4
votes

A very common flow for applications running in Azure and App Services is the on-behalf-of flow where the app can exchange an incoming access token along with its ClientId/ClientSecret to get access to another resource as the user. Looking at the current, limited, docs on the MSI API, I only see getting an access token as the app itself.

How/when will the OBO scenario be supported?

I am aware that you could store the ClientId/ClientSecret in Key Vault and then use the MSI creds to retrieve those, but that seems redundant.

1
Hi Wayne, yes, I am aware of the flow, but that does require the client id and client secret of the application to perform. The question relates to getting and managing those. It seems redundant, and unnecessary, to have to use Key Vault just to store those so an app can retrieve them and use them when the MSI token endpoint could handle these as well. - Claire Novotny
@OrenNovotny IIUC, during Step 2, the ClientId & Secret would be retrieved from MSI. - JoeBrockhaus
@JoeBrockhaus if those are available via env variable, that would work too. - Claire Novotny
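To make the distinction in the question concrete, here is an added example (not code from the original post or from Microsoft) that builds the two token requests side by side: the app-only request to the App Service MSI endpoint, and the on-behalf-of exchange against Azure AD that needs a ClientId/ClientSecret. It also walks the Key Vault workaround from the comments end to end through an injected transport, so it runs offline. Assumptions: the App Service MSI endpoint is reached through the MSI_ENDPOINT / MSI_SECRET environment variables with api-version 2017-09-01, the Azure AD v1 token endpoint is used for the OBO exchange, and Key Vault is read through its REST API at api-version 7.0; every endpoint, tenant, client id, token and secret value below is a constructed placeholder.

```python
import os
import urllib.parse

# OAuth 2.0 grant type used by the Azure AD on-behalf-of exchange.
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# Resource identifier for the Key Vault data plane (used by the workaround).
KEY_VAULT_RESOURCE = "https://vault.azure.net"


def msi_app_token_request(resource, env=None):
    """Build the App Service MSI request for an app-only token.

    Assumes the MSI_ENDPOINT / MSI_SECRET environment variables and the
    2017-09-01 API version. No client secret appears anywhere: the platform
    vouches for the app, which is exactly why this token is the app's, not a user's.
    """
    env = os.environ if env is None else env
    query = urllib.parse.urlencode({"resource": resource, "api-version": "2017-09-01"})
    return {
        "method": "GET",
        "url": f"{env['MSI_ENDPOINT']}?{query}",
        "headers": {"Secret": env["MSI_SECRET"]},
        "body": None,
    }


def obo_token_request(tenant, client_id, client_secret, incoming_token, resource):
    """Build the Azure AD (v1 endpoint) on-behalf-of token exchange.

    The user's incoming access token is the assertion, the app authenticates
    with client_id + client_secret, and the returned token is for `resource`
    as the user rather than as the app.
    """
    form = {
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": incoming_token,
        "resource": resource,
        "requested_token_use": "on_behalf_of",
    }
    return {
        "method": "POST",
        "url": f"https://login.microsoftonline.com/{tenant}/oauth2/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urllib.parse.urlencode(form),
    }


def keyvault_secret_request(vault_url, secret_name, bearer_token):
    """Read one secret's current version from Key Vault (REST api-version 7.0)."""
    return {
        "method": "GET",
        "url": f"{vault_url}/secrets/{secret_name}?api-version=7.0",
        "headers": {"Authorization": f"Bearer {bearer_token}"},
        "body": None,
    }


def form_fields(request):
    """Decode a form-encoded request body into a flat dict (for inspection)."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(request["body"] or "").items()}


def obo_via_keyvault(send, env, vault_url, secret_name, tenant, client_id, incoming_token, resource):
    """The workaround the question calls redundant, end to end.

    `send` is any callable that performs one request dict and returns the
    parsed JSON body. Three round trips: MSI app token -> Key Vault secret ->
    OBO exchange. The client secret still exists; it is merely fetched late.
    """
    msi = send(msi_app_token_request(KEY_VAULT_RESOURCE, env))
    secret = send(keyvault_secret_request(vault_url, secret_name, msi["access_token"]))
    return send(obo_token_request(tenant, client_id, secret["value"], incoming_token, resource))


class RecordingTransport:
    """Constructed stand-in for an HTTP client so the flow runs offline:
    records every request and answers with canned JSON shaped like the real
    responses. Values are placeholders, not real tokens."""

    def __init__(self):
        self.calls = []

    def __call__(self, request):
        self.calls.append(request)
        if "Secret" in request["headers"]:          # MSI endpoint
            return {"access_token": "app-only-token-constructed", "token_type": "Bearer"}
        if "Authorization" in request["headers"]:   # Key Vault
            return {"value": "client-secret-from-vault-constructed"}
        return {"access_token": "delegated-token-constructed", "token_type": "Bearer"}  # Azure AD


if __name__ == "__main__":
    # Constructed environment; a real App Service injects these variables.
    env = {"MSI_ENDPOINT": "http://127.0.0.1:41234/MSI/token/", "MSI_SECRET": "constructed-msi-secret"}
    transport = RecordingTransport()
    token = obo_via_keyvault(transport, env, "https://constructed-vault.vault.azure.net",
                             "app-client-secret", "contoso.onmicrosoft.com",
                             "00000000-0000-0000-0000-000000000000",
                             "eyJ.incoming-user-token.constructed", "https://graph.microsoft.com")
    for call in transport.calls:
        fields = form_fields(call)
        if "client_secret" in fields:
            fields["client_secret"] = "<redacted>"
        print(call["method"], call["url"], fields)
    print("delegated token:", token["access_token"])
```

Running it prints the three requests in order; the only one that carries a client secret is the final OBO exchange, which is the credential the question would rather not manage at all. Swap `RecordingTransport` for a function that actually performs the request dict (any HTTP client will do) to use the same builders against real endpoints.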

1 Answer

2
votes

MSI does not support the On Behalf Of flow yet, or other delegated confidential client OAuth 2.0 flows with Azure AD (like the auth code flow). It is in the design process; no ETA has been announced yet.