts.windows.net/12345", MSAL will use "login.microsoftonline.com/12345". And it looks like ESTS does not support sending client_assertion with
aud: sts.windows.net/12345/
overlogin.microsoftonline.com/12345
. These 2 must match.Proposal:
CC @jmprieur
The text was updated successfully, but these errors were encountered: