Proof-of-Concept: MI via CCA #560

Closed (wants to merge 2 commits)

Conversation

rayluo
Collaborator

@rayluo rayluo commented May 9, 2023

If this PR will be merged in, the subsequent "how to use Managed Identity" docs would look like this.

Managed Identity is a kind of confidential client that you do not need to manage its credential.

  • How to use Managed Identity?
  1. In MSAL Python, you can declare a system-assigned managed identity by
mi = msal.SystemAssignedManagedIdentity()

or

mi = msal.UserAssignedManagedIdentity(client_id="my_id")

or

mi = msal.UserAssignedManagedIdentity(resource_id="my_id")

Those managed identity objects are all data objects. They do not give you tokens on their own.

  2. Now you need to feed this mi object into a ManagedIdentityClient object and then use it:
app = msal.ManagedIdentityClientApplication(mi, ...)
app.acquire_token_for_client(...)
  3. (EXPERIMENTAL) When we said earlier that "managed identity is a kind of confidential client that you do not need to manage its credential", we meant it. MSAL Python's good old ConfidentialClientApplication object also accepts the managed identity object mi as an input. So you can do:
app = msal.ConfidentialClientApplication(mi)
app.acquire_token_for_client(...)

You can choose to do either 1+2 or 1+3.

  • Recipe: Can I still use the familiar dev pattern of write code once, test locally, and then deploy the same app to remote server?

Yes, but with a caveat. Because the managed identity is only available in certain Azure environments (such as Azure VMs, Azure App Service, etc.), and not on your local dev machine, you would have to use a normal confidential client during your local testing, and switch to a real managed identity on the remote server.

MSAL Python makes the transition easy for you. In MSAL Python, all Managed Identity objects have their equivalent JSON representation, for example, UserAssignedManagedIdentity(client_id="my_id") is equivalent to {"ManagedIdentityIdType": "ClientId", "Id": "foo"}. Combining this characteristic and the 1+3 above, you could write your app in this universal way.

import os, json, msal
# Each setting is read as JSON: a managed identity dict, or null for "no credential"
client_id_or_managed_identity = json.loads(os.getenv("MY_APP"))
credential = json.loads(os.getenv("MY_CREDENTIAL"))
app = msal.ConfidentialClientApplication(client_id_or_managed_identity, client_credential=credential)
app.acquire_token_for_client(...)

Now you can set these two environment variables on your local dev machine:

MY_APP=my_normal_client_id
MY_CREDENTIAL=my_apps_client_secret

and set them differently on your remote server:

MY_APP='{"ManagedIdentityIdType": "ClientId", "Id": "foo"}'
MY_CREDENTIAL=null

Your same app will consume those two sets of settings and behave accordingly.
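The environment-driven selection described in this comment, written out as an added example (not code from the PR or from MSAL Python): it parses the two settings, tells a plain client id apart from a managed identity document, and rejects inconsistent pairs (a managed identity with a secret, or a client id without one). It also handles the case the snippet above glosses over: a bare client id such as `my_normal_client_id` is not valid JSON, so `MY_APP` is parsed as JSON only when it is JSON, and `MY_CREDENTIAL` is treated as an opaque string unless it is the literal `null`. The id-type names other than `ClientId`, and the constructed sample values, are assumptions; which constructor finally consumes the resulting pair is left to the library.

```python
import json

# Constructed sample settings in the two shapes the comment above describes:
# a plain client id plus secret for local development, and a managed identity
# JSON document plus null for an Azure host.
LOCAL_ENV = {
    "MY_APP": "my_normal_client_id",
    "MY_CREDENTIAL": "my_apps_client_secret",
}
REMOTE_ENV = {
    "MY_APP": '{"ManagedIdentityIdType": "ClientId", "Id": "foo"}',
    "MY_CREDENTIAL": "null",
}

# Assumed id types: the PR text only shows "ClientId"; "ResourceId" mirrors the
# resource_id constructor parameter it names, and "SystemAssigned" is assumed
# for the system-assigned case.
KNOWN_ID_TYPES = {"SystemAssigned", "ClientId", "ResourceId"}


def parse_app_setting(value):
    """Return the JSON object when MY_APP is JSON, otherwise the raw string.

    A client id is not valid JSON, so json.loads alone would raise on the
    local-dev value; falling back to the raw string lets one variable carry
    either shape.
    """
    if value is None:
        return None
    try:
        return json.loads(value)
    except ValueError:
        return value


def parse_credential(value):
    """Secrets are opaque strings; only the literal JSON null means "none".

    Parsing a secret as JSON would mangle one that happens to look like a
    number or boolean, so no attempt is made.
    """
    if value is None or value.strip() == "null":
        return None
    return value


def is_managed_identity(app_setting):
    """True when the setting is a managed identity dict of the documented shape."""
    return (
        isinstance(app_setting, dict)
        and app_setting.get("ManagedIdentityIdType") in KNOWN_ID_TYPES
        and "Id" in app_setting
    )


def build_client_kwargs(env):
    """Map MY_APP / MY_CREDENTIAL to (client_id_or_managed_identity, client_credential).

    Rejects the inconsistent combinations so a misconfigured deployment fails
    at startup rather than at the first token request.
    """
    app_setting = parse_app_setting(env.get("MY_APP"))
    credential = parse_credential(env.get("MY_CREDENTIAL"))
    if is_managed_identity(app_setting):
        if credential is not None:
            raise ValueError("a managed identity does not take a client credential")
        return app_setting, None
    if isinstance(app_setting, str) and app_setting:
        if credential is None:
            raise ValueError("a plain client id requires a client credential")
        return app_setting, credential
    raise ValueError("MY_APP must be a client id string or a managed identity JSON object")


if __name__ == "__main__":
    print(build_client_kwargs(LOCAL_ENV))
    print(build_client_kwargs(REMOTE_ENV))
```

The returned pair is exactly what the comment above feeds to the constructor as `client_id_or_managed_identity` and `client_credential`; reading the real environment is a matter of passing `os.environ` instead of the constructed dicts.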

@rayluo rayluo force-pushed the mi branch 2 times, most recently from fc9ad88 to fd0c94b Compare June 14, 2023 22:19
@rayluo rayluo closed this Jun 20, 2023
@jiasli
Contributor

jiasli commented Jun 10, 2025

Moved this comment to #687 (comment)

@rayluo
Collaborator Author

rayluo commented Jun 11, 2025

There is an internal work item of migrating to managed identity + multitenant application (MI+CCA). Below is some sample code:

This PR may need to be resurrected.

The PR here is not the droid you are looking for. :-)

To clarify, the PR 560 here was for a usage like this:

mi = msal.SystemAssignedManagedIdentity()
app = msal.ConfidentialClientApplication(mi)  # It does NOT contain client id
app.acquire_token_for_client(...)

Note that its usage is "using a managed identity instance as if it is a client id", therefore it does NOT even allow specifying a normal client_id parameter. So, it was NOT about a confidential client (a.k.a. service principal) federated by a managed identity. It was about providing pure Managed Identity functionality via the existing ConfidentialClientApplication API. I was experimenting with this approach to avoid adding a dedicated ManagedIdentityClient class. We did not choose this approach.

But the good news is we have another PR that is for the federation scenario. That PR's usage is "using a managed identity instance as if it is a client credential", together with a normal client id, therefore it is the federation pattern. Please subscribe to that PR and the subsequent conversation can happen there.

@jiasli
Contributor

jiasli commented Jun 13, 2025

Ah, I indeed mean #687. My memory is "corrupted".
