Remove federated token auth (#3819)

src/Maestro/Client/src/MaestroApiFactory.cs

@@ -13,42 +13,36 @@ public static class MaestroApiFactory
         /// </summary>
         /// <param name="baseUri">URI of the build asset registry service to use.</param>
         /// <param name="accessToken">Optional BAR token. When provided, will be used as the primary auth method.</param>
-        /// <param name="federatedToken">Optional federated credentials token.</param>
         /// <param name="managedIdentityId">Managed Identity to use for the auth</param>
         /// <param name="disableInteractiveAuth">Whether to include interactive login flows</param>
         public static IMaestroApi GetAuthenticated(
             string baseUri,
             string? accessToken,
-            string? federatedToken,
             string? managedIdentityId,
             bool disableInteractiveAuth)
         {
             return new MaestroApi(new MaestroApiOptions(
                 baseUri,
                 accessToken,
                 managedIdentityId,
-                federatedToken,
                 disableInteractiveAuth));
         }
 
         /// <summary>
         /// Obtains API client for authenticated access to Maestro.
         /// </summary>
         /// <param name="accessToken">Optional BAR token. When provided, will be used as the primary auth method.</param>
-        /// <param name="federatedToken">Optional federated token. When provided, will be used as the primary auth method.</param>
         /// <param name="managedIdentityId">Managed Identity to use for the auth</param>
         /// <param name="disableInteractiveAuth">Whether to include interactive login flows</param>
         public static IMaestroApi GetAuthenticated(
             string? accessToken,
-            string? federatedToken,
             string? managedIdentityId,
             bool disableInteractiveAuth)
         {
             return new MaestroApi(new MaestroApiOptions(
                 MaestroApiOptions.StagingBuildAssetRegistryBaseUri,
                 accessToken,
                 managedIdentityId,
-                federatedToken,
                 disableInteractiveAuth));
         }
 

src/Maestro/Client/src/MaestroApiOptions.cs

@@ -39,17 +39,15 @@ public partial class MaestroApiOptions
         /// <param name="baseUri">API base URI</param>
         /// <param name="accessToken">Optional BAR token. When provided, will be used as the primary auth method.</param>
         /// <param name="managedIdentityId">Managed Identity to use for the auth</param>
-        /// <param name="federatedToken">Optional federated token. When provided, will be used as the primary auth method.</param>
         /// <param name="disableInteractiveAuth">Whether to include interactive login flows</param>
-        public MaestroApiOptions(string baseUri, string accessToken, string managedIdentityId, string federatedToken, bool disableInteractiveAuth)
+        public MaestroApiOptions(string baseUri, string accessToken, string managedIdentityId, bool disableInteractiveAuth)
             : this(
                   new Uri(baseUri),
                   AppCredentialResolver.CreateCredential(
                       new AppCredentialResolverOptions(EntraAppIds[(baseUri ?? ProductionBuildAssetRegistryBaseUri).TrimEnd('/')])
                       {
                           DisableInteractiveAuth = disableInteractiveAuth,
                           Token = accessToken,
-                          FederatedToken = federatedToken,
                           ManagedIdentityId = managedIdentityId,
                           UserScope = APP_USER_SCOPE,
                       }))

src/Maestro/Maestro.Common/AppCredentials/AppCredential.cs

@@ -116,20 +116,6 @@ private static InteractiveBrowserCredential GetInteractiveCredential(
         return credential;
     }
 
-    /// <summary>
-    /// Use this for invocations from pipelines with a federated token
-    /// </summary>
-    public static AppCredential CreateFederatedCredential(string appId, string federatedToken)
-    {
-        var credential = new ClientAssertionCredential(
-            TENANT_ID,
-            appId,
-            token => Task.FromResult(federatedToken));
-
-        var requestContext = new TokenRequestContext([$"api://{appId}/.default"]);
-        return new AppCredential(credential, requestContext);
-    }
-
     /// <summary>
     /// Use this for invocations from services using an MI.
     /// ID can be "system" for system-assigned identity or GUID for a user assigned one.

src/Maestro/Maestro.Common/AppCredentials/AppCredentialResolver.cs

@@ -18,25 +18,19 @@ public static TokenCredential CreateCredential(AppCredentialResolverOptions opti
             return new ResolvedCredential(options.Token!);
         }
 
