
Microsoft Authentication Library 4.54.0 Supports Managed Identities

Version 4.54.0 of Microsoft Authentication Library (MSAL) for .NET brings official support for using managed identities when authenticating services that run in Azure. Furthermore, it features better error information for UWP applications and several bug fixes.

The most important feature added in this version is the general availability of support for managed identities in Azure. Managed identities are Azure Active Directory identities that Azure provisions and rotates on behalf of a resource, so a workload running in Azure can obtain tokens without holding any application secret, certificate or key of its own in code or configuration.

Using managed identities instead of standalone application identities removes the need to store and rotate credentials, and can significantly lower the developer time needed to authenticate services in Azure when accessing other resources. As Jimmy Bogard, creator of the MediatR and AutoMapper libraries, mentioned in a tweet in July last year, having managed identity support in the same MSAL library fixes the problem of needing two libraries for the same task.

In the following code sample, developers specify that the application uses a system-assigned managed identity, the identity Azure creates for a resource once it is enabled on that resource, and then retrieve a token by calling the AcquireTokenForManagedIdentity method with the identifier of the target resource.

using Microsoft.Identity.Client;

// System-assigned identity: the one Azure attached to the resource this code runs on.
IManagedIdentityApplication mi = ManagedIdentityApplicationBuilder.Create(ManagedIdentityId.SystemAssigned)
    .Build();

// 'resource' identifies the target API, for example "https://management.azure.com".
AuthenticationResult result = await mi.AcquireTokenForManagedIdentity(resource)
    .ExecuteAsync()
    .ConfigureAwait(false);

Users can also create user-assigned managed identities as standalone resources in Azure and assign them to the services that should use them, which allows several resources to share one managed identity (and one set of role assignments).
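The following is an added example, not code from the InfoQ article or from the MSAL project. It builds a managed-identity client from configuration (system-assigned by default, user-assigned when a client ID is supplied), acquires a token for an Azure resource, and shows that a repeat request for the same resource is served from MSAL's token cache. It assumes the process runs on an Azure resource with the chosen identity attached; the environment variable name MI_CLIENT_ID is a hypothetical choice for this demo, and WithForceRefresh is used on the assumption that it is available on the managed-identity parameter builder as documented.

```csharp
// Added example; not code from the article or from MSAL itself.
// Assumption: runs on an Azure host with the selected managed identity attached.
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class ManagedIdentityExample
{
    // A process can only act as an identity Azure attached to its host, so the only
    // decision made here is which attached identity to use.
    public static IManagedIdentityApplication Build(string userAssignedClientId)
    {
        ManagedIdentityId id = string.IsNullOrWhiteSpace(userAssignedClientId)
            ? ManagedIdentityId.SystemAssigned
            : ManagedIdentityId.WithUserAssignedClientId(userAssignedClientId);

        return ManagedIdentityApplicationBuilder.Create(id).Build();
    }

    // Acquires a token for 'resource' three times and reports where each came from.
    // 'resource' is an API identifier such as "https://management.azure.com",
    // as in the article's sample; it is not a scope string.
    public static async Task<AuthenticationResult> AcquireWithCacheDemoAsync(
        IManagedIdentityApplication mi, string resource)
    {
        AuthenticationResult first = await mi.AcquireTokenForManagedIdentity(resource)
            .ExecuteAsync()
            .ConfigureAwait(false);
        Console.WriteLine(
            $"1st: source={first.AuthenticationResultMetadata.TokenSource}, expires={first.ExpiresOn:u}");

        // Same resource again: MSAL returns the cached token, no metadata-endpoint round trip.
        AuthenticationResult second = await mi.AcquireTokenForManagedIdentity(resource)
            .ExecuteAsync()
            .ConfigureAwait(false);
        Console.WriteLine(
            $"2nd: source={second.AuthenticationResultMetadata.TokenSource}");

        // Forced refresh bypasses the cache; reserve it for the case where the target API
        // has just rejected the cached token, otherwise you throttle yourself for nothing.
        AuthenticationResult forced = await mi.AcquireTokenForManagedIdentity(resource)
            .WithForceRefresh(true)
            .ExecuteAsync()
            .ConfigureAwait(false);
        Console.WriteLine(
            $"forced: source={forced.AuthenticationResultMetadata.TokenSource}");

        return second;
    }

    public static async Task<int> Main()
    {
        // Hypothetical variable name: unset => system-assigned identity.
        string clientId = Environment.GetEnvironmentVariable("MI_CLIENT_ID");
        IManagedIdentityApplication mi = Build(clientId);
        try
        {
            AuthenticationResult result =
                await AcquireWithCacheDemoAsync(mi, "https://management.azure.com");
            // Never log the token itself; hand it to the HTTP client as a bearer header.
            Console.WriteLine($"token acquired, length={result.AccessToken.Length}");
            return 0;
        }
        catch (MsalException ex)
        {
            // Off Azure, or identity not attached: the metadata endpoint is unreachable or
            // rejects the request. Fail closed instead of falling back to a stored secret.
            Console.Error.WriteLine(
                $"managed identity token acquisition failed: {ex.ErrorCode}: {ex.Message}");
            return 1;
        }
    }
}
```

Run it once with MI_CLIENT_ID unset on a VM or App Service that has a system-assigned identity, and once with the client ID of a user-assigned identity attached to the same host; the first and forced calls report the identity provider as the token source, the second call reports the cache.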

Support for managed identities in MSAL first shipped in December 2022 in version 4.49.0, as an experimental feature that was not supported for production use. Half a year later, version 4.54.0 makes it generally available and usable in production workloads.

Another feature added in this version is the automatic refresh of tokens for confidential clients that use the app token provider extension, WithAppTokenProvider, which lets the application supply tokens from its own source instead of a client secret or certificate. From the documentation comments, it appears this enhancement was needed so that the Azure SDK can wrap MSAL for managed identity authentication.
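The following added example, written for this article and not taken from MSAL or the Azure SDK, plugs a custom token source into a confidential client through WithAppTokenProvider and shows MSAL caching the returned token and invoking the provider again once the token is due for refresh. The token strings are constructed placeholders, the client and tenant IDs are placeholders, the expiry and refresh windows are deliberately short, and RefreshInSeconds is assumed to be the field on AppTokenProviderResult that carries the refresh hint.

```csharp
// Added example; not code from the article, MSAL or the Azure SDK.
// Assumptions: placeholder client/tenant IDs, constructed token strings, and
// RefreshInSeconds as the refresh hint consumed by MSAL's proactive refresh.
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Extensibility;

public static class AppTokenProviderExample
{
    private static int _providerCalls;

    // Stands in for an external token source (for example an SDK's own managed-identity
    // client). Output is constructed for the demo; a real provider returns a token it
    // obtained from the identity provider and never fabricates one.
    private static Task<AppTokenProviderResult> DemoProviderAsync(AppTokenProviderParameters p)
    {
        int n = Interlocked.Increment(ref _providerCalls);
        Console.WriteLine($"provider call #{n} for scopes: {string.Join(" ", p.Scopes)}");
        return Task.FromResult(new AppTokenProviderResult
        {
            AccessToken = $"constructed-token-{n}",
            ExpiresInSeconds = 10,  // hard expiry reported by the token source
            RefreshInSeconds = 3,   // after this, MSAL treats the cached token as refreshable
        });
    }

    public static int ProviderCalls => Volatile.Read(ref _providerCalls);

    public static IConfidentialClientApplication Build()
    {
        return ConfidentialClientApplicationBuilder
            .Create("00000000-0000-0000-0000-000000000000")                                  // placeholder client ID
            .WithAuthority(AzureCloudInstance.AzurePublic, "00000000-0000-0000-0000-000000000001") // placeholder tenant
            .WithAppTokenProvider(DemoProviderAsync)   // no client secret or certificate configured
            .Build();
    }

    public static async Task Main()
    {
        IConfidentialClientApplication app = Build();
        string[] scopes = { "https://management.azure.com/.default" };

        AuthenticationResult r1 = await app.AcquireTokenForClient(scopes).ExecuteAsync();
        AuthenticationResult r2 = await app.AcquireTokenForClient(scopes).ExecuteAsync();
        Console.WriteLine(
            $"r1 source={r1.AuthenticationResultMetadata.TokenSource}, " +
            $"r2 source={r2.AuthenticationResultMetadata.TokenSource}, provider calls={ProviderCalls}");

        // Past the refresh window but before expiry: MSAL may still hand back the cached
        // token while it calls the provider again to replace it, so the call count, not
        // the token source, is the signal that refresh happened.
        await Task.Delay(TimeSpan.FromSeconds(4));
        AuthenticationResult r3 = await app.AcquireTokenForClient(scopes).ExecuteAsync();
        Console.WriteLine(
            $"r3 source={r3.AuthenticationResultMetadata.TokenSource}, provider calls={ProviderCalls}");

        // Deterministic variant: force refresh bypasses the cache and always calls the provider.
        AuthenticationResult r4 = await app.AcquireTokenForClient(scopes)
            .WithForceRefresh(true)
            .ExecuteAsync();
        Console.WriteLine(
            $"r4 token={r4.AccessToken}, provider calls={ProviderCalls}");
    }
}
```

Because the provider here never touches the network, the sample runs anywhere; the point to check is that the provider is called once for r1, not at all for r2, and again after the refresh window or on a forced refresh. A provider that omits the refresh hint gets called only when the token actually expires.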

The MsalException class has a new property called AdditionalExceptionData, which holds any extra error information coming from the underlying providers. Currently, the property is only populated for exceptions raised by the Windows 10/11 Web Account Manager (WAM) broker. According to the release, the WAM broker is only used in Universal Windows Platform (UWP) applications; Windows applications built with MAUI do not go through the WAM broker, as that integration happens at the .NET 6 runtime level.

For telemetry purposes, there is a new enum value for long-running requests that use OBO (on-behalf-of) flows, so that authentication failures in those requests are attributed correctly.

Among the bug fixes in this release, two are iOS-specific. With ahead-of-time compilation (AOT), JSON deserialisation of objects with overflow properties would break; this regression was introduced in version 4.52.0 and is now fixed. The other iOS fix addresses an incorrect reference to the Microsoft.iOS library, caused by the use of several package repositories internally for MAUI applications.

Finally, a small bug in interactive token retrieval (the AcquireTokenInteractive method) was fixed. When the code called WithAccount to preselect a user in the UI, the request failed if the user then chose a different account in the Microsoft login dialogue's account chooser. The code now checks the account actually returned and succeeds even when another account is selected in the UI.

Two weeks after the release of version 4.54.0, the team released an updated build with a few bug fixes and a minor feature that exposes the cache details in the telemetry logged automatically by MSAL. This build has version number 4.54.1.

The MSAL GitHub project has 170 open issues and 2048 closed issues at the moment. The updated MSAL library is distributed as a NuGet package called Microsoft.Identity.Client.
