[Identity] Enable identity binding mode for WorkloadIdentityCredential in AKS (#53436)

* Add new environment variables

* Add new property to use the proxy

* Add config class for the proxy

* Add custom pipeline

* Add tests

* Export API

* Remove comments

* Rename AzureKubernetesTokenProxy to IsAzureKubernetesTokenProxyEnabled

* Add section in readme and changelog entry

* Improve validation for CA data in TryCreate method

* Add a semaphore to KubernetesProxyHttpHandler instead of waiting a fixed amount of time

* Use PemReader.LoadCertificate

* Remove TestEnvVar class

* fb

* fb

* Apply suggestions from code review

* fixed up handler disposal

* fix tests

* load cert without PK

* mark live tests as Ignore

* cert validation tests

* fix test

* fb

* Add conditional compilation for X509Certificate2.CreateFromPem

* Update code snippet to remove deprecated ctor

* Update KubernetesProxy tests to use a fixed token file path

* Replace deprecated X509Certificate2.CreateFromPem with PemReader.LoadCertificate in tests

* Enhance SSL certificate validation in KubernetesProxyHttpHandler to reject non-chain errors and ensure proper handler reloading on CA file changes

* Use snippets in Readme

* Add logging for Kubernetes proxy CA certificate handling events

* Refactor CA certificate comparison to use Span for improved performance and remove redundant method

* Replace Thread.Sleep with Task.Delay in KubernetesProxyHttpHandlerTests

* Add method to create handler and make requests; refactor tests for CA file handling

* Refactor SendAsync test to use KubernetesProxyHttpHandler and validate cached handler behavior on CA file read failure

* Refactor SendAsync tests to use KubernetesProxyHttpHandler directly and verify handler behavior on CA file changes

---------

Co-authored-by: Christopher Scott <chriscott@hotmail.com>

Author: JonathanCrd

sdk/identity/Azure.Identity/CHANGELOG.md

@@ -4,6 +4,8 @@
 
 ### Features Added
 
+- Added Kubernetes token proxy support (identity binding mode) to `WorkloadIdentityCredential`. When enabled via the `IsAzureKubernetesTokenProxyEnabled ` option, the credential redirects token requests to an AKS-provided proxy to work around Entra ID's limit on federated identity credentials per managed identity. This feature is opt-in and only available when using `WorkloadIdentityCredential` directly (not supported by `DefaultAzureCredential` or `ManagedIdentityCredential`).
+
 ### Breaking Changes
 
 ### Bugs Fixed

sdk/identity/Azure.Identity/README.md

@@ -107,6 +107,45 @@ While `DefaultAzureCredential` is generally the quickest way to authenticate app
 
 As of version 1.8.0, `ManagedIdentityCredential` supports [token caching](#token-caching).
 
+## Identity binding mode (WorkloadIdentityCredential)
+
+`WorkloadIdentityCredential` supports an opt-in identity binding mode to work around [Entra ID's limit on federated identity credentials (FICs)](https://learn.microsoft.com/entra/workload-id/workload-identity-federation-considerations#federated-identity-credential-considerations) per managed identity. When enabled via the `IsAzureKubernetesTokenProxyEnabled ` option, the credential redirects token requests to an AKS-provided proxy that handles the FIC exchange centrally, allowing multiple pods to share the same identity without hitting FIC limits.
+
+**Note:** This feature is only available when using `WorkloadIdentityCredential` directly. It is not supported by `DefaultAzureCredential` or `ManagedIdentityCredential`.
+
+### Usage
+
+```C# Snippet:WorkloadIdentityCredentialWithIdentityBinding
+var credential = new WorkloadIdentityCredential(new WorkloadIdentityCredentialOptions
+{
+    IsAzureKubernetesTokenProxyEnabled = true  // Enable identity binding mode
+});
+```
+
+When enabled, the credential reads these environment variables (typically configured by AKS):
+
+* `AZURE_KUBERNETES_TOKEN_PROXY` - Base HTTPS URL for the proxy endpoint
+* `AZURE_KUBERNETES_CA_FILE` - Path to PEM bundle with proxy CA certificates
+* `AZURE_KUBERNETES_CA_DATA` - PEM-encoded CA bundle (mutually exclusive with `AZURE_KUBERNETES_CA_FILE `)
+* `AZURE_KUBERNETES_SNI_NAME` - TLS Server Name Indication (optional)
+
+The credential validates the configuration at construction time and throws `InvalidOperