Use managed identity on Azure VM for .Net application to talk to Azure Web App API through MSAL - Stack Overflow

admin, 2025-04-26

Sorry if any of my terminology is wrong in this question; I'm not an expert in MSAL, nor in Managed Identities.

I currently have a setup that includes 1) an Azure VM with a .NET-based application running on it, 2) a .NET-based Azure Web App API, and 3) the application on the VM needs to make securely authenticated HTTP requests to the API.

The API code makes use of the [Authorize] attribute in all of the Controllers and is configured with an App Registration (say it's called ApiAppReg).

I have another app registration (say it's called VmAppReg), and this app registration is granted permission (in the API Permissions blade) to the ApiAppReg through an App Role. I then have a client secret to the VmAppReg that is used in the calling application to get an access token.

Here's a code snippet from the calling application showing how I currently use the MSAL SDK to acquire an Access Token, which is then used in HTTP requests to the API.

using Microsoft.Identity.Client;

string msalClientId = "VmAppReg-Client-Id";
string msalClientSecret = "VmAppReg-Client-Secret";

// Confidential client: the app proves its own identity with the secret (client credentials flow)
IConfidentialClientApplication msalClientApp = ConfidentialClientApplicationBuilder
    .Create(msalClientId)
    .WithClientSecret(msalClientSecret) // would like to move away from using a secret here
    .Build();

string msalTenantId = "Tenant-Id";
string msalScope = "Scope"; // for app-only tokens this is the API's "<Application ID URI>/.default"

// App-only token (no signed-in user), issued by the tenant's authority
AuthenticationResult authResult = await msalClientApp
    .AcquireTokenForClient(scopes: new[] { msalScope })
    .WithAuthority(AzureCloudInstance.AzurePublic, msalTenantId)
    .ExecuteAsync();

string accessToken = authResult.AccessToken;

The problem with this is that I'd like to move away from using the Client Secret (which expires every 6 months) and instead somehow use Managed Identities (if possible) to allow the application on the VM to have access to the API without having to store secrets.

Typically, wherever I use managed identities I'm able to use new DefaultAzureCredential() when I create a client (e.g. CosmosClient, QueueClient, BlobClient, etc.), but I can't seem to figure it out with the MSAL SDK (if it's even possible).

Any help is greatly appreciated.
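The following is an added example, not code from the question or from Microsoft, showing the secret-free version of the flow above: MSAL.NET's managed identity support (ManagedIdentityApplicationBuilder, available since MSAL.NET 4.54) acquires an app-only token for the API from the VM's system-assigned identity, the caller checks that the token actually carries the expected app role before using it, and then calls the API. The resource identifier `api://<ApiAppReg-Client-Id>`, the role value `Api.Access`, the API hostname and the path are placeholders assumed for illustration; substitute the Application ID URI and app role defined on ApiAppReg.

```csharp
// Added example (not from the original question): replace the client-secret
// confidential client with the VM's managed identity.
// Assumes Microsoft.Identity.Client >= 4.54 and that the VM's system-assigned
// managed identity has already been assigned the API's app role (see note below).
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class ManagedIdentityApiCaller
{
    // Managed identity requests take a resource, not a scope: MSAL asks for the
    // equivalent of "<resource>/.default". All three values are placeholders.
    private const string ApiResource  = "api://<ApiAppReg-Client-Id>";
    private const string RequiredRole = "Api.Access";
    private const string ApiBaseUrl   = "https://<your-api>.azurewebsites.net";

    public static async Task<string> CallApiAsync(string relativePath)
    {
        // No client id, no secret: the token is fetched from the VM's Azure Instance
        // Metadata Service (IMDS), which is only reachable from inside the VM.
        // For a user-assigned identity use ManagedIdentityId.WithUserAssignedClientId(...).
        IManagedIdentityApplication mi = ManagedIdentityApplicationBuilder
            .Create(ManagedIdentityId.SystemAssigned)
            .Build();

        AuthenticationResult result = await mi
            .AcquireTokenForManagedIdentity(ApiResource)
            .ExecuteAsync();

        // Caveat worth checking up front: Entra ID issues a token even when the managed
        // identity has NOT been assigned any app role on the API; it simply has no
        // "roles" claim, and the API's authorization policy then answers 403.
        // Failing here gives a clearer error than a bare 403 from the API.
        if (!HasRole(result.AccessToken, RequiredRole))
        {
            throw new InvalidOperationException(
                $"Token carries no '{RequiredRole}' role; assign the app role to the VM's managed identity.");
        }

        using var http = new HttpClient { BaseAddress = new Uri(ApiBaseUrl) };
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);
        using HttpResponseMessage response = await http.GetAsync(relativePath);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }

    // Reads the "roles" claim from the JWT payload. This is a local sanity check only
    // and does NOT validate the token; signature, issuer and audience are validated
    // by the API, which is the only party that must trust it.
    public static bool HasRole(string jwt, string role)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) return false;

        byte[] payload = Convert.FromBase64String(Base64UrlToBase64(parts[1]));
        using JsonDocument doc = JsonDocument.Parse(payload);
        if (!doc.RootElement.TryGetProperty("roles", out JsonElement roles)) return false;

        foreach (JsonElement r in roles.EnumerateArray())
        {
            if (r.GetString() == role) return true;
        }
        return false;
    }

    // JWT segments are base64url without padding; Convert.FromBase64String wants
    // standard base64 with padding.
    private static string Base64UrlToBase64(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        return b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
    }
}
```

Two things the example assumes are in place. First, a managed identity has no app registration, so the API Permissions blade used for VmAppReg does not apply; the app role is granted to the identity's service principal instead, e.g. with Microsoft Graph PowerShell: `New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId <MI object id> -PrincipalId <MI object id> -ResourceId <ApiAppReg service principal object id> -AppRoleId <app role id>`. Second, if you would rather stay with the Azure.Identity pattern you already use for CosmosClient and friends, `new ManagedIdentityCredential().GetTokenAsync(new TokenRequestContext(new[] { ApiResource + "/.default" }))` returns the same kind of token and can be dropped into a DelegatingHandler on the HttpClient; MSAL is not required for managed identity, it is just the option that stays closest to the existing code.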

Please credit the original source when reposting: http://anycun.com/QandA/1745637424a91045.html