We have an app registration which is connected to an external API. We have to use this API in our Azure Data Factory. For this purpose, until now we were generating client secrets and generating tokens (in Azure Data Factory) from this URL - login.microsoftonline.com/{tenant}/oauth2/v2.0/token. Now, to eliminate the use of secrets, we have created a managed identity and linked it to our app registration using federated credentials. Now we have to generate tokens using this user-assigned managed identity. However, in the Data Factory, when we are trying to generate the tokens using the method "POST", the body requires us to add grant_type even when using the user-assigned managed identity for authentication. This requires us to add a client_assertion in the body as well, but we are not sure how to proceed with that.
We cannot generate certificates for the managed identity as we have to remove the dependency on keys, secrets and certificates. We were able to write an Azure Function that generates the token with the following code -
```javascript
// Only ManagedIdentityCredential is used; the unused 'jsonwebtoken' and
// DefaultAzureCredential imports from the original have been dropped.
const { ManagedIdentityCredential } = require('@azure/identity');

module.exports = async function (context, req) {
    context.log('JavaScript HTTP trigger function processed a request.');

    // clientId: client ID of the user-assigned managed identity
    // resource: scope the token is requested for (e.g. "<resource>/.default")
    const clientId = req.query.clientId;
    const resource = req.query.resource;
    if (!clientId || !resource) {
        context.res = {
            status: 400,
            body: "Please pass clientId and resource on the query string"
        };
        return;
    }

    try {
        // Acquire a token from the managed identity endpoint for the given scope
        const credential = new ManagedIdentityCredential(clientId);
        const tokenResponse = await credential.getToken(resource);
        context.res = {
            status: 200,
            body: tokenResponse.token
        };
    } catch (error) {
        context.res = {
            status: 500,
            body: `Error acquiring token: ${error.message}`
        };
    }
};
```
And used the token generated in the following POST call -
```
@concat('grant_type=client_credentials&scope=<Survey-Scope-Here>/.default&client_id=', activity('Get Client ID').output['value'], '&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<Token-here>')
```
But on passing this code into the body of the POST request as the assertion, an error is generated -
```
"error":"invalid_client","error_description":"AADSTS700211: No matching federated identity record found for presented assertion issuer 'https://sts.windows.net/<ID-HERE>/'. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion.
```
We cannot generate private keys for signing of a JWT token. How can I resolve this error?
Thank you!
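Added example, not part of the question or of Azure's SDK: AADSTS700211 says the federated identity credential's Issuer, Subject and Audience did not match the presented assertion, so this helper decodes those three claims from the token used as client_assertion and compares them with the federated credential's configured values (the sample token and the federated credential settings are constructed placeholders). It also builds the client_credentials body with URLSearchParams instead of hand-encoding it in @concat.

```javascript
// Decode a JWT payload without verifying the signature. This is a local
// inspection aid only; Entra ID still validates the token on its side.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Compare the assertion's iss/sub/aud with the federated identity credential.
// These are exactly the three fields AADSTS700211 asks you to check.
function checkAssertionAgainstFic(token, fic) {
  const claims = decodeJwtPayload(token);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  const mismatches = [];
  if (claims.iss !== fic.issuer) mismatches.push(`issuer: token=${claims.iss} fic=${fic.issuer}`);
  if (claims.sub !== fic.subject) mismatches.push(`subject: token=${claims.sub} fic=${fic.subject}`);
  if (!aud.some((a) => fic.audiences.includes(a))) {
    mismatches.push(`audience: token=${aud.join(',')} fic=${fic.audiences.join(',')}`);
  }
  return mismatches; // empty array means all three match
}

// Build the token request body; URLSearchParams does the percent-encoding.
function buildTokenRequestBody(clientId, scope, assertion) {
  return new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    scope: scope,
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: assertion,
  }).toString();
}

// Constructed, unsigned sample token with placeholder claims (not a real token).
function sampleToken() {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const header = b64({ alg: 'none', typ: 'JWT' });
  const payload = b64({
    iss: 'https://sts.windows.net/<TENANT-ID>/',
    sub: '<MANAGED-IDENTITY-OBJECT-ID>',
    aud: '<API-SCOPE>',
  });
  return `${header}.${payload}.`;
}

// Hypothetical federated credential settings to compare against.
const sampleFic = {
  issuer: 'https://login.microsoftonline.com/<TENANT-ID>/v2.0',
  subject: '<MANAGED-IDENTITY-OBJECT-ID>',
  audiences: ['api://AzureADTokenExchange'],
};
```

Running `checkAssertionAgainstFic(sampleToken(), sampleFic)` on the constructed values reports which of the three fields differ, which is the comparison the error message asks for.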