Add workload identity as a MSAL option (#228)

danielkoek · MattB-msft · web-flow · commit 3025a8405d0c · 2025-06-20T11:25:39.000-07:00
* Add workload identity options

* Bit clearer!

* Add Federation token file

* Update ConnectionSettings.cs

* Add file exists check

---------

Co-authored-by: MattB &lt;mattb-msft@hotmail.com&gt;
diff --git a/src/libraries/Authentication/Authentication.Msal/Model/AuthTypes.cs b/src/libraries/Authentication/Authentication.Msal/Model/AuthTypes.cs
@@ -10,6 +10,7 @@ public enum AuthTypes
         ClientSecret,
         UserManagedIdentity,
         SystemManagedIdentity,
-        FederatedCredentials
+        FederatedCredentials,
+        WorkloadIdentity
     }
 }
diff --git a/src/libraries/Authentication/Authentication.Msal/Model/ConnectionSettings.cs b/src/libraries/Authentication/Authentication.Msal/Model/ConnectionSettings.cs
@@ -5,6 +5,7 @@
 using Microsoft.Agents.Core;
 using Microsoft.Extensions.Configuration;
 using System;
+using System.IO;
 
 namespace Microsoft.Agents.Authentication.Msal.Model
 {
@@ -69,6 +70,11 @@ public ConnectionSettings(IConfigurationSection msalConfigurationSection) : base
         /// </summary>
         public bool SendX5C { get; set; } = false;
 
+        /// <summary>
+        /// Token path used for the workload identity, like the MSAL example for AKS, equal to AZURE_FEDERATED_TOKEN_FILE 
+        /// </summary>
+        public string FederatedTokenFile { get; set; }
+        
         /// <summary>
         /// ClientId of the ManagedIdentity used with FederatedCredentials
         /// </summary>
@@ -147,6 +153,25 @@ public void ValidateConfiguration()
                         throw new ArgumentNullException(nameof(Authority), "TenantId or Authority is required");
                     }
                     break;
+                case AuthTypes.WorkloadIdentity:
+                    if (string.IsNullOrEmpty(ClientId))
+                    {
+                        throw new ArgumentNullException(nameof(ClientId), "ClientId is required");
+                    }
+                    if (string.IsNullOrEmpty(Authority) && string.IsNullOrEmpty(TenantId))
+                    {
+                        throw new ArgumentNullException(nameof(Authority), "TenantId or Authority is required");
+                    }
+                    if (string.IsNullOrEmpty(FederatedTokenFile))
+                    {
+                        throw new ArgumentNullException(nameof(FederatedTokenFile), "FederatedTokenFile option is required");
+                       
+                    }
+                    if (!File.Exists(FederatedTokenFile))
+                    {
+                        throw new ArgumentNullException(nameof(FederatedTokenFile), "FederatedToken file is not present");
+                    }
+                    break;
                 default:
                     break;
             }
diff --git a/src/libraries/Authentication/Authentication.Msal/MsalAuth.cs b/src/libraries/Authentication/Authentication.Msal/MsalAuth.cs
@@ -16,6 +16,7 @@
 using System;
 using System.Collections.Concurrent;
 using System.Collections.Generic;
+using System.IO;
 using System.Linq;
 using System.Threading.Tasks;
 
@@ -37,6 +38,8 @@ public class MsalAuth : IAccessTokenProvider, IOBOExchange, IMSALProvider
         private readonly ConnectionSettings _connectionSettings;
         private readonly ILogger _logger;
         private readonly ICertificateProvider _certificateProvider;
+        private DateTimeOffset _lastReadWorkloadIdentity;
+        private string _lastJwtWorkLoadIdentity = null;
 
         /// <summary>
         /// Creates a MSAL Authentication Instance. 
@@ -236,6 +239,18 @@ async Task<String> FetchExternalTokenAsync()
                     }
                     cAppBuilder.WithClientAssertion((AssertionRequestOptions options) => FetchExternalTokenAsync());
                 }
+                else if (_connectionSettings.AuthType == AuthTypes.WorkloadIdentity)
+                {
+                    cAppBuilder.WithClientAssertion(() =>
+                    {
+                        // read only once every 5 minutes, less heavy for I/O
+                        if (_lastJwtWorkLoadIdentity != null && DateTimeOffset.UtcNow.Subtract(_lastReadWorkloadIdentity) <= TimeSpan.FromMinutes(5)) 
+                            return _lastJwtWorkLoadIdentity;
+                        _lastReadWorkloadIdentity = DateTimeOffset.UtcNow;
+                        _lastJwtWorkLoadIdentity = File.ReadAllText(_connectionSettings.FederatedTokenFile);
+                        return _lastJwtWorkLoadIdentity;
+                    });
+                }
                 else
                 {
                     throw new System.NotImplementedException();

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ public enum AuthTypes`
`10`	`10`	`ClientSecret,`
`11`	`11`	`UserManagedIdentity,`
`12`	`12`	`SystemManagedIdentity,`
`13`		`- FederatedCredentials`
	`13`	`+ FederatedCredentials,`
	`14`	`+ WorkloadIdentity`
`14`	`15`	`}`
`15`	`16`	`}`