I'm in a situation where I'm not sure how to proceed. In our application landscape, we're implementing Managed Identities for our microservices. Currently, I'm working on an API (API-1) where I grant access to the database and other resources based on a System Assigned Managed Identity. However, this API also needs to retrieve some of its data from another API (API-2) with delegated user_impersonation permissions.
I can retrieve a token on behalf of the user in API-1 using the following code:
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// clientInformation (ClientId/TenantId) and clientSecret come from the app registration's configuration.
async Task<string> GetApiTwoTokenOnBehalfOfUserAsync(string currentAccessToken, string[] scopes, CancellationToken cancellationToken)
{
    var builder = ConfidentialClientApplicationBuilder
        .Create(clientInformation.ClientId)
        .WithAuthority($"https://login.microsoftonline.com/{clientInformation.TenantId}")
        .WithClientSecret(clientSecret);
    var userAssertion = new UserAssertion(currentAccessToken, "urn:ietf:params:oauth:grant-type:jwt-bearer");
    var application = builder.Build();
    var onBehalfOfBuilder = application.AcquireTokenOnBehalfOf(scopes, userAssertion);
    var authenticationResult = await onBehalfOfBuilder.ExecuteAsync(cancellationToken).ConfigureAwait(false);
    return authenticationResult.AccessToken;
}
However, this code uses an AppRegistration (ClientId/ClientSecret), and minimizing the use of ClientSecrets is precisely what we aim for with the implementation of Managed Identities. Is there a piece of code or configuration where we can retrieve a token on behalf of the Managed Identity for the user, utilizing the delegated user_impersonation permission? The only thing I can find is setting Application permissions on the Managed Identity using a PowerShell script.
Question 1: Is it possible to assign delegated permissions to a Managed Identity?
Question 2: Am I making a conceptual mistake by attempting to retrieve a token from a backend API using delegated permissions?
Question 1: Is it possible to assign delegated permissions to a Managed Identity?
No.
Question 2: Am I making a conceptual mistake by attempting to retrieve a token from a backend API using delegated permissions?
Not necessarily; the on-behalf-of flow is meant for this scenario. Managed Identities do not support on-behalf-of. You can only request a token for a certain resource from the Managed Identity endpoint; it's not possible to specify the token you received.
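To make the distinction in the answer concrete, here is an added example (not the asker's code or part of the original thread) that requests an API-2 token from the Managed Identity endpoint and then inspects which permission claims a token carries. It assumes the Azure.Identity and System.IdentityModel.Tokens.Jwt packages, and the API-2 scope string is a placeholder.

```csharp
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using System.IdentityModel.Tokens.Jwt;

public static class ManagedIdentityTokens
{
    // Placeholder: API-2's Application ID URI as registered in Entra ID.
    private const string Api2Scope = "api://<API-2-app-id>/.default";

    // Request a token for API-2 from the Managed Identity endpoint.
    // There is no user-assertion parameter here: the endpoint only accepts a
    // resource/scope, so the token it returns is app-only (no user context).
    public static async Task<string> AcquireApiTwoTokenAsync(CancellationToken ct)
    {
        var credential = new ManagedIdentityCredential(); // system-assigned identity of API-1
        var context = new TokenRequestContext(new[] { Api2Scope });
        AccessToken token = await credential.GetTokenAsync(context, ct).ConfigureAwait(false);
        return token.Token;
    }

    // Classify a token by the claims the Microsoft identity platform issues:
    //   "scp"   -> delegated permissions (user present, e.g. user_impersonation)
    //   "roles" -> application permissions (no user; what a Managed Identity gets)
    // ReadJwtToken only parses; signature validation stays with API-2's auth middleware.
    public static string DescribeGrant(string jwt)
    {
        var token = new JwtSecurityTokenHandler().ReadJwtToken(jwt);
        var scp = token.Claims.FirstOrDefault(c => c.Type == "scp")?.Value;
        var roles = token.Claims.Where(c => c.Type == "roles").Select(c => c.Value).ToArray();
        if (scp != null) return $"delegated (scp={scp})";
        if (roles.Length > 0) return $"application (roles={string.Join(",", roles)})";
        return "no permission claims";
    }
}
```

Running DescribeGrant on a token from AcquireApiTwoTokenAsync will report application roles (or none), never a scp claim, which is why API-2 cannot treat such a call as made on behalf of a user.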