A user impersonating as an Azure app registration without client secret
I have a C# application that needs to impersonate as an Azure app registration to access some resources.
I have set up federated credential to allow a managed identity to impersonate as the app. Therefore, I can use the code like below on a VM to impersonate as an app registration using managed identity credential:
var clientAssertionCredential = new ClientAssertionCredential(
tenantId, clientId, new ManagedIdentityClientAssertion(miClientId).GetSignedAssertion);
However, during development, I want to run the code locally.
Although I can create a client secret, store it in a KeyVault, and use it to authenticate as the app, I don't want to use this approach for security concerns.
Is it possible to impersonate as the app using a credential for a user account such as AzureCliCredential or VisualStudioCredential?
Although I can create a client secret, store it in KeyVault, and use it to authenticate as the app, I don't want to use this approach for security concerns. Is it possible to impersonate as the app using a credential for a user account, such as
AzureCliCredentialorVisualStudioCredential?
Based on scenario, You can use the ROPC flow to authenticate with a user account and with an app to call an API.
Note:
- Microsoft does not recommend this ROPC flow for such scenarios and security.
- Accounts with MFA enabled and personal Microsoft accounts are not supported in this method.
- You have to use other interactive flows, like the Authorization Code Flow, which directs the user to the browser for login.
Request:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id: ClientID
scope: https://graph.microsoft.com/.default offline_access openid
username: User@XXX.onmicrosoft.com
password: UserPassword
grant_type: password
client_secret: Clientsecret
From the above, you will get the token, and using the token, you can call the Microsoft Graph API.
Request:
GET https://graph.microsoft.com/v1.0/me
Authorization:
Bearer <token>
To avoid passing the client_secret, enable public client flows as shown below.
Portal:
Reference:
- How memory address for pointer to arrays is same as an element in 2D array?
- How to use ellipsis in c's case statement?
- Fast & accurate atan/arctan approximation algorithm
- How can I exclude non-numeric keys? CS50 Caesar Pset2
- Fast ceiling of an integer division in C / C++
- Is there an invalid pthread_t id?
- How does SIMD (avx) processing work? for example, if I want 10 32 bit floats how do i fit in a 256 bit avx vector?
- FDCAN problems on STM32G4
- How does the call macro enable mutual recursion between functions f and g in this Hanoi Tower implementation?
- Running test on Rocket core CPU - global variable initialized to 0 is unsuccessful, output wrong value instead
- Interacting with C arrays without knowing the size
- Combination of two strings
- Avoiding strcpy overflow destination warning
- carriage return by fgets
- How to use special characters in C?
- Why does 1.0/100.0 == 0.1/10.0 give True?
- Is it correct to compare pointers in C?
- Force free() to return malloc memory back to OS
- How can I print to standard error in C with 'printf'?
- What is the standard behavior of fread in C on Windows?
- How is strtok removing lines it shouldn't have access to?
- Using array as smart point in C
- Assigning string to malloced 2d char array not working as intended
- How to refactor repetition inside a Makefile?
- Why does an empty preprocessor command still evaluate to something?
- How to implement variable sized array within C struct
- Character array typecasting to integer
- Handling HTTP Headers in a Minimal C HTTP Server
- How to get the sign, mantissa and exponent of a floating point number
- Why do MCU libraries use logic operations instead of bitfield structs?