From de71d75180fca278e0c316aa0b053fa03947213f Mon Sep 17 00:00:00 2001 From: Prasad Nikumbh Date: Tue, 27 May 2025 14:49:22 +0530 Subject: [PATCH 1/3] Security Code Bug: DefaultAzureCredential use in Production --- .../Authentication/AadAuthenticator.cs | 9 ++-- ...fiedPlatform.Service.Authentication.csproj | 4 +- .../Secrets/KeyVaultProvider.cs | 21 ++++++-- ...oft.UnifiedPlatform.Service.Secrets.csproj | 2 +- .../Library/AzureRegion/AzureRegionUtility.cs | 21 +++++--- .../AzureRegion/Microsoft.AzureRegion.csproj | 5 +- .../Helpers/DefaultAzureCredentialProvider.cs | 10 ++-- .../IDefaultAzureCredentialProvider.cs | 5 +- .../UserAssignedIdentityCredentialProvider.cs | 16 ++++++ ...soft.UnifiedPlatform.Service.Common.csproj | 2 +- .../Web/API/Startup.cs | 6 ++- .../Web/API/appsettings.json | 3 +- .../Dependencies/CommonDependencyModule.cs | 50 +++++++++++++++---- 13 files changed, 117 insertions(+), 37 deletions(-) create mode 100644 src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Helpers/UserAssignedIdentityCredentialProvider.cs diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Authentication/AadAuthenticator.cs b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Authentication/AadAuthenticator.cs index 26a7414..70eab4a 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Authentication/AadAuthenticator.cs +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Authentication/AadAuthenticator.cs 
@@ -19,11 +19,13 @@ public class AadAuthenticator : IAuthenticator private readonly string _clientId; private readonly ConcurrentDictionary confidentialApps = new ConcurrentDictionary(); private readonly string _certificateThumprint; - public AadAuthenticator(string authority, string clientId, string certificateThumbprint) + private readonly string _userAssignedClientId; + public AadAuthenticator(string authority, string clientId, string certificateThumbprint,string userAssignedClientId) { _authority = authority; _clientId = clientId; _certificateThumprint = certificateThumbprint; + _userAssignedClientId= userAssignedClientId; } public async Task GenerateToken(string resourceId, Dictionary additionalClaims) @@ -51,11 +53,12 @@ private IConfidentialClientApplication GetOrCreateConfidentialApp(string authori confidentialApps.TryAdd(confidentialAppCacheKey, confidentialClientApplication); return confidentialClientApplication; #else - + var managedIdentityId = ManagedIdentityId.FromUserAssignedClientId(_userAssignedClientId); + var credential = new ManagedIdentityCredential(managedIdentityId); IConfidentialClientApplication clientApplicationWithMI = ConfidentialClientApplicationBuilder.Create(clientId).WithAuthority(new Uri(authority)) .WithClientAssertion((AssertionRequestOptions options) => { - var accessToken = new DefaultAzureCredential().GetToken(new TokenRequestContext(new string[] { $"api://AzureADTokenExchange/.default" }), CancellationToken.None); + var accessToken = credential.GetToken(new TokenRequestContext(new string[] { $"api://AzureADTokenExchange/.default" }), CancellationToken.None); return Task.FromResult(accessToken.Token); }).Build(); confidentialApps.TryAdd(confidentialAppCacheKey, clientApplicationWithMI); 
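Review bot: In the `#else` branch the assertion callback still calls `credential.GetToken(...)` synchronously and discards `options.CancellationToken`, so every client-assertion request blocks a thread-pool thread inside MSAL's async flow and cannot be cancelled. `WithClientAssertion` accepts an async delegate, so the callback can become `.WithClientAssertion(async (AssertionRequestOptions options) => (await credential.GetTokenAsync(new TokenRequestContext(new[] { "api://AzureADTokenExchange/.default" }), options.CancellationToken)).Token)`. `_userAssignedClientId` is also never validated, so an empty or absent configuration value only surfaces as a token-acquisition failure on the first call; a guard next to `var managedIdentityId = ...` such as `if (string.IsNullOrWhiteSpace(_userAssignedClientId)) throw new InvalidOperationException("Authentication:UserAssignedClientId is not configured.");` fails with a clear message instead. GetOrCreateConfidentialApp starts above this hunk.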
diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Authentication/Microsoft.UnifiedPlatform.Service.Authentication.csproj b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Authentication/Microsoft.UnifiedPlatform.Service.Authentication.csproj index 181775e..61ffe07 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Authentication/Microsoft.UnifiedPlatform.Service.Authentication.csproj +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Authentication/Microsoft.UnifiedPlatform.Service.Authentication.csproj @@ -6,8 +6,8 @@ - - + + diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Secrets/KeyVaultProvider.cs b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Secrets/KeyVaultProvider.cs index d6777f5..562a622 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Secrets/KeyVaultProvider.cs +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Secrets/KeyVaultProvider.cs @@ -1,4 +1,5 @@ using Azure; +using Azure.Core; using Azure.Identity; using Azure.Security.KeyVault.Secrets; using Microsoft.UnifiedPlatform.Service.Common.AppExceptions; @@ -8,11 +9,12 @@ using System; using System.Net; using System.Threading.Tasks; +using ManagedIdentityId = Azure.Identity.ManagedIdentityId; /// /// Provides application secrets from Azure Key Vault /// -public class KeyVaultProvider: ISecretsProvider +public class KeyVaultProvider : ISecretsProvider { public const string KEY_VAULT_URI_FORMAT = "https://{0}.vault.azure.net"; 
@@ -24,11 +26,24 @@ public class KeyVaultProvider: ISecretsProvider /// /// Configuration for connecting to Azure Key Vault /// Service for caching data - public KeyVaultProvider(string keyVaultName, ICacheService cacheService) + public KeyVaultProvider(string keyVaultName, string userAssignedClientId, string environment, ICacheService cacheService) { var keyVaultUri = string.Format(KEY_VAULT_URI_FORMAT, keyVaultName); _cacheService = cacheService; - var credential = new DefaultAzureCredential(); + + TokenCredential credential; + if (environment == "Production"|| environment=="Staging") + { + var managedIdentityId = ManagedIdentityId.FromUserAssignedClientId(userAssignedClientId); + credential = new ManagedIdentityCredential(managedIdentityId); + } + else + { + credential = new ChainedTokenCredential( + new VisualStudioCredential(), + new AzureCliCredential(), + new AzurePowerShellCredential()); + } var secretClient = new SecretClient(new Uri(keyVaultUri), credential); _keyVaultClientWrapper = new KeyVaultClientWrapper(keyVaultUri, secretClient); diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Secrets/Microsoft.UnifiedPlatform.Service.Secrets.csproj b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Secrets/Microsoft.UnifiedPlatform.Service.Secrets.csproj index 7d81dc7..54af514 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Secrets/Microsoft.UnifiedPlatform.Service.Secrets.csproj +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Secrets/Microsoft.UnifiedPlatform.Service.Secrets.csproj @@ -5,7 +5,7 @@ - + diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Library/AzureRegion/AzureRegionUtility.cs b/src/service/Microsoft.UnifiedRedisPlatform.Service/Library/AzureRegion/AzureRegionUtility.cs index fbc21ea..127a5a0 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Library/AzureRegion/AzureRegionUtility.cs 
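Review bot: The `environment == "Production" || environment == "Staging"` test is fail-open: any other value — null because the setting is absent, a different casing, or a custom name such as a pre-production slot — silently selects the developer chain (`VisualStudioCredential`, `AzureCliCredential`, `AzurePowerShellCredential`) instead of the managed identity. Invert the default so managed identity is used unless the environment is explicitly a development one, e.g. `if (string.Equals(environment, "Development", StringComparison.OrdinalIgnoreCase))` choosing the developer chain with the `else` branch building `ManagedIdentityCredential`, and feed it from `IHostEnvironment.EnvironmentName` (which defaults to Production) rather than a raw configuration key. Patch 2 of this series replaces this runtime check with `#if DEBUG`, which removes the string comparison but the same fail-closed reading applies to any runtime switch reinstated later. The rest of the constructor continues below the hunk.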
+++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Library/AzureRegion/AzureRegionUtility.cs @@ -3,7 +3,6 @@ using GeoCoordinatePortable; using Microsoft.AzureRegion.Models; using Microsoft.Identity.Client; -using Microsoft.Identity.Web; using Newtonsoft.Json; using System; using System.Collections.Concurrent; @@ -31,6 +30,7 @@ public class AzureRegionUtility : IAzureRegionUtility private static DateTime _cachedUntil = DateTime.UtcNow; private readonly ConcurrentDictionary confidentialApps = new ConcurrentDictionary(); private readonly string CertificateThumbprint; + private readonly string UserAssignedClientId; public AzureRegionUtility(string certificateThumbprint) : this(azureSubscriptionId: "05a315f7-744f-4692-b9dd-1aed7c6cee64", 
@@ -39,16 +39,17 @@ public AzureRegionUtility(string certificateThumbprint) aadAuthority: "https://login.microsoftonline.com/microsoft.onmicrosoft.com", aadClientId: "1601a33e-356e-4570-8325-eefe6116eadb", cacheDurationInMins: 43200, - certificateThumbprint: certificateThumbprint + certificateThumbprint: certificateThumbprint, + userAssignedClientId: "ddcbb4aa-01a9-46aa-8c11-03e1b789d9cd" ) { } - public AzureRegionUtility(string azureSubscriptionId, string azureManagementEndpoint, string azureAadResourceId, string aadAuthority, string aadClientId, int cacheDurationInMins, string certificateThumbprint) - : this(azureSubscriptionId, azureManagementEndpoint, azureAadResourceId, aadAuthority, aadClientId, cacheDurationInMins, certificateThumbprint, new HttpClientFactory()) + public AzureRegionUtility(string azureSubscriptionId, string azureManagementEndpoint, string azureAadResourceId, string aadAuthority, string aadClientId, int cacheDurationInMins, string certificateThumbprint, string userAssignedClientId) + : this(azureSubscriptionId, azureManagementEndpoint, azureAadResourceId, aadAuthority, aadClientId, cacheDurationInMins, certificateThumbprint, userAssignedClientId, new HttpClientFactory()) { } - internal AzureRegionUtility(string azureSubscriptionId, string azureManagementEndpoint, string azureAadResourceId, string aadAuthority, string aadClientId, int cacheDurationInMins, string certificateThumbprint, IHttpClientFactory clientFactory) + internal AzureRegionUtility(string azureSubscriptionId, string azureManagementEndpoint, string azureAadResourceId, string aadAuthority, string aadClientId, int cacheDurationInMins, string certificateThumbprint, string userAssignedClientId, IHttpClientFactory clientFactory) { AzureSubscriptionId = azureSubscriptionId; AzureManagementEndpoint = azureManagementEndpoint; 
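Review bot: The convenience constructor hard-codes the user-assigned identity client id `ddcbb4aa-01a9-46aa-8c11-03e1b789d9cd`, and the same value is added to appsettings.json under `Authentication:UserAssignedClientId` in this patch, so the identity the service runs as now has two sources of truth that can drift silently. A client id is not a secret, but a library constructor bound to one deployment's identity cannot be reused for another environment and will keep authenticating as the old identity after the setting is changed. Prefer a `public AzureRegionUtility(string certificateThumbprint, string userAssignedClientId)` overload fed by the DI module (which already resolves that setting for KeyVaultProvider and AadAuthenticator), or at minimum a comment on the literal stating which identity it is and that it must be kept in sync with the service configuration.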
@@ -57,6 +58,7 @@ internal AzureRegionUtility(string azureSubscriptionId, string azureManagementEn AadClientId = aadClientId; CacheDurationInMins = cacheDurationInMins; CertificateThumbprint = certificateThumbprint; + UserAssignedClientId = userAssignedClientId; _httpClientFactory = clientFactory; } @@ -138,7 +140,7 @@ private async Task GenerateAuthToken() { try { - IConfidentialClientApplication app = GetOrCreateConfidentialApp(AadAuthority, AadClientId); + IConfidentialClientApplication app = GetOrCreateConfidentialApp(AadAuthority, AadClientId, UserAssignedClientId); var authResult = await app.AcquireTokenForClient(new[] { $"{AzureManagementAadResourceId}/.default" }).ExecuteAsync(); return authResult.AccessToken; @@ -149,7 +151,7 @@ private async Task GenerateAuthToken() } } - private IConfidentialClientApplication GetOrCreateConfidentialApp(string authority, string clientId) + private IConfidentialClientApplication GetOrCreateConfidentialApp(string authority, string clientId, string userAssignedClientId) { try { @@ -169,10 +171,13 @@ private IConfidentialClientApplication GetOrCreateConfidentialApp(string authori return confidentialClientApplication; #else + var managedIdentityId = ManagedIdentityId.FromUserAssignedClientId(userAssignedClientId); + var credential = new ManagedIdentityCredential(managedIdentityId); + IConfidentialClientApplication clientApplicationWithMI = ConfidentialClientApplicationBuilder.Create(clientId).WithAuthority(new Uri(authority)) .WithClientAssertion((AssertionRequestOptions options) => { - var accessToken = new DefaultAzureCredential().GetToken(new TokenRequestContext(new string[] { $"api://AzureADTokenExchange/.default" }), CancellationToken.None); + var accessToken = credential.GetToken(new TokenRequestContext(new string[] { $"api://AzureADTokenExchange/.default" }), CancellationToken.None); return Task.FromResult(accessToken.Token); }).Build(); confidentialApps.TryAdd(confidentialAppCacheKey, clientApplicationWithMI); 
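Review bot: `userAssignedClientId` is threaded through GenerateAuthToken and GetOrCreateConfidentialApp as a parameter even though it is fixed per instance in the `UserAssignedClientId` field set by the constructor, and neither place checks it is non-empty, so in Release builds a missing setting surfaces as a token-acquisition error inside the surrounding `try` rather than as a configuration error. Read the field directly and validate it once in the constructor: `UserAssignedClientId = string.IsNullOrWhiteSpace(userAssignedClientId) ? throw new ArgumentException("Managed identity client id is required.", nameof(userAssignedClientId)) : userAssignedClientId;`. As in AadAuthenticator, the assertion callback calls `credential.GetToken` synchronously and ignores `options.CancellationToken`; an `async` delegate awaiting `credential.GetTokenAsync(..., options.CancellationToken)` avoids blocking a thread per assertion. The try/catch around this branch starts and ends outside the hunk.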
diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Library/AzureRegion/Microsoft.AzureRegion.csproj b/src/service/Microsoft.UnifiedRedisPlatform.Service/Library/AzureRegion/Microsoft.AzureRegion.csproj index 0dc9d54..55caaa4 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Library/AzureRegion/Microsoft.AzureRegion.csproj +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Library/AzureRegion/Microsoft.AzureRegion.csproj @@ -5,10 +5,13 @@ + - + + + diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Helpers/DefaultAzureCredentialProvider.cs b/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Helpers/DefaultAzureCredentialProvider.cs index 47a7f77..380b9b9 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Helpers/DefaultAzureCredentialProvider.cs +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Helpers/DefaultAzureCredentialProvider.cs @@ -1,4 +1,5 @@ -using Azure.Identity; +using Azure.Core; +using Azure.Identity; using System.Diagnostics.CodeAnalysis; namespace Microsoft.UnifiedPlatform.Service.Common.Helpers @@ -6,9 +7,12 @@ namespace Microsoft.UnifiedPlatform.Service.Common.Helpers [ExcludeFromCodeCoverage] public class DefaultAzureCredentialProvider : IDefaultAzureCredentialProvider { - public DefaultAzureCredential GetDefaultAzureCredential() + public TokenCredential GetDefaultAzureCredential(string userManagedIdentity) { - return new DefaultAzureCredential(); + return new ChainedTokenCredential( + new VisualStudioCredential(), + new AzureCliCredential(), + new AzurePowerShellCredential()); } } } diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Helpers/IDefaultAzureCredentialProvider.cs b/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Helpers/IDefaultAzureCredentialProvider.cs index 9df80b2..6d68cda 100644 
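Review bot: `GetDefaultAzureCredential(string userManagedIdentity)` names its parameter differently from the interface it implements (`userAssignedClientId` in IDefaultAzureCredentialProvider) and ignores it, so a caller passing the argument by name against the concrete type will not compile and the signature implies the identity is honoured when it is not. Rename the parameter to match the interface and document the intent: `/// <summary>Developer-workstation credentials (Visual Studio, Azure CLI, Azure PowerShell). <paramref name="userAssignedClientId"/> is ignored because no managed identity is available locally.</summary>`. The class name `DefaultAzureCredentialProvider` now describes the opposite of what it returns; a name such as `DeveloperCredentialProvider` would make the switch in CommonDependencyModule.RegisterHelpers self-explanatory.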
--- a/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Helpers/IDefaultAzureCredentialProvider.cs +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Helpers/IDefaultAzureCredentialProvider.cs @@ -1,9 +1,10 @@ -using Azure.Identity; +using Azure.Core; +using Azure.Identity; namespace Microsoft.UnifiedPlatform.Service.Common.Helpers { public interface IDefaultAzureCredentialProvider { - DefaultAzureCredential GetDefaultAzureCredential(); + TokenCredential GetDefaultAzureCredential(string userAssignedClientId=""); } } diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Helpers/UserAssignedIdentityCredentialProvider.cs b/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Helpers/UserAssignedIdentityCredentialProvider.cs new file mode 100644 index 0000000..cfccaf4 --- /dev/null +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Helpers/UserAssignedIdentityCredentialProvider.cs @@ -0,0 +1,16 @@ +using Azure.Core; +using Azure.Identity; +using System.Diagnostics.CodeAnalysis; + +namespace Microsoft.UnifiedPlatform.Service.Common.Helpers +{ + [ExcludeFromCodeCoverage] + public class UserAssignedIdentityCredentialProvider : IDefaultAzureCredentialProvider + { + public TokenCredential GetDefaultAzureCredential(string userAssignedClientId) + { + return new ManagedIdentityCredential( + ManagedIdentityId.FromUserAssignedClientId(userAssignedClientId)); + } + } +} diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Microsoft.UnifiedPlatform.Service.Common.csproj b/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Microsoft.UnifiedPlatform.Service.Common.csproj index f0b68bb..1698f20 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Microsoft.UnifiedPlatform.Service.Common.csproj 
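Review bot: The interface declares `userAssignedClientId = ""` as a default while `UserAssignedIdentityCredentialProvider` passes the value straight into `ManagedIdentityId.FromUserAssignedClientId`, so any caller that takes the default gets an empty client id — Azure.Identity rejects it (with an ArgumentException, as far as I recall), but only at that call and not at the DI boundary where the setting was lost. Drop the default, or better give the provider the client id through its own constructor so `GetDefaultAzureCredential()` needs no argument: `public UserAssignedIdentityCredentialProvider(string userAssignedClientId) => _clientId = string.IsNullOrWhiteSpace(userAssignedClientId) ? throw new ArgumentException("Managed identity client id is required.", nameof(userAssignedClientId)) : userAssignedClientId;`, with the DI module supplying `Authentication:UserAssignedClientId`. The new class also lacks a doc comment; a `/// <summary>` stating that this is the production implementation bound to the user-assigned managed identity and selected in CommonDependencyModule.RegisterHelpers would save the next reader a search.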
+++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Microsoft.UnifiedPlatform.Service.Common.csproj @@ -7,7 +7,7 @@ - + diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/API/Startup.cs b/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/API/Startup.cs index 2192f9c..422d59f 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/API/Startup.cs +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/API/Startup.cs @@ -45,7 +45,9 @@ public IServiceProvider ConfigureServices(IServiceCollection services) { var secretProvider = new KeyVaultProvider( Configuration["KeyVault:Name"], - new InMemoryCache(new MemoryCache(new MemoryCacheOptions()))); + Configuration["Authentication:UserAssignedClientId"], + Configuration["ASPNETCORE_ENVIRONMENT"], + new InMemoryCache(new MemoryCache(new MemoryCacheOptions()))); var signingKey = secretProvider.GetSecret("Authentication-RedisCluster-Secret").Result; options.TokenValidationParameters = new TokenValidationParameters() @@ -63,7 +65,7 @@ public IServiceProvider ConfigureServices(IServiceCollection services) { options.Audience = Configuration["Authentication:AAD:Audience"]; options.Authority = Configuration["Authentication:AAD:Authority"]; - + }); services.AddAuthorization(options => diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/API/appsettings.json b/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/API/appsettings.json index 03a9279..8d5deae 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/API/appsettings.json +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/API/appsettings.json @@ -81,7 +81,8 @@ }, "LocalDebugging": { "CertificateThumbprint": "27d6d3122675fcc4fe11e4977a540fc74169e1f1" - } + }, + "UserAssignedClientId": "ddcbb4aa-01a9-46aa-8c11-03e1b789d9cd" }, "Storage": { "Name": "fxpstorageprodeus", 
diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/Dependencies/CommonDependencyModule.cs b/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/Dependencies/CommonDependencyModule.cs index e9fe649..6f6703e 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/Dependencies/CommonDependencyModule.cs +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/Dependencies/CommonDependencyModule.cs @@ -26,6 +26,7 @@ using Microsoft.UnifiedPlatform.Service.Application.Commands.Handlers; using Microsoft.UnifiedPlatform.Service.Common.Configuration.Resolvers; using Microsoft.UnifiedPlatform.Service.Common.Helpers; +using Microsoft.Extensions.Hosting; namespace Microsoft.UnifiedRedisPlatform.Service.Dependencies.DependencyResolution { @@ -57,7 +58,7 @@ protected override void Load(ContainerBuilder builder) RegisterConfigurationProviders(builder); RegisterConfigurations(builder); RegisterAzureRegionUtility(builder); - RegisterRedisProviders(builder); + RegisterRedisProviders(builder); RegisterRequestHandlerResolver(builder); RegisterQueries(builder); RegisterCommands(builder); @@ -88,7 +89,7 @@ protected virtual void RegisterMemoryCache(ContainerBuilder builder) } protected virtual void RegisterApplicationInsights(ContainerBuilder builder) - { + { } protected virtual void RegisterKeyVault(ContainerBuilder builder) 
@@ -98,6 +99,12 @@ protected virtual void RegisterKeyVault(ContainerBuilder builder) .WithParameter(new ResolvedParameter( (pi, ctx) => pi.ParameterType == typeof(string) && pi.Name == "keyVaultName", (pi, ctx) => ctx.ResolveKeyed(AppSettingsConfigurationProviderKey).GetConfiguration("KeyVault", "Name").Result)) + .WithParameter(new ResolvedParameter( + (pi, ctx) => pi.Name == "userAssignedClientId", + (pi, ctx) => ctx.ResolveKeyed(AppSettingsConfigurationProviderKey).GetConfiguration("Authentication", "UserAssignedClientId").Result)) + .WithParameter(new ResolvedParameter( + (pi, ctx) => pi.Name == "environment", + (pi, ctx) => ctx.Resolve().EnvironmentName)) .SingleInstance(); builder.RegisterType() @@ -119,7 +126,10 @@ protected virtual void RegisterAuthenticators(ContainerBuilder builder) .WithParameter(new ResolvedParameter( (pi, ctx) => pi.Name == "certificateThumbprint", (pi, ctx) => ctx.ResolveKeyed(AppSettingsConfigurationProviderKey).GetConfiguration("Authentication", "LocalDebugging:CertificateThumbprint").Result)) - .SingleInstance(); + .WithParameter(new ResolvedParameter( + (pi, ctx) => pi.Name == "userAssignedClientId", + (pi, ctx) => ctx.ResolveKeyed(AppSettingsConfigurationProviderKey).GetConfiguration("Authentication", "UserAssignedClientId").Result)) + .SingleInstance(); builder.RegisterType() .Keyed(RedisClusterAuthenticatorKey) @@ -147,12 +157,16 @@ protected virtual void RegisterStorageConfigurationProvider(ContainerBuilder bui (pi, ctx) => pi.Name.ToLowerInvariant() == "secretConfigurationProvider".ToLowerInvariant(), (pi, ctx) => ctx.ResolveKeyed(SecretsConfigurationProviderKey))); + builder.RegisterType() + .As() + .SingleInstance(); + builder.Register(ctx => { var storageConfigResolver = ctx.Resolve>(); return storageConfigResolver.Resolve(); }).As() - .SingleInstance(); + .SingleInstance(); builder.RegisterType() .As() 
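Review bot: The new `userAssignedClientId` parameters for KeyVaultProvider and AadAuthenticator are filled from `GetConfiguration("Authentication", "UserAssignedClientId").Result` with no check, so a missing or misspelled setting becomes a null client id that only fails inside `ManagedIdentityId.FromUserAssignedClientId` when the singleton is first resolved, far from the configuration that caused it. Resolve the value once into a local in the value resolver and fail fast with `throw new InvalidOperationException("Authentication:UserAssignedClientId is not configured.");` when `string.IsNullOrWhiteSpace` is true. The predicates also match on `pi.Name` alone whereas the adjacent keyVaultName parameter additionally checks `pi.ParameterType == typeof(string)`; keeping the three consistent avoids a surprise if a same-named parameter of another type is ever added. The `.Result` blocking on GetConfiguration is pre-existing.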
@@ -170,7 +184,7 @@ protected virtual void RegisterStorageConfigurationProvider(ContainerBuilder bui .Keyed(StorageConfigurationProviderKey) .As() .SingleInstance(); - } + } protected virtual void RegisterConfigurationProviders(ContainerBuilder builder) { @@ -190,7 +204,7 @@ protected virtual void RegisterConfigurationProviders(ContainerBuilder builder) #endregion App Metadata Configuration builder.RegisterType() - .As(); + .As(); builder.RegisterType() .As() @@ -214,7 +228,7 @@ protected virtual void RegisterConfigurationProviders(ContainerBuilder builder) } protected virtual void RegisterConfigurations(ContainerBuilder builder) - { + { } protected virtual void RegisterAzureRegionUtility(ContainerBuilder builder) @@ -287,9 +301,25 @@ protected virtual void RegisterCommands(ContainerBuilder builder) protected virtual void RegisterHelpers(ContainerBuilder builder) { - builder.RegisterType() - .As() - .SingleInstance(); + // Resolve IConfiguration from the container + builder.RegisterBuildCallback(c => + { + var config = c.Resolve(); + var env = config["ASPNETCORE_ENVIRONMENT"] ?? "Development"; + + if (env == "Production" || env == "Staging") + { + builder.RegisterType() + .As() + .SingleInstance(); + } + else + { + builder.RegisterType() + .As() + .SingleInstance(); + } + }); } } } From fca2c8a020e6773ee37859b6f44d535f315bcb98 Mon Sep 17 00:00:00 2001 From: Prasad Nikumbh Date: Wed, 28 May 2025 22:29:40 +0530 Subject: [PATCH 2/3] Update from environment to Modes -Release or debug --- .../Secrets/KeyVaultProvider.cs | 17 ++++------ .../Helpers/DefaultAzureCredentialProvider.cs | 5 +-- .../Web/API/Startup.cs | 3 +- .../Dependencies/CommonDependencyModule.cs | 33 +++++++------------ 4 files changed, 19 insertions(+), 39 deletions(-) diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Secrets/KeyVaultProvider.cs b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Secrets/KeyVaultProvider.cs index 562a622..998d721 100644 
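Review bot: Registering `IDefaultAzureCredentialProvider` from inside `RegisterBuildCallback` cannot take effect: the callback runs after the container has been built, and `builder.RegisterType(...)` on the `ContainerBuilder` at that point adds nothing to the existing container (Autofac either ignores it or throws because `Build()` has already run, depending on version), so the service would be unresolvable. The fallback `?? "Development"` is also fail-open — an absent `ASPNETCORE_ENVIRONMENT` selects the developer credential provider. Patch 2 of this series replaces the method with an `#if DEBUG` switch, which fixes both; if a runtime switch is ever reinstated, evaluate the environment when the module is constructed (e.g. `IHostEnvironment.IsDevelopment()`) and make the managed-identity provider the default branch.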
--- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Secrets/KeyVaultProvider.cs +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Secrets/KeyVaultProvider.cs @@ -26,24 +26,19 @@ public class KeyVaultProvider : ISecretsProvider /// /// Configuration for connecting to Azure Key Vault /// Service for caching data - public KeyVaultProvider(string keyVaultName, string userAssignedClientId, string environment, ICacheService cacheService) + public KeyVaultProvider(string keyVaultName, string userAssignedClientId, ICacheService cacheService) { var keyVaultUri = string.Format(KEY_VAULT_URI_FORMAT, keyVaultName); _cacheService = cacheService; TokenCredential credential; - if (environment == "Production"|| environment=="Staging") - { + #if DEBUG + credential = new VisualStudioCredential(); + #else var managedIdentityId = ManagedIdentityId.FromUserAssignedClientId(userAssignedClientId); credential = new ManagedIdentityCredential(managedIdentityId); - } - else - { - credential = new ChainedTokenCredential( - new VisualStudioCredential(), - new AzureCliCredential(), - new AzurePowerShellCredential()); - } + #endif + var secretClient = new SecretClient(new Uri(keyVaultUri), credential); _keyVaultClientWrapper = new KeyVaultClientWrapper(keyVaultUri, secretClient); diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Helpers/DefaultAzureCredentialProvider.cs b/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Helpers/DefaultAzureCredentialProvider.cs index 380b9b9..9686a6a 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Helpers/DefaultAzureCredentialProvider.cs +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Helpers/DefaultAzureCredentialProvider.cs 
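Review bot: As far as the hunk shows, the constructor's `///` block still documents two parameters (the Key Vault name and the cache service); the new `userAssignedClientId` has no `<param>` entry and nothing records that it is consumed only in Release builds. Add `/// <param name="userAssignedClientId">Client id of the user-assigned managed identity used to reach Key Vault; ignored in DEBUG builds, which use VisualStudioCredential.</param>` and, above the `#if DEBUG`, `// Credential choice is deliberately build-time: a Release binary can never fall back to developer credentials.`. Since the value is unused under DEBUG, a guard belongs in the `#else` branch — `if (string.IsNullOrWhiteSpace(userAssignedClientId)) throw new ArgumentException("Managed identity client id is required.", nameof(userAssignedClientId));` — so a Release deployment with a missing setting fails at startup rather than on the first secret read. The constructor continues below the hunk.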
@@ -9,10 +9,7 @@ public class DefaultAzureCredentialProvider : IDefaultAzureCredentialProvider
 {
 public TokenCredential GetDefaultAzureCredential(string userManagedIdentity)
 {
- return new ChainedTokenCredential(
- new VisualStudioCredential(),
- new AzureCliCredential(),
- new AzurePowerShellCredential());
+ return new VisualStudioCredential();
 }
 }
 }
diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/API/Startup.cs b/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/API/Startup.cs
index 422d59f..764fc5b 100644
--- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/API/Startup.cs
+++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/API/Startup.cs
@@ -45,8 +45,7 @@ public IServiceProvider ConfigureServices(IServiceCollection services)
 {
 var secretProvider = new KeyVaultProvider(
 Configuration["KeyVault:Name"],
- Configuration["Authentication:UserAssignedClientId"],
- Configuration["ASPNETCORE_ENVIRONMENT"],
+ Configuration["Authentication:UserAssignedClientId"],
 new InMemoryCache(new MemoryCache(new MemoryCacheOptions())));
 
 var signingKey = secretProvider.GetSecret("Authentication-RedisCluster-Secret").Result;
diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/Dependencies/CommonDependencyModule.cs b/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/Dependencies/CommonDependencyModule.cs
index 6f6703e..38214c9 100644
--- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/Dependencies/CommonDependencyModule.cs
+++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Web/Dependencies/CommonDependencyModule.cs
@@ -27,6 +27,8 @@ using Microsoft.UnifiedPlatform.Service.Application.Commands.Handlers;
 using Microsoft.UnifiedPlatform.Service.Common.Configuration.Resolvers;
 using Microsoft.UnifiedPlatform.Service.Common.Helpers;
 using Microsoft.Extensions.Hosting;
+using Azure.Identity;
+using Microsoft.Identity.Client.Platforms.Features.DesktopOs.Kerberos;
 
 namespace Microsoft.UnifiedRedisPlatform.Service.Dependencies.DependencyResolution
 {
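Review bot: `using Microsoft.Identity.Client.Platforms.Features.DesktopOs.Kerberos;` in the CommonDependencyModule hunk looks like an accidental IDE auto-import: nothing in this patch references that namespace, it is an MSAL desktop/Kerberos internal with no bearing on credential selection, and it couples a server-side DI module to an API surface MSAL does not treat as public. `using Azure.Identity;` is likewise unused by anything visible in this file's changes, which register the project's own provider types from `Common.Helpers`. Drop both lines, or keep only the one a later hunk actually needs.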
@@ -102,9 +104,6 @@ protected virtual void RegisterKeyVault(ContainerBuilder builder)
 .WithParameter(new ResolvedParameter(
 (pi, ctx) => pi.Name == "userAssignedClientId",
 (pi, ctx) => ctx.ResolveKeyed(AppSettingsConfigurationProviderKey).GetConfiguration("Authentication", "UserAssignedClientId").Result))
- .WithParameter(new ResolvedParameter(
- (pi, ctx) => pi.Name == "environment",
- (pi, ctx) => ctx.Resolve().EnvironmentName))
 .SingleInstance();
 
 builder.RegisterType()
@@ -301,25 +300,15 @@ protected virtual void RegisterCommands(ContainerBuilder builder)
 
 protected virtual void RegisterHelpers(ContainerBuilder builder)
 {
- // Resolve IConfiguration from the container
- builder.RegisterBuildCallback(c =>
- {
- var config = c.Resolve();
- var env = config["ASPNETCORE_ENVIRONMENT"] ?? "Development";
-
- if (env == "Production" || env == "Staging")
- {
- builder.RegisterType()
- .As()
- .SingleInstance();
- }
- else
- {
- builder.RegisterType()
- .As()
- .SingleInstance();
- }
- });
+ #if DEBUG
+ builder.RegisterType()
+ .As()
+ .SingleInstance();
+ #else
+ builder.RegisterType()
+ .As()
+ .SingleInstance();
+ #endif
 }
 }
 }
From 1ee0b63833a92ea732a615ee75ad61ddda49213f Mon Sep 17 00:00:00 2001
From: Prasad Nikumbh
Date: Wed, 28 May 2025 22:44:22 +0530
Subject: [PATCH 3/3] Updated the package
---
 .../Microsoft.UnifiedPlatform.Service.Application.csproj | 2 ++
 .../Microsoft.UnifiedPlatform.Service.Authentication.csproj | 4 ++--
 .../Microsoft.UnifiedPlatform.Service.Configuration.csproj | 2 ++
 .../Redis/Microsoft.UnifiedPlatform.Service.Redis.csproj | 2 ++
 .../Secrets/Microsoft.UnifiedPlatform.Service.Secrets.csproj | 3 ++-
 .../Storage/Microsoft.UnifiedPlatform.Storage.csproj | 2 ++
 .../Library/AzureRegion/Microsoft.AzureRegion.csproj | 4 ++--
 .../Common/Microsoft.UnifiedPlatform.Service.Common.csproj | 3 ++-
 8 files changed, 16 insertions(+), 6 deletions(-)
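Review bot: After this patch the credential decision is made independently in four places — `AadAuthenticator`, `AzureRegionUtility`, `KeyVaultProvider` and this `RegisterHelpers` — three of them constructing `ManagedIdentityCredential` inline rather than going through the `IDefaultAzureCredentialProvider` this method registers, so the `#if DEBUG` policy has to be kept in sync by hand. Where the project layering allows, route the other consumers through the provider (inject `IDefaultAzureCredentialProvider` or a `TokenCredential`) so a future change such as a system-assigned identity or a different developer credential is one edit, and add a comment above the `#if DEBUG` stating that the switch is intentionally compile-time so a Release binary can never pick up developer credentials. RegisterHelpers is complete within the hunk; the enclosing class is not.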
diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Core/Application/Microsoft.UnifiedPlatform.Service.Application.csproj b/src/service/Microsoft.UnifiedRedisPlatform.Service/Core/Application/Microsoft.UnifiedPlatform.Service.Application.csproj index 7c0d3e5..17f47d6 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Core/Application/Microsoft.UnifiedPlatform.Service.Application.csproj +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Core/Application/Microsoft.UnifiedPlatform.Service.Application.csproj @@ -5,7 +5,9 @@ + + diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Authentication/Microsoft.UnifiedPlatform.Service.Authentication.csproj b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Authentication/Microsoft.UnifiedPlatform.Service.Authentication.csproj index 61ffe07..b680396 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Authentication/Microsoft.UnifiedPlatform.Service.Authentication.csproj +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Authentication/Microsoft.UnifiedPlatform.Service.Authentication.csproj @@ -6,8 +6,8 @@ - - + + diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Configuration/Microsoft.UnifiedPlatform.Service.Configuration.csproj b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Configuration/Microsoft.UnifiedPlatform.Service.Configuration.csproj index 3c2467a..e8a56aa 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Configuration/Microsoft.UnifiedPlatform.Service.Configuration.csproj +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Configuration/Microsoft.UnifiedPlatform.Service.Configuration.csproj @@ -5,7 +5,9 @@ + + 
diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Redis/Microsoft.UnifiedPlatform.Service.Redis.csproj b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Redis/Microsoft.UnifiedPlatform.Service.Redis.csproj index 109b2b4..34caaf7 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Redis/Microsoft.UnifiedPlatform.Service.Redis.csproj +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Redis/Microsoft.UnifiedPlatform.Service.Redis.csproj @@ -6,6 +6,8 @@ + + diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Secrets/Microsoft.UnifiedPlatform.Service.Secrets.csproj b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Secrets/Microsoft.UnifiedPlatform.Service.Secrets.csproj index 54af514..c576ba0 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Secrets/Microsoft.UnifiedPlatform.Service.Secrets.csproj +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Secrets/Microsoft.UnifiedPlatform.Service.Secrets.csproj @@ -5,9 +5,10 @@ - + + diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Storage/Microsoft.UnifiedPlatform.Storage.csproj b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Storage/Microsoft.UnifiedPlatform.Storage.csproj index b256916..2718797 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Storage/Microsoft.UnifiedPlatform.Storage.csproj +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Infrastructure/Storage/Microsoft.UnifiedPlatform.Storage.csproj @@ -6,8 +6,10 @@ + + diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/Library/AzureRegion/Microsoft.AzureRegion.csproj b/src/service/Microsoft.UnifiedRedisPlatform.Service/Library/AzureRegion/Microsoft.AzureRegion.csproj index 55caaa4..3cba8e5 100644 
--- a/src/service/Microsoft.UnifiedRedisPlatform.Service/Library/AzureRegion/Microsoft.AzureRegion.csproj +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/Library/AzureRegion/Microsoft.AzureRegion.csproj @@ -5,9 +5,9 @@ - + - + diff --git a/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Microsoft.UnifiedPlatform.Service.Common.csproj b/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Microsoft.UnifiedPlatform.Service.Common.csproj index 1698f20..0da8f0d 100644 --- a/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Microsoft.UnifiedPlatform.Service.Common.csproj +++ b/src/service/Microsoft.UnifiedRedisPlatform.Service/SharedKernel/Common/Microsoft.UnifiedPlatform.Service.Common.csproj @@ -7,8 +7,9 @@ - + +