connector/microsoft: Add client assertion support for federated identity #4521

Open
dronenb wants to merge 2 commits into dexidp:master from dronenb:microsoft_client_assertion

Conversation

@dronenb

@dronenb dronenb commented Feb 11, 2026

Description

Adds support for client assertion-based authentication to the Microsoft connector, enabling secretless authentication with Azure AD/Entra ID using federated identity credentials (e.g., Kubernetes Workload Identity, GitHub Actions OIDC).

Changes

  • Added `clientAssertion` config field to Microsoft connector
  • Implemented custom `assertionTransport` RoundTripper to inject client assertions into token requests
  • When `clientAssertion` is configured, the connector:
    • Reads JWT assertion from the specified file path
    • Removes `client_secret` from token exchange requests
    • Adds `client_assertion` and `client_assertion_type` parameters per OAuth2 RFC 7521/7523
  • Works with both initial token exchange (HandleCallback) and token refresh (Refresh)
  • Leverages standard oauth2 library flow via context-based HTTP client injection

Testing

  • Added unit test `TestClientAssertionTokenExchange` that validates:
    • `client_assertion` is sent in token requests
    • `client_secret` is NOT sent when assertion is configured
    • Assertion content matches the file content
  • All existing tests continue to pass

Configuration Example

```yaml
connectors:
  - type: microsoft
    id: azure
    name: Azure AD
    config:
      clientID: <client-id>
      clientAssertion: /var/run/secrets/azure/tokens/azure-identity-token
      tenant: <tenant-id>
      redirectURI: <redirect-uri>
```

Use Cases

  • Kubernetes Workload Identity
  • GitHub Actions OIDC tokens
  • Any environment using Azure AD Federated Identity Credentials

Implementation Notes

  • Reads assertion file on each request to support token rotation
  • Only standard library imports added (`net/url`, `os`)
  • Follows OAuth2 client credentials assertion spec (RFC 7521)

Closes #3874
Fixes #3852
Fixes #3692

Signed-off-by: Ben Dronen <dronenb@users.noreply.github.com>
…ector

Signed-off-by: Ben Dronen <dronenb@users.noreply.github.com>
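The rewrite the PR describes (a RoundTripper that drops `client_secret` from the token request and adds `client_assertion` / `client_assertion_type` read from a file on every call) can be demonstrated end to end against a local stand-in for the token endpoint. The block below is an added example written for this page; it is not the PR's code or dex's connector, and the type name `assertionTransport`, the helper `injectAssertion`, the test harness `exchangeViaAssertion`, the file contents and the form values are all constructed for the example. It also strips a `Basic` Authorization header, which the PR description does not mention, so that a client configured to send its secret in the header rather than the body cannot leak it alongside the assertion.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// clientAssertionType is the assertion type registered by RFC 7523 for JWT client assertions.
const clientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

// assertionTransport (hypothetical name) wraps a base RoundTripper and rewrites
// form-encoded token requests to authenticate with a JWT client assertion instead
// of a client secret. The assertion file is re-read on every request so a rotated
// token (for example a projected Kubernetes service account token) is picked up
// without restarting the process.
type assertionTransport struct {
	base          http.RoundTripper
	assertionPath string
}

// RoundTrip rewrites the token request body and forwards it to the base transport.
func (t *assertionTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	ct := req.Header.Get("Content-Type")
	if req.Method != http.MethodPost || !strings.HasPrefix(ct, "application/x-www-form-urlencoded") || req.Body == nil {
		return t.base.RoundTrip(req) // not a token request: pass through untouched
	}
	raw, err := io.ReadAll(req.Body)
	req.Body.Close()
	if err != nil {
		return nil, err
	}
	form, err := url.ParseQuery(string(raw))
	if err != nil {
		return nil, fmt.Errorf("parse token request form: %w", err)
	}
	form, err = injectAssertion(form, t.assertionPath)
	if err != nil {
		return nil, err
	}
	encoded := form.Encode()
	// Clone rather than mutate: a RoundTripper must not modify the caller's request.
	clone := req.Clone(req.Context())
	clone.Body = io.NopCloser(strings.NewReader(encoded))
	clone.GetBody = func() (io.ReadCloser, error) { return io.NopCloser(strings.NewReader(encoded)), nil }
	clone.ContentLength = int64(len(encoded))
	// A client secret may also travel in HTTP Basic auth; drop it so only the assertion authenticates.
	if strings.HasPrefix(clone.Header.Get("Authorization"), "Basic ") {
		clone.Header.Del("Authorization")
	}
	return t.base.RoundTrip(clone)
}

// injectAssertion returns a copy of form with client_secret removed and the
// RFC 7521/7523 client_assertion parameters added from the file at path.
func injectAssertion(form url.Values, path string) (url.Values, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("read client assertion: %w", err)
	}
	assertion := strings.TrimSpace(string(raw))
	if assertion == "" {
		return nil, fmt.Errorf("client assertion file %q is empty", path)
	}
	out := url.Values{}
	for k, v := range form {
		if k != "client_secret" {
			out[k] = append([]string(nil), v...)
		}
	}
	out.Set("client_assertion", assertion)
	out.Set("client_assertion_type", clientAssertionType)
	return out, nil
}

// exchangeViaAssertion posts a constructed authorization-code token request through
// the transport to a local stand-in for the token endpoint and returns the form the
// endpoint actually received, so the rewrite can be inspected.
func exchangeViaAssertion(assertionPath string) (url.Values, error) {
	var seen url.Values
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := r.ParseForm(); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		seen = r.PostForm
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"access_token":"constructed","token_type":"Bearer"}`)
	}))
	defer srv.Close()

	client := &http.Client{Transport: &assertionTransport{base: http.DefaultTransport, assertionPath: assertionPath}}
	// Constructed request shaped like an oauth2 client's: the secret here must not reach the endpoint.
	body := url.Values{"grant_type": {"authorization_code"}, "code": {"constructed-code"},
		"client_id": {"constructed-client-id"}, "client_secret": {"must-not-be-sent"}}
	resp, err := client.PostForm(srv.URL+"/oauth2/v2.0/token", body)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return seen, nil
}

func main() {
	path := filepath.Join(os.TempDir(), "constructed-azure-identity-token")
	if err := os.WriteFile(path, []byte("eyJ.constructed.jwt\n"), 0o600); err != nil {
		panic(err)
	}
	seen, err := exchangeViaAssertion(path)
	if err != nil {
		panic(err)
	}
	fmt.Println("client_secret present:", seen.Has("client_secret"))
	fmt.Println("client_assertion:", seen.Get("client_assertion"))
}
```

Two points worth checking when reviewing a change like this: the transport refuses to send an empty assertion (an unmounted or not-yet-written token file should fail the exchange loudly rather than authenticate with an empty credential), and every other parameter of the original request (`grant_type`, `code`, `client_id`) passes through unchanged so both the callback exchange and the refresh grant keep working.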
@aditya1906

Hi,
Is there any ETA for when this feature would be available? I'm also in favour of not using a client secret. ArgoCD has an Azure integration, so you can use Federated Credentials out of the box.
However, Argo Workflows doesn't have that, so if Dex supports it, at least we can configure it to avoid using a client secret.
