Structure Setup
App service A, with app service plan A (Free Tier), with System Assigned Identity on
App service B, with app service plan B (Free Tier), with AAD authentication and authorization, with service principal B
That's it, no further setup, no app roles, no token audience.
Then I made a very simple console app using .NET 5.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using Microsoft.Azure.Services.AppAuthentication; // NuGet: Microsoft.Azure.Services.AppAuthentication

// Ask the managed identity endpoint for a token whose audience is SPN B's client id.
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var token = azureServiceTokenProvider.GetAccessTokenAsync("SPN B's client Id", "Tenant Id").GetAwaiter().GetResult();
Console.WriteLine(token);
// Present that token as a bearer token to the AAD-protected app service (B).
using (var hc = new HttpClient())
{
    hc.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
    var res = hc.GetAsync("App service B url").GetAwaiter().GetResult();
    var body = res.Content.ReadAsStringAsync().GetAwaiter().GetResult();
    Console.WriteLine(body);
}
Then I dropped this console app into App service A's Kudu console and ran it. Surprisingly, it was able to use the managed identity token to access app service B.
I am very confused; the managed identity should not have any access. The returned JWT token:
{
  "aud": "SPN B's client id",
  "iss": "issuer",
  "iat": 1614463676,
  "nbf": 1614463676,
  "exp": 1614550376,
  "aio": "E2ZgYHAIulMkupMv5ku6dYrERh0LAA==",
  "appid": "Managed identity client id",
  "appidacr": "2",
  "idp": "issuer",
  "oid": "Managed identity object id",
  "rh": "0.ASgA43WCTWxU70i_QFayzgGduttb1iTw-FBIn9cvBo6st-IoAAA.",
  "sub": "Managed identity object id",
  "tid": "tenant id",
  "uti": "--aa0ubSrEqW4yeOzeYBAA",
  "ver": "1.0"
}
Could someone please help me to understand this situation? Is it because of the free tier app service plan or other default setups?
Thank you a lot in advance!
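The token above carries a matching "aud" and "iss" but no "roles" claim, which is exactly what the default App Service authentication checks (audience and issuer) accept. The following is an added example, not code from the question or from Microsoft: a small .NET 5 console program that decodes a JWT payload and makes the authorization decision a defender would want on top of that default, rejecting tokens that lack a required app role or come from a caller "appid" that is not on an allowlist. The role name "Api.Caller", the allowlist entry, and the token values are placeholders constructed for the example; signature, issuer and expiry validation are assumed to have been done already by the platform or by JwtBearer middleware.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

// Added example (not from the original question): authorization check on caller claims.
static class CallerAuthorization
{
    // Hypothetical allowlist of caller client ids (the "appid" claim). Placeholder value.
    static readonly HashSet<string> AllowedAppIds = new() { "<client id of an allowed managed identity>" };

    // Decode the middle (payload) segment of a compact JWT. This does NOT verify the signature;
    // that is assumed to be handled by Easy Auth / JwtBearer before this code runs.
    static Dictionary<string, JsonElement> DecodePayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new ArgumentException("not a compact JWT");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        var json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        return JsonSerializer.Deserialize<Dictionary<string, JsonElement>>(json)!;
    }

    // Returns null when the caller is acceptable, otherwise the reason for rejection.
    public static string? Reject(string jwt, string expectedAudience, string requiredRole)
    {
        var claims = DecodePayload(jwt);
        if (!claims.TryGetValue("aud", out var aud) || aud.GetString() != expectedAudience)
            return "audience mismatch";
        // A token issued to a client with no app role assignment carries no "roles" claim at all,
        // so requiring a role is what turns "any identity in the tenant" into "assigned callers only".
        if (!claims.TryGetValue("roles", out var roles) ||
            !roles.EnumerateArray().Any(r => r.GetString() == requiredRole))
            return $"missing app role '{requiredRole}'";
        if (!claims.TryGetValue("appid", out var appid) || !AllowedAppIds.Contains(appid.GetString() ?? ""))
            return "caller appid not allowlisted";
        return null;
    }

    static string Base64Url(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed token modelled on the claims in the question (placeholder values, empty signature segment).
        string payload = "{\"aud\":\"spn-b-client-id\",\"iss\":\"issuer\",\"appid\":\"mi-client-id\",\"oid\":\"mi-object-id\",\"ver\":\"1.0\"}";
        string token = Base64Url("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "." + Base64Url(payload) + ".";
        Console.WriteLine(Reject(token, "spn-b-client-id", "Api.Caller") ?? "accepted");
    }
}
```

Run against a token shaped like the one in the question, the check rejects it for the missing app role even though the audience matches. The same outcome can be reached without custom code by defining an app role on SPN B, assigning it to the managed identity, and enabling "assignment required" on the enterprise application, so that Azure AD refuses to issue the token in the first place; the claim check above is the defence-in-depth layer inside the API.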