microsoft · tracyboehrer · Jun 4, 2025 · Jun 4, 2025 · Jun 4, 2025
@@ -9,16 +9,44 @@ public interface IMSALConnectionSettings : IConnectionSettings
     {
         public string ClientSecret { get; set; }
 
+        /// <summary>
+        /// Auth Type to use for the connection
+        /// </summary>
         AuthTypes AuthType { get; set; }
 
+        /// <summary>
+        /// Certificate thumbprint to use for the connection when using a certificate that is resident on the machine
+        /// </summary>
         string CertificateThumbPrint { get; set; }
 
+        /// <summary>
+        /// Subject name to search a cert for. 
+        /// </summary>
         string CertificateSubjectName { get; set; }
 
+        /// <summary>
+        /// Cert store name to use. 
+        /// </summary>
         string CertificateStoreName { get; set; }
 
+        /// <summary>
+        /// Only use valid certs.  Defaults to true.
+        /// </summary>
         public bool ValidCertificateOnly { get; set; }
 
+        /// <summary>
+        /// Use x5c for certs.  Defaults to false.
+        /// </summary>
         public bool SendX5C { get; set; }
+
+        /// <summary>
+        /// ClientId of the ManagedIdentity used with FederatedCredentials
+        /// </summary>
+        public string FederatedClientId { get; set; }
+
+        /// <summary>
+        /// Token path used for the workload identity, like the MSAL example for AKS, equal to AZURE_FEDERATED_TOKEN_FILE. 
+        /// </summary>
+        public string FederatedTokenFile { get; set; }
     }
 }
@@ -10,6 +10,7 @@ public enum AuthTypes
         ClientSecret,
         UserManagedIdentity,
         SystemManagedIdentity,
-        FederatedCredentials
+        FederatedCredentials,
+        WorkloadIdentity
     }
 }
@@ -4,6 +4,7 @@
 using Microsoft.Agents.Authentication.Msal.Interfaces;
 using Microsoft.Agents.Core;
 using Microsoft.Extensions.Configuration;
+using Microsoft.Identity.Client;
 using System;
 
 namespace Microsoft.Agents.Authentication.Msal.Model
@@ -29,51 +30,42 @@ public ConnectionSettings(IConfigurationSection msalConfigurationSection) : base
                 ClientSecret = msalConfigurationSection.GetValue<string>("ClientSecret", string.Empty);
                 AuthType = msalConfigurationSection.GetValue<AuthTypes>("AuthType", AuthTypes.ClientSecret);
                 FederatedClientId = msalConfigurationSection.GetValue<string>("FederatedClientId", string.Empty);
+                FederatedTokenFile = msalConfigurationSection.GetValue<string>("FederatedTokenFile", string.Empty);
+                AssertionRequestOptions = msalConfigurationSection.GetSection("AssertionRequestOptions").Get<AssertionRequestOptions>();
             }
 
             ValidateConfiguration();
         }
 
-        /// <summary>
-        /// Auth Type to use for the connection
-        /// </summary>
+        /// <inheritdoc/>
         public AuthTypes AuthType { get; set; } = AuthTypes.ClientSecret;
 
-        /// <summary>
-        /// Certificate thumbprint to use for the connection when using a certificate that is resident on the machine
-        /// </summary>
+        /// <inheritdoc/>
         public string CertificateThumbPrint { get; set; }
 
-        /// <summary>
-        /// Client Secret to use for the connection when using a client secret
-        /// </summary>
+        /// <inheritdoc/>
         public string ClientSecret { get; set; }
 
-        /// <summary>
-        /// Subject name to search a cert for. 
-        /// </summary>
+        /// <inheritdoc/>
         public string CertificateSubjectName { get; set; }
 
-        /// <summary>
-        /// Cert store name to use. 
-        /// </summary>
+        /// <inheritdoc/>
         public string CertificateStoreName { get; set; }
 
-        /// <summary>
-        /// Only use valid certs.  Defaults to true.
-        /// </summary>
+        /// <inheritdoc/>
         public bool ValidCertificateOnly { get; set; } = true;
 
-        /// <summary>
-        /// Use x5c for certs.  Defaults to false.
-        /// </summary>
+        /// <inheritdoc/>
         public bool SendX5C { get; set; } = false;
 
-        /// <summary>
-        /// ClientId of the ManagedIdentity used with FederatedCredentials
-        /// </summary>
+        /// <inheritdoc/>
         public string FederatedClientId { get; set; }
 
