[QUERY] Should the UserAssertion parameter be used as part of the TokenRequestContext

Library name and version

Azure.Identity

Query/Question

When trying to use the OnBehalfOfCredential it looks like the _userAssertion property is initialized with the instance of the credential class.

https://github.com/Azure/azure-sdk-for-net/blob/9c4203dc877e870145d7e684f0a53bc36808dfed/sdk/identity/Azure.Identity/src/Credentials/OnBehalfOfCredential.cs#L24

In the event that an application has many users, multiple instances of the OnBehalfOfCredential would need to be created to handle the multiple userAssertions. This will in turn create multiple clients for requesting the token, when it may be possible to have a single credential and have the userAssertion passed in the request context to avoid the multiple instances.

Is creating new credential instances on changing userAssertions the desired flow, and is one expected to keep a collection of the instances if they want to leverage the cache used in an instance?

Environment

Is creating new credential instances on changing userAssertions the desired flow, or should one keep the instances in a collection to leverage the cache in an instance?

Issue Analytics

  • State: closed
  • Created 7 months ago
  • Comments: 7 (5 by maintainers)

Top GitHub Comments

1 reaction
christothes commented, Feb 24, 2023

Is there a scenario where the library looks into the userAssertion being passable via the TokenRequestContext thus enabling one credential to be used for the authentication of the users?

No, we don’t support this today.

If your environment is ASP.NET, you may want to use the Microsoft.Identity.Web library, which supports the On-Behalf-Of flow: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-web-api-call-api-overview

0 reactions
msftbot[bot] commented, Mar 3, 2023

Hi, we’re sending this friendly reminder because we haven’t heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don’t hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!
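
One way to keep the collection of credential instances that the question asks about, as an added example that is not part of the thread and is not Azure SDK code. The class name `OboCredentialCache`, the size limit and the expiry values are assumptions, and the assertion expiry is assumed to come from the `exp` claim of the incoming token after the API has validated it.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.Caching.Memory;

// Hypothetical helper: one OnBehalfOfCredential per user assertion, held in a
// bounded cache so each instance's own token cache can be reused across requests.
public sealed class OboCredentialCache : IDisposable
{
    // SizeLimit bounds memory when many users are active (value is an assumption).
    private readonly MemoryCache _cache = new(new MemoryCacheOptions { SizeLimit = 1000 });
    private readonly string _tenantId, _clientId, _clientSecret;

    public OboCredentialCache(string tenantId, string clientId, string clientSecret)
    {
        _tenantId = tenantId; _clientId = clientId; _clientSecret = clientSecret;
    }

    // Key on a SHA-256 digest so the raw bearer token is never used as a cache key.
    // Distinct assertions get distinct keys, so one user's credential is never
    // handed to a request that carries another user's assertion.
    private static string KeyFor(string userAssertion) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(userAssertion)));

    public OnBehalfOfCredential GetCredential(string userAssertion, DateTimeOffset assertionExpiresOn) =>
        _cache.GetOrCreate(KeyFor(userAssertion), entry =>
        {
            entry.Size = 1;                                      // required when SizeLimit is set
            entry.AbsoluteExpiration = assertionExpiresOn;       // never outlive the assertion
            entry.SlidingExpiration = TimeSpan.FromMinutes(10);  // drop idle users early
            // GetOrCreate is not atomic: two racing requests may each build an
            // instance for the same assertion, which costs one extra token request.
            return new OnBehalfOfCredential(_tenantId, _clientId, _clientSecret, userAssertion);
        })!;

    public async Task<AccessToken> GetTokenAsync(
        string userAssertion, DateTimeOffset assertionExpiresOn,
        string[] scopes, CancellationToken ct = default)
    {
        OnBehalfOfCredential credential = GetCredential(userAssertion, assertionExpiresOn);
        return await credential.GetTokenAsync(new TokenRequestContext(scopes), ct);
    }

    public void Dispose() => _cache.Dispose();
}
```

Each cached instance holds the user's assertion and the client secret in memory, which is why the entries are capped in number and expire with the assertion.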