-        // 2. Federated token that can be used to fetch an app token (for CI scenarios)
-        if (!string.IsNullOrEmpty(options.FederatedToken))
-        {
-            return AppCredential.CreateFederatedCredential(options.AppId, options.FederatedToken!);
-        }
-
-        // 3. Managed identity (for server-to-server scenarios - e.g. PCS->Maestro)
+        // 2. Managed identity (for server-to-server scenarios - e.g. PCS->Maestro)
         if (!string.IsNullOrEmpty(options.ManagedIdentityId))
         {
             return AppCredential.CreateManagedIdentityCredential(options.AppId, options.ManagedIdentityId!);
         }
 
-        // 4. Azure CLI authentication setup by the caller (for CI scenarios)
+        // 3. Azure CLI authentication setup by the caller (for CI scenarios)
         if (options.DisableInteractiveAuth)
         {
             return AppCredential.CreateNonUserCredential(options.AppId);
         }
 
-        // 5. Interactive login (user-based scenario)
+        // 4. Interactive login (user-based scenario)
         return AppCredential.CreateUserCredential(options.AppId, options.UserScope);
     }
 }

src/Maestro/Maestro.Common/AppCredentials/CredentialResolverOptions.cs

@@ -15,11 +15,6 @@ public class CredentialResolverOptions
     /// </summary>
     public string? Token { get; set; }
 
-    /// <summary>
-    /// Federated token to use for fetching the token. If none supplied, will try other flows.
-    /// </summary>
-    public string? FederatedToken { get; set; }
-
     /// <summary>
     /// Managed Identity to use for the auth
     /// </summary>

src/Maestro/Maestro.Common/AzureDevOpsTokens/AzureDevOpsTokenProvider.cs

@@ -126,14 +126,7 @@ private static Dictionary<string, TokenCredential> GetCredentials(
                 continue;
             }
 
-            // 2. Federated token that can be used to fetch an app token (for CI scenarios)
-            if (!string.IsNullOrEmpty(option.FederatedToken))
-            {
-                credentials[account] = AppCredential.CreateFederatedCredential(option.AppId, option.FederatedToken!);
-                continue;
-            }
-
-            // 3. Managed identity (for server-to-AzDO scenarios)
+            // 2. Managed identity (for server-to-AzDO scenarios)
             if (!string.IsNullOrEmpty(option.ManagedIdentityId))
             {
                 credentials[account] = option.ManagedIdentityId == "system"
@@ -142,14 +135,14 @@ private static Dictionary<string, TokenCredential> GetCredentials(
                 continue;
             }
 
-            // 4. Azure CLI authentication setup by the caller (for CI scenarios)
+            // 3. Azure CLI authentication setup by the caller (for CI scenarios)
             if (option.DisableInteractiveAuth)
             {
                 credentials[account] = AppCredential.CreateNonUserCredential(option.AppId);
                 continue;
             }
 
-            // 5. Interactive login (user-based scenario)
+            // 4. Interactive login (user-based scenario)
             credentials[account] = new DefaultAzureCredential(includeInteractiveCredentials: true);
         }
 

src/Maestro/Maestro.Web/Startup.cs

@@ -263,7 +263,6 @@ public override void ConfigureServices(IServiceCollection services)
                 targetUri,
                 accessToken: token,
                 managedIdentityId: managedIdentityId,
-                federatedToken: null,
                 disableInteractiveAuth: !IsLocalKestrelDevMode));
         }
 

src/Maestro/Microsoft.DotNet.Maestro.Tasks/src/PushMetadataToBuildAssetRegistry.cs

@@ -145,7 +145,6 @@ public async Task<bool> PushMetadataAsync(CancellationToken cancellationToken)
                     IMaestroApi client = MaestroApiFactory.GetAuthenticated(
                         MaestroApiEndpoint,
                         BuildAssetRegistryToken,
-                        federatedToken: null,
                         managedIdentityId: null,
                         !AllowInteractive);
 

src/Microsoft.DotNet.Darc/Darc/Helpers/RemoteFactory.cs

@@ -28,7 +28,6 @@ public static IRemote GetRemote(ICommandLineOptions options, string repoUrl, ILo
     public static IBarApiClient GetBarClient(ICommandLineOptions options, ILogger logger)
         => new BarApiClient(
             options.BuildAssetRegistryToken,
-            options.FederatedToken,
             managedIdentityId: null,
             options.IsCi,
             options.BuildAssetRegistryBaseUri);

src/Microsoft.DotNet.Darc/Darc/Options/CommandLineOptions.cs

@@ -33,11 +33,6 @@ public abstract class CommandLineOptions : ICommandLineOptions
     [RedactFromLogging]
     public string BuildAssetRegistryToken { get; set; }
 