+        /// <inheritdoc/>
+        public string FederatedTokenFile { get; set; }
+
+        public AssertionRequestOptions AssertionRequestOptions { get; set; }
+
         /// <summary>
         /// Validates required properties are present in the configuration for the requested authentication type. 
         /// </summary>
@@ -147,6 +139,20 @@ public void ValidateConfiguration()
                         throw new ArgumentNullException(nameof(Authority), "TenantId or Authority is required");
                     }
                     break;
+                case AuthTypes.WorkloadIdentity:
+                    if (string.IsNullOrEmpty(ClientId))
+                    {
+                        throw new ArgumentNullException(nameof(ClientId), "ClientId is required");
+                    }
+                    if (string.IsNullOrEmpty(Authority) && string.IsNullOrEmpty(TenantId))
+                    {
+                        throw new ArgumentNullException(nameof(Authority), "TenantId or Authority is required");
+                    }
+                    if (AuthType == AuthTypes.WorkloadIdentity && string.IsNullOrEmpty(FederatedTokenFile))
+                    {
+                        throw new ArgumentNullException(nameof(FederatedTokenFile), "FederatedTokenFile is required");
+                    }
+                    break;
                 default:
                     break;
             }

@@ -37,6 +37,7 @@ public class MsalAuth : IAccessTokenProvider, IOBOExchange, IMSALProvider
         private readonly ConnectionSettings _connectionSettings;
         private readonly ILogger _logger;
         private readonly ICertificateProvider _certificateProvider;
+        private ClientAssertionProviderBase _clientAssertion;
 
         /// <summary>
         /// Creates a MSAL Authentication Instance. 
@@ -229,12 +230,17 @@ private object InnerCreateClientApplication()
                 }
                 else if (_connectionSettings.AuthType == AuthTypes.FederatedCredentials)
                 {
-                    async Task<String> FetchExternalTokenAsync()
-                    {
-                        var managedIdentityClientAssertion = new ManagedIdentityClientAssertion(_connectionSettings.FederatedClientId);
-                        return await managedIdentityClientAssertion.GetSignedAssertionAsync(default).ConfigureAwait(false);
-                    }
-                    cAppBuilder.WithClientAssertion((AssertionRequestOptions options) => FetchExternalTokenAsync());
+                    // Reuse this instance so that the assertion is cached and only refreshed once it expires.
+                    _clientAssertion = new ManagedIdentityClientAssertion(_connectionSettings.FederatedClientId, null, _logger);
+
+                    cAppBuilder.WithClientAssertion(async (AssertionRequestOptions options) => await _clientAssertion.GetSignedAssertionAsync(_connectionSettings.AssertionRequestOptions));
+                }
+                else if (_connectionSettings.AuthType == AuthTypes.WorkloadIdentity)
+                {
+                    // Reuse this instance so that the assertion is cached and only refreshed once it expires.
+                    _clientAssertion = new AzureIdentityForKubernetesClientAssertion(_connectionSettings.FederatedTokenFile, _logger);
+
+                    cAppBuilder.WithClientAssertion(async (AssertionRequestOptions options) => await _clientAssertion.GetSignedAssertionAsync(_connectionSettings.AssertionRequestOptions));
                 }
                 else
                 {

@@ -5,6 +5,7 @@
 using Microsoft.Extensions.Configuration;
 using System;
 using System.Collections.Generic;
+using System.Linq;
 using Xunit;
 
 namespace Microsoft.Agents.Authentication.Msal.Tests.Model
@@ -170,5 +171,127 @@ public void ValidateConfiguration_ShouldThrowOnNullClientIdForUserManagedIdentit
 
