I have a single Azure Web App that connects back to Azure Flexible Postgres using AD authentication.
I've managed to add the AD Administrator to Postgres and add two user managed identities as Postgres roles (both of which have different permissions and access to different database tables).
The Azure Web App is set up with Authentication on a single tenant, and I have restricted access to certain AD users/groups within the Enterprise Application.
What I want is to be able to assign the two different user managed identities to different active directory users, who I have granted access to the application. This is to define what data they are able to view within the application (given the different Postgres roles assigned to the two different user managed identities).
However, how do I do this if I add the two user-managed-identities to the Azure Web App? Currently any user who has access to the application can request access tokens for either user managed identity, so long as they know the Object ID of the managed identity.
The access token is being generated within the app by the node version of @azure/identity with the following commands:
const credential = new DefaultAzureCredential({ managedIdentityClientId: '<client-id-of-user-assigned-identity>' })
const accessToken = await credential.getToken("https://ossrdbms-aad.database.windows.net")
This poses an additional question - how would I pass the client ID of the managed identity to the application, depending on the AD user, as I don't wish to hard code this into the application. One assumes if it's possible to link a managed identity to a AD User (as I am seeking to do here), it should be possible to get this dynamically, however I see no option for this within the custom claims options for JWT, and when I try and add custom options (that aren't within the drop down lists), I get an error about adding signing keys.
Is this scenario possible? I really don't want to have to have two applications to manage the two different postgres user permissions!
Thanks,
Ed
