Az cli v 2.74 support

Author: gaurav137

Program.cs

@@ -47,6 +47,21 @@
     return Results.Ok(result);
 });
 
+// az cli v2.74+: Can be consumed by "az login --identity" by specifying AZURE_POD_IDENTITY_AUTHORITY_HOST environment variable to this action URL
+// https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/d49296c1b2a929a6ab11380e237daa89a5298512/msal/managed_identity.py#L473
+app.MapGet("/metadata/identity/oauth2/token", async (HttpContext context, string resource, CancellationToken cancellationToken) =>
+{
+    var token = await tokenCredential.GetTokenAsync(new TokenRequestContext([resource]), cancellationToken);
+    var result = new JsonObject()
+    {
+        ["access_token"] = token.Token,
+        ["expires_in"] = (token.ExpiresOn - DateTimeOffset.UtcNow).TotalSeconds,
+        ["token_type"] = "Bearer",
+        ["resource"] = resource,
+    };
+    return Results.Ok(result);
+});
+
 app.Run();
 
 [JsonSourceGenerationOptions]

README.md

@@ -70,7 +70,9 @@ Then, we must add two environment variables to each service:
 With these two environment variables, any service that uses `DefaultAzureCredential` or `ManagedIdentityCredential` will now call the proxy when Azure credentials are needed. This is because one of `ManagedIdentityCredential`'s [source implementations](https://github.com/Azure/azure-sdk-for-net/blob/Azure.Identity_1.6.0/sdk/identity/Azure.Identity/src/AzureArcManagedIdentitySource.cs) explicitly looks for both of these environment variables if they are specified.
 
 > [!NOTE]
-> If you are using using `az cli` in your service and your service wants to do `az login --identity` then specify `MSI_ENDPOINT`: the URL of the proxy endpoint (e.g., `http://azclicredsproxy:8080/token`) environment variable instead. `IDENTITY_ENDPOINT` and `IMDS_ENDPOINT` are not required for `az login --identity`.
+> If you are using `az cli` in your service and your service wants to do `az login --identity` then specify `MSI_ENDPOINT`: the URL of the proxy endpoint (e.g., `http://azclicredsproxy:8080/token`) environment variable instead. `IDENTITY_ENDPOINT` and `IMDS_ENDPOINT` are not required for `az login --identity`.
+> For `az cli` v2.74 and above: 
+> Specify `AZURE_POD_IDENTITY_AUTHORITY_HOST`: the URL of the proxy endpoint (e.g., `http://azclicredsproxy:8080` with no trailing path like `/token`) environment variable instead.
 
 With this proxy, Dockerfiles can remain untouched and production-ready. The proxy can easily be added to an existing `docker-compose.yml`, and the environment variables are also easy to add. Now, the containerized environment looks like this: