Structure Setup
- App service A, with app service plan A (Free Tier), with System Assigned Identity on
- App service B, with app service plan B (Free Tier), with AAD authentication and authorization, with service principal B
That's it; no further setup, no app roles, no token audience.
Then I made a very simple console app using .NET 5.
```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using Microsoft.Azure.Services.AppAuthentication; // NuGet: Microsoft.Azure.Services.AppAuthentication

// Ask the managed identity of the host (App service A) for a token whose audience is SPN B's client id
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var token = azureServiceTokenProvider.GetAccessTokenAsync("SPN B's client Id", "Tenant Id").GetAwaiter().GetResult();
Console.WriteLine(token);

// Call App service B with that token as the bearer credential
using (var hc = new HttpClient())
{
    hc.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
    var res = hc.GetAsync("App service B url").GetAwaiter().GetResult();
    var body = res.Content.ReadAsStringAsync().GetAwaiter().GetResult();
    Console.WriteLine(body);
}
```
Then I dropped this console app into App service A's Kudu console and ran it. Surprisingly, it was able to use the managed identity token to access app service B.
I am very confused; the managed identity should not have any access. The returned JWT token:
```json
{
  "aud": "SPN B's client id",
  "iss": "issuer",
  "iat": 1614463676,
  "nbf": 1614463676,
  "exp": 1614550376,
  "aio": "E2ZgYHAIulMkupMv5ku6dYrERh0LAA==",
  "appid": "Managed identity client id",
  "appidacr": "2",
  "idp": "issuer",
  "oid": "Managed identity object id",
  "rh": "0.ASgA43WCTWxU70i_QFayzgGduttb1iTw-FBIn9cvBo6st-IoAAA.",
  "sub": "Managed identity object id",
  "tid": "tenant id",
  "uti": "--aa0ubSrEqW4yeOzeYBAA",
  "ver": "1.0"
}
```
Could someone please help me understand this situation? Is it because of the free tier app service plan or other default setups?
Thank you a lot in advance!
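The token above is a valid Azure AD token for App service B's audience, but it carries no `roles` claim and nothing ties the caller to App service B beyond the audience. The following is an added example, not code from the question or from Microsoft, showing an explicit caller-authorization step that App service B could run on top of the platform's authentication: it accepts a request only when the token's audience is this app, the `appid` (or `azp`) claim is in an allowlist, and, optionally, the token carries a required app role. The names `CallerAuthorization`, `IsAuthorizedCaller`, `AllowedAppIds`, `UseCallerAuthorization`, the placeholder GUID and the role name are assumptions of this example. It assumes App Service authentication has already validated the signature, issuer, audience and expiry before the request reaches the app; `JwtSecurityTokenHandler.ReadJwtToken` only parses claims and does not verify the signature.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;   // NuGet: System.IdentityModel.Tokens.Jwt
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Added example, not code from the question: an explicit caller-authorization
// check for App Service B, applied after the platform has validated the token.
public static class CallerAuthorization
{
    // Hypothetical allowlist of caller client ids (the token's "appid" claim).
    // Placeholder value; in practice this holds the managed identity client id
    // of each caller that is meant to reach App Service B.
    public static readonly HashSet<string> AllowedAppIds =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "00000000-0000-0000-0000-000000000000"
        };

    // Returns true only when the token is for this app, comes from an allowlisted
    // caller and, if requiredRole is set, carries that app role in "roles".
    public static bool IsAuthorizedCaller(string bearerToken, string expectedAudience,
                                          string requiredRole, out string reason)
    {
        JwtSecurityToken jwt;
        try
        {
            // Parses the claims only; signature validation is assumed to have
            // happened upstream in App Service authentication.
            jwt = new JwtSecurityTokenHandler().ReadJwtToken(bearerToken);
        }
        catch (ArgumentException)
        {
            reason = "malformed token";
            return false;
        }

        if (!jwt.Audiences.Contains(expectedAudience, StringComparer.OrdinalIgnoreCase))
        {
            reason = "token audience does not match this app";
            return false;
        }

        // Which identity obtained the token: "appid" in v1.0 tokens, "azp" in v2.0.
        var appId = jwt.Claims.FirstOrDefault(c => c.Type == "appid" || c.Type == "azp")?.Value;
        if (appId == null || !AllowedAppIds.Contains(appId))
        {
            reason = $"caller {appId ?? "<none>"} is not an allowed client application";
            return false;
        }

        // The token in the question has no "roles" claim at all, so a role
        // requirement rejects it even though the audience matched.
        if (requiredRole != null &&
            !jwt.Claims.Any(c => c.Type == "roles" && c.Value == requiredRole))
        {
            reason = $"caller lacks app role '{requiredRole}'";
            return false;
        }

        reason = "ok";
        return true;
    }
}

public static class CallerAuthorizationMiddleware
{
    // Hooks the check into the ASP.NET Core pipeline: 401 without a bearer token,
    // 403 when the caller is authenticated but not authorized.
    public static IApplicationBuilder UseCallerAuthorization(this IApplicationBuilder app,
                                                             string expectedAudience,
                                                             string requiredRole = null)
    {
        return app.Use(async (context, next) =>
        {
            var header = context.Request.Headers["Authorization"].ToString();
            if (!header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            {
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                return;
            }

            var token = header.Substring("Bearer ".Length).Trim();
            if (!CallerAuthorization.IsAuthorizedCaller(token, expectedAudience, requiredRole, out var reason))
            {
                context.Response.StatusCode = StatusCodes.Status403Forbidden;
                await context.Response.WriteAsync(reason);
                return;
            }

            await next();
        });
    }
}
```

Register it early in `Startup.Configure`, for example `app.UseCallerAuthorization(expectedAudience: "SPN B's client id", requiredRole: "Caller.Access");`, before the endpoints. With the allowlist empty of the managed identity's client id, or with a role required, the token shown in the question is refused with a 403 and the reason is visible in the response for troubleshooting. The same outcome can be reached at the platform level by restricting which client applications App Service authentication accepts or by defining an app role on SPN B and assigning it to App service A's managed identity; the in-app check is useful because it makes the decision explicit in code and logs.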