Description
Describe the bug
I am using the Azure KeyVault JCA SDK code to read certificates and keys (keystore). I could retrieve certificates and private keys using a service principal, i.e. client_id and client_secret. But the same functionality is not working intermittently when using managed identity.
After debugging the SDK code, I figured out that the following code uses object_id to fetch the access token.
My observations:
An access token request using client_id and one using object_id are not the same. If client_id is passed in the identity request, it returns an access token for the respective UAMI. But if object_id is passed in the request, it ignores object_id and generates an access token for one of the assigned managed identities. When more than one managed identity (UAMI) is assigned to the resource, it generates an access token using a random UAMI and does not use the object_id in the query param at all. It works fine if client_id is used.
Exception or Stack Trace
No errors are printed. The access token being generated is not the one that was requested.
To Reproduce
Steps to reproduce the behavior:
1. The resource should have more than one UAMI assigned.
2. Make an identity request to http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01 with object_id as a query param to get a token.
3. Read the JWT token using jwt.io; you will find a different UAMI name each time in the token details.
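The check described in these steps, written up as an added example (not code from the issue or from the Azure SDK): build the IMDS token request selecting a user-assigned identity by client_id or by object_id, then decode the returned JWT and compare its identity claims against what was requested, instead of trusting that IMDS honoured the selector. The claim names `appid`, `oid` and `xms_mirid`, the Key Vault resource audience, and the sample token built by `make_sample_token` are assumptions made for this example.

```python
"""Verify which managed identity an IMDS access token was actually issued for.

Added example, not part of the original issue. It implements the report's
reproduction step: request a token for a specific UAMI and inspect the JWT
payload to confirm the identity matches, so a mismatch is caught at the
caller instead of surfacing later as a Key Vault authorization failure.
"""
import base64
import json
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"
KEY_VAULT_RESOURCE = "https://vault.azure.net"  # assumed audience for this example


def build_token_request(resource, client_id=None, object_id=None):
    """Build the IMDS token URL, selecting a UAMI by client_id and/or object_id."""
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    if object_id:
        params["object_id"] = object_id
    return IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)


def fetch_token(url):
    """Call IMDS (only reachable from inside an Azure resource).

    IMDS rejects requests without the Metadata: true header.
    """
    req = urllib.request.Request(url, headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token):
    """Decode the JWT payload for inspection only; no signature check is done."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def identity_claims(token):
    """Claims that identify the managed identity behind a token (assumed names)."""
    claims = decode_jwt_payload(token)
    return {k: claims.get(k) for k in ("appid", "oid", "xms_mirid")}


def token_matches_identity(token, client_id=None, object_id=None):
    """True only if every identity selector that was requested is reflected in the token."""
    ids = identity_claims(token)
    matched = True
    if client_id:
        matched = matched and ids["appid"] == client_id
    if object_id:
        matched = matched and ids["oid"] == object_id
    return matched


def make_sample_token(claims):
    """Build a constructed, unsigned JWT so the check can be exercised offline."""
    header = {"alg": "none", "typ": "JWT"}
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample: a token that carries the first UAMI's ids while the
    # caller asked for the second UAMI by object_id, the situation the issue describes.
    requested_oid = "22222222-2222-2222-2222-222222222222"
    token = make_sample_token({
        "appid": "11111111-1111-1111-1111-111111111111",
        "oid": "33333333-3333-3333-3333-333333333333",
        "xms_mirid": "/subscriptions/<sub>/resourceGroups/<rg>/providers/"
                     "Microsoft.ManagedIdentity/userAssignedIdentities/uami-a",
    })
    print(build_token_request(KEY_VAULT_RESOURCE, object_id=requested_oid))
    print(identity_claims(token))
    print("token matches requested identity:",
          token_matches_identity(token, object_id=requested_oid))
```

On a real resource, replace the constructed token with `fetch_token(build_token_request(...))`; decoding the payload without verifying the signature is fine here because the token is only being inspected locally, not accepted as proof of identity.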
Expected Behavior
client_id should be used for managed identity instead of object_id