# SLC

Bogdan Gavril edited this page Oct 25, 2023 · 13 revisions
| SDK | MSI CAE support | MSI TB support | FIC CAE | FIC TB | Ease of use |
|---|---|---|---|---|---|
| MSAL | Y | N | Y | N | Hard |
| ID.Web | N | N | Y | N | Easy |
| Azure.Identity | N | N | N | N | ? |

Abbreviations: MSI = managed identity, CAE = continuous access evaluation (claims challenges), FIC = federated identity credential, TB = token binding (mTLS proof of possession, as in the sketch below).

We recommend using the higher-level SDKs (Microsoft.Identity.Web and Azure.Identity). Applications that need full control (e.g. other SDKs built on top of MSAL) can use MSAL directly.
## MSI CAE + TB
```csharp
// Design sketch of the proposed managed identity (MSI) flow with CAE and mTLS token binding.
// ManagedIdentityApplication.Create / AcquireToken / TryMtlsProofOfPossession / MtlsCertificate are
// the proposed names used on this page; the rest is standard .NET and shipped MSAL API.
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class MsiCaeTokenBinding
{
    // Bound the claims-challenge retry loop (the TODO in the earlier sketch).
    private const int MaxClaimsChallengeRetries = 2;

    // One HttpClient per binding certificate (keyed by thumbprint) plus one non-mTLS client.
    private static readonly ConcurrentDictionary<string, HttpClient> s_httpClients =
        new ConcurrentDictionary<string, HttpClient>();

    public static async Task<AuthenticationResult> GetMsiTokenAsync(string resource, string claims)
    {
        ManagedIdentityApplication mia = ManagedIdentityApplication
            .Create(ManagedIdentityType.SystemAssigned)
            .WithClientCapabilities(new[] { "cp1" }); // "cp1" tells the issuer the app can handle CAE claims challenges

        // If claims are not null, the cache is bypassed and a new token is acquired.
        AuthenticationResult authResult = await mia.AcquireToken(resource)
            .WithClaims(claims)
            .TryMtlsProofOfPossession() // if the resource doesn't support mTLS PoP, we still get a Bearer token
            .ExecuteAsync().ConfigureAwait(false);
        return authResult;
    }

    // createRequest is a factory because an HttpRequestMessage cannot be sent twice.
    public static async Task<HttpResponseMessage> CallProtectedApiAsync(
        AuthenticationResult ar, string resource, Func<HttpRequestMessage> createRequest, int attempt = 0)
    {
        HttpRequestMessage request = createRequest();
        // "Bearer <token>" or "PoP <token>", depending on what was issued.
        request.Headers.Authorization = AuthenticationHeaderValue.Parse(ar.CreateAuthorizationHeader());

        HttpClient httpClient = GetHttpClient(ar.MtlsCertificate);
        HttpResponseMessage response = await httpClient.SendAsync(request).ConfigureAwait(false);

        if (response.StatusCode == HttpStatusCode.Unauthorized && attempt < MaxClaimsChallengeRetries)
        {
            string claims = ParseClaimsChallenge(response);
            if (claims != null)
            {
                // CAE claims challenge: re-acquire with the claims and retry. Once the retry budget is
                // exhausted the 401 is returned to the caller instead of looping.
                AuthenticationResult arWithClaims = await GetMsiTokenAsync(resource, claims).ConfigureAwait(false);
                return await CallProtectedApiAsync(arWithClaims, resource, createRequest, attempt + 1).ConfigureAwait(false);
            }
        }
        return response;
    }

    private static string ParseClaimsChallenge(HttpResponseMessage response)
    {
        // MSAL helper: returns the decoded claims="..." parameter of the WWW-Authenticate challenge, or null.
        return WwwAuthenticateParameters.GetClaimChallengeFromResponseHeaders(response.Headers);
    }

    public static HttpClient GetHttpClient(X509Certificate2 certificate)
    {
        if (certificate == null)
        {
            return s_httpClients.GetOrAdd("non_mtls", _ => new HttpClient());
        }
        return s_httpClients.GetOrAdd(certificate.Thumbprint, _ =>
        {
            var handler = new HttpClientHandler();
            handler.ClientCertificates.Add(certificate); // presented in the TLS handshake, binding the PoP token
            return new HttpClient(handler);
        });
    }

    // ORCHESTRATION LOGIC
    public static async Task<HttpResponseMessage> ListStuffAsync()
    {
        const string resource = "https://arm.management.com/.default"; // placeholder resource from the sketch
        // Leg 1 - get MSI token (no claims; the cache may be used)
        AuthenticationResult ar = await GetMsiTokenAsync(resource, claims: null).ConfigureAwait(false);
        // Leg 2 - call the API; a CAE claims challenge is handled inside CallProtectedApiAsync
        return await CallProtectedApiAsync(ar, resource,
            () => new HttpRequestMessage(HttpMethod.Get, "https://arm.management.com/list_stuff")).ConfigureAwait(false);
    }
}
```
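The sketch above hides the claims-challenge parsing behind `ParseClaimsChallenge`. The following is an added example, not code from this page or from MSAL, showing what a CAE challenge actually looks like on the wire and how to pull the `claims` parameter out of `WWW-Authenticate` and base64url-decode it into the JSON that `.WithClaims(...)` expects. The header value and the claims payload are constructed for illustration; the parser assumes the `scheme key="value", key="value"` layout that Azure AD challenges use and does not try to handle commas inside quoted values that look like a new challenge.

```csharp
// Added example: parse a CAE claims challenge from a WWW-Authenticate header by hand.
// The header value below is constructed for illustration, not captured from a real service.
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.RegularExpressions;

public static class ClaimsChallengeParser
{
    // A challenge starts with a scheme token followed by whitespace and then a key=value pair.
    private static readonly Regex s_challengeStart = new Regex(
        @"(?:^|,)\s*(?<scheme>[A-Za-z][A-Za-z0-9_\-]*)\s+(?=[A-Za-z0-9_\-]+\s*=)", RegexOptions.Compiled);

    // Matches   key="quoted value"   or   key=token   inside a challenge's parameter list.
    private static readonly Regex s_param = new Regex(
        @"(?<key>[A-Za-z0-9_\-]+)\s*=\s*(?:""(?<q>[^""]*)""|(?<t>[^\s,]+))", RegexOptions.Compiled);

    // Returns the parameters of the challenge with the given scheme (case-insensitive), or null if absent.
    public static IDictionary<string, string> GetChallengeParameters(string wwwAuthenticate, string scheme)
    {
        MatchCollection starts = s_challengeStart.Matches(wwwAuthenticate);
        for (int i = 0; i < starts.Count; i++)
        {
            if (!string.Equals(starts[i].Groups["scheme"].Value, scheme, StringComparison.OrdinalIgnoreCase))
                continue;
            int begin = starts[i].Index + starts[i].Length;
            int end = i + 1 < starts.Count ? starts[i + 1].Index : wwwAuthenticate.Length;
            var parameters = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
            foreach (Match m in s_param.Matches(wwwAuthenticate.Substring(begin, end - begin)))
            {
                parameters[m.Groups["key"].Value] = m.Groups["q"].Success ? m.Groups["q"].Value : m.Groups["t"].Value;
            }
            return parameters;
        }
        return null;
    }

    // The claims parameter is base64url-encoded JSON (padding optional); WithClaims wants the decoded JSON.
    public static string DecodeClaims(string base64Url)
    {
        string s = base64Url.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4) { case 2: s += "=="; break; case 3: s += "="; break; }
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    // Looks for a claims challenge under the Bearer or PoP scheme; null means "not a claims challenge, do not retry".
    public static string ExtractClaimsChallenge(string wwwAuthenticate)
    {
        foreach (string scheme in new[] { "Bearer", "PoP" })
        {
            IDictionary<string, string> p = GetChallengeParameters(wwwAuthenticate, scheme);
            if (p != null && p.TryGetValue("claims", out string claims))
                return DecodeClaims(claims);
        }
        return null;
    }

    public static void Main()
    {
        // Constructed CAE challenge: error=insufficient_claims with a payload asking for a token not issued before "nbf".
        const string sampleClaims = "{\"access_token\":{\"nbf\":{\"essential\":true,\"value\":\"1698192000\"}}}";
        string encoded = Convert.ToBase64String(Encoding.UTF8.GetBytes(sampleClaims))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        string header = "Bearer realm=\"\", authorization_uri=\"https://login.microsoftonline.com/common/oauth2/authorize\", "
            + "error=\"insufficient_claims\", claims=\"" + encoded + "\"";

        Console.WriteLine(ExtractClaimsChallenge(header));  // the JSON to hand to .WithClaims(...)

        // A plain expired-token 401 carries no claims parameter: the caller should not re-acquire with claims.
        Console.WriteLine(ExtractClaimsChallenge("Bearer realm=\"\", error=\"invalid_token\"") == null);  // True
    }
}
```

The distinction the `null` return makes is the security-relevant one for the retry loop in the sketch: only a challenge that carries `claims` justifies bypassing the token cache and re-acquiring, and even then the number of attempts should be bounded so a misbehaving resource cannot drive the client into an acquisition loop.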