** Breaking change on August 25th**

[vadimazarov]

We are introducing a new trusted application that will generate tokens for workloads.

Today, the client that generates tokens in control plane APIs (CRUD/Jobs) is Fabric client (with appId = "00000009-0000-0000-c000-000000000000").
It is being replaced with this new client - "Fabric client for workloads", with appId "d2450708-699c-41e3-8077-b0c8341509aa".

What you should do to prevent your workload from breaking:

1. Add another preauthorization for the new application for the scopes of control plane APIs (for the scopes that preauthorize the '...009....' app today). In our example - for the scope "FabricWorkloadControl"
   

2. When validating appOnly tokens, validate that the appId is Fabric client (00000009-0000-0000-c000-000000000000) OR the new Fabric client for workloads (d2450708-699c-41e3-8077-b0c8341509aa).

See this PR for reference: Add Fabric Client for Workloads as a trusted application by ramizsha · Pull Request #36 · microsoft/Microsoft-Fabric-workload-development-sample (github.com)

Add Fabric Client for Workloads as a trusted application:

1. Add a preauthorization step to preauthorize Fabric Client for Workloads for control plane scope.
2. Change validation of appId in the appOnly token in authentication service to validate one of 2 apps (Fabric App or Fabric Client for Workloads app).

Please make sure to make those changes before the 25th of August (2024 :) ) to avoid breaking your workload!
Note: In the future, you will not need to preauthorize Fabric app (00000009-0000-0000-c000-000000000000) once we fully migrate to the new application (d2450708-699c-41e3-8077-b0c8341509aa).