Developer support with Managed Identity for Custom API in Azure AD

0
votes

I have created a proposal to implement managed identity between Azure web app hosted APIs. All APIs share one app identity. This app has defined a role. This role is assigned to all the services so every api can call every other api without configuring any passwords. Every app validates the Audience, the issuer and the authority.

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(o =>
                {...

Every caller acquires the access token using

azureServiceTokenProvider.GetAccessTokenAsync().

Having done that, now the challenge is how to make this work for developers. When Both the calling as well as called API or one of these is in my visual studio, there is no system defined identity for the caller and no "IDENTITY_ENDPOINT" header to get the token from.

1
azure-active-directoryazure-managed-identity

1 Answers

1
votes

Since you said all apis share one app identity, that would imply you are using a user-assigned managed identity and not a system one. Either way, managed identities are basically a special type of Service principal locked to azure services, meaning only azure services can use them. so for developers you basically need an azure service, in this case a web app / app service to deploy things to in order to test with the managed identity. There is no way around that if you are using managed identities.

However, as per https://docs.microsoft.com/en-us/azure/key-vault/general/service-to-service-authentication#authenticating-to-azure-services using appauthentication library, uses your dev credentials to run in your local development environment. so if you gave the role / access to all your dev's identities testing locally would work.

Other option include creating your own app registrations / service principals, and configuring your apis / apps etc to use them. in theory you can do the same, eg create a single app registration , and expose/give permissions to all apis, then create a client secret, and make all your apis use that single app registration. then using the secret/cert whatever method as the connection string of the azureservicetokenprovider. https://docs.microsoft.com/en-us/azure/key-vault/general/service-to-service-authentication#connection-string-support