-    [Option('t', "federated-token",
-        HelpText = "Federated credentials token used to authenticate to BAR. If it or the generic token are omitted, auth falls back to Azure CLI or an interactive browser login flow.")]
-    [RedactFromLogging]
-    public string FederatedToken { get; set; }
-
     [Option("github-pat", HelpText = "Token used to authenticate GitHub.")]
     [RedactFromLogging]
     public string GitHubPat { get; set; }
@@ -158,7 +153,6 @@ public virtual IServiceCollection RegisterServices(IServiceCollection services)
             o["default"] = new AzureDevOpsCredentialResolverOptions
             {
                 Token = AzureDevOpsPat,
-                FederatedToken = FederatedToken,
                 DisableInteractiveAuth = IsCi,
             };
         });

src/Microsoft.DotNet.Darc/Darc/Options/ICommandLineOptions.cs

@@ -13,7 +13,6 @@ public interface ICommandLineOptions
 {
     string AzureDevOpsPat { get; set; }
     string BuildAssetRegistryBaseUri { get; set; }
-    string FederatedToken { get; set; }
     string BuildAssetRegistryToken { get; set; }
     string GitHubPat { get; set; }
     string GitLocation { get; set; }

src/Microsoft.DotNet.Darc/DarcLib/BarApiClient.cs

@@ -20,11 +20,11 @@ public class BarApiClient : IBarApiClient
 {
     private readonly IMaestroApi _barClient;
 
-    public BarApiClient(string? buildAssetRegistryPat, string? federatedToken, string? managedIdentityId, bool disableInteractiveAuth, string? buildAssetRegistryBaseUri = null)
+    public BarApiClient(string? buildAssetRegistryPat, string? managedIdentityId, bool disableInteractiveAuth, string? buildAssetRegistryBaseUri = null)
     {
         _barClient = !string.IsNullOrEmpty(buildAssetRegistryBaseUri)
-            ? MaestroApiFactory.GetAuthenticated(buildAssetRegistryBaseUri, buildAssetRegistryPat, federatedToken, managedIdentityId, disableInteractiveAuth)
-            : MaestroApiFactory.GetAuthenticated(buildAssetRegistryPat, managedIdentityId, federatedToken, disableInteractiveAuth);
+            ? MaestroApiFactory.GetAuthenticated(buildAssetRegistryBaseUri, buildAssetRegistryPat, managedIdentityId, disableInteractiveAuth)
+            : MaestroApiFactory.GetAuthenticated(buildAssetRegistryPat, managedIdentityId, disableInteractiveAuth);
     }
 
     #region Channel Operations

src/ProductConstructionService/ProductConstructionService.Api/Configuration/PcsConfiguration.cs

@@ -91,7 +91,6 @@ public static void ConfigurePcs(
                 uri,
                 accessToken: null,
                 managedIdentityId: managedIdentityId,
-                federatedToken: null,
                 disableInteractiveAuth: true);
         });
 

src/ProductConstructionService/ProductConstructionService.Client/ProductConstructionServiceApiOptions.cs

@@ -30,7 +30,6 @@ public ProductConstructionServiceApiOptions(string baseUri, string accessToken,
                       {
                           DisableInteractiveAuth = true, // the client is only used in Maestro for now
                           Token = accessToken,
-                          FederatedToken = null,
                           ManagedIdentityId = managedIdentityId,
                       }))
         {

test/Maestro.ScenarioTests/TestParameters.cs

@@ -66,7 +66,6 @@ public static async Task<TestParameters> GetAsync(bool useNonPrimaryEndpoint = f
             maestroBaseUri,
             maestroToken,
             managedIdentityId: null,
-            federatedToken: null,
             disableInteractiveAuth: isCI);
 
         string? darcRootDir = darcDir;

test/Microsoft.DotNet.Darc.VirtualMonoRepo.E2E.Tests/VmrTestsBase.cs

@@ -84,7 +84,6 @@ public void DeleteCurrentTestDirectory()
         .AddVmrManagers("git", VmrPath, TmpPath, null, null)
         .AddSingleton<IBasicBarClient>(new BarApiClient(
             buildAssetRegistryPat: null,
-            federatedToken: null,
             managedIdentityId: null,
             disableInteractiveAuth: true,
             buildAssetRegistryBaseUri: MaestroApiOptions.StagingBuildAssetRegistryBaseUri));