             Assert.Throws<ArgumentNullException>(() => new ConnectionSettings(configuration.GetSection(SettingsSection)));
         }
+
+        [Fact]
+        public void ValidateConfiguration_FederatedCredentials()
+        {
+            // Start with good
+            var configSettings = new Dictionary<string, string> {
+                { "Connections:Settings:AuthType", "FederatedCredentials" },
+                { "Connections:Settings:ClientId", "test-client-id" },
+                { "Connections:Settings:AuthorityEndpoint", "https://botframework/test.com" },
+                { "Connections:Settings:TenantId", "test-tenant-id" },
+                { "Connections:Settings:FederatedClientId", "test-federated-client-id" }
+            };
+
+            IConfiguration configuration = new ConfigurationBuilder()
+                .AddInMemoryCollection(configSettings)
+                .Build();
+
+            var settings = new ConnectionSettings(configuration.GetSection(SettingsSection));
+
+            Assert.Equal(AuthTypes.FederatedCredentials, settings.AuthType);
+            Assert.Equal("test-client-id", settings.ClientId);
+            Assert.Equal("test-tenant-id", settings.TenantId);
+            Assert.Equal("https://botframework/test.com", settings.Authority);
+            Assert.Equal("test-federated-client-id", settings.FederatedClientId);
+        }
+
+        [Fact]
+        public void ValidateConfiguration_ShouldThrowOnNullFederatedClientId()
+        {
+            // Start with good
+            var configSettings = new Dictionary<string, string> {
+                { "Connections:Settings:AuthType", "FederatedCredentials" },
+                { "Connections:Settings:ClientId", "test-client-id" },
+                { "Connections:Settings:AuthorityEndpoint", "https://botframework/test.com" },
+                { "Connections:Settings:TenantId", "test-tenant-id" },
+            };
+
+            IConfiguration configuration = new ConfigurationBuilder()
+                .AddInMemoryCollection(configSettings)
+                .Build();
+
+            Assert.Throws<ArgumentNullException>(() => new ConnectionSettings(configuration.GetSection(SettingsSection)));
+        }
+
+        [Fact]
+        public void ValidateConfiguration_WorkloadIdentity()
+        {
+            // Start with good
+            var configSettings = new Dictionary<string, string> {
+                { "Connections:Settings:AuthType", "WorkloadIdentity" },
+                { "Connections:Settings:ClientId", "test-client-id" },
+                { "Connections:Settings:AuthorityEndpoint", "https://botframework/test.com" },
+                { "Connections:Settings:TenantId", "test-tenant-id" },
+                { "Connections:Settings:FederatedTokenFile", "test-token-file" }
+            };
+
+            IConfiguration configuration = new ConfigurationBuilder()
+                .AddInMemoryCollection(configSettings)
+                .Build();
+
+            var settings = new ConnectionSettings(configuration.GetSection(SettingsSection));
+
+            Assert.Equal(AuthTypes.WorkloadIdentity, settings.AuthType);
+            Assert.Equal("test-client-id", settings.ClientId);
+            Assert.Equal("test-tenant-id", settings.TenantId);
+            Assert.Equal("https://botframework/test.com", settings.Authority);
+            Assert.Equal("test-token-file", settings.FederatedTokenFile);
+            Assert.Null(settings.AssertionRequestOptions);
+        }
+
+        [Fact]
+        public void ValidateConfiguration_ShouldThrowOnNullFederatedTokenFile()
+        {
+            // Start with good
+            var configSettings = new Dictionary<string, string> {
+                { "Connections:Settings:AuthType", "WorkloadIdentity" },
+                { "Connections:Settings:ClientId", "test-client-id" },
+                { "Connections:Settings:AuthorityEndpoint", "https://botframework/test.com" },
+                { "Connections:Settings:TenantId", "test-tenant-id" },
+            };
+
+            IConfiguration configuration = new ConfigurationBuilder()
+                .AddInMemoryCollection(configSettings)
+                .Build();
+
+            Assert.Throws<ArgumentNullException>(() => new ConnectionSettings(configuration.GetSection(SettingsSection)));
+        }
+
+        [Fact]
+        public void ValidateConfiguration_AssertionRequestOptions()
+        {
+            // Start with good
+            var configSettings = new Dictionary<string, string> {
+                { "Connections:Settings:AuthType", "WorkloadIdentity" },
+                { "Connections:Settings:ClientId", "test-client-id" },
+                { "Connections:Settings:AuthorityEndpoint", "https://botframework/test.com" },
+                { "Connections:Settings:TenantId", "test-tenant-id" },
+                { "Connections:Settings:FederatedTokenFile", "test-token-file" },
+                { "Connections:Settings:AssertionRequestOptions:ClientId", "option-client-id" },
+                { "Connections:Settings:AssertionRequestOptions:TokenEndpoint", "option-token-endpoint" },
+                { "Connections:Settings:AssertionRequestOptions:Claims", "option-claims" },
+                { "Connections:Settings:AssertionRequestOptions:ClientCapabilities:0", "option-cap1" },
+                { "Connections:Settings:AssertionRequestOptions:ClientCapabilities:1", "option-cap2" },
+            };
+
+            IConfiguration configuration = new ConfigurationBuilder()
+                .AddInMemoryCollection(configSettings)
+                .Build();
+
+            var settings = new ConnectionSettings(configuration.GetSection(SettingsSection));
+
+            Assert.Equal(AuthTypes.WorkloadIdentity, settings.AuthType);
+            Assert.Equal("test-client-id", settings.ClientId);
+            Assert.Equal("test-tenant-id", settings.TenantId);
+            Assert.Equal("https://botframework/test.com", settings.Authority);
+            Assert.Equal("test-token-file", settings.FederatedTokenFile);
+            Assert.NotNull(settings.AssertionRequestOptions);
+            Assert.Equal("option-client-id", settings.AssertionRequestOptions.ClientID);
+            Assert.Equal("option-token-endpoint", settings.AssertionRequestOptions.TokenEndpoint);
+            Assert.Equal("option-claims", settings.AssertionRequestOptions.Claims);
+            Assert.Equal(2, settings.AssertionRequestOptions.ClientCapabilities.Count());
+        }
     }
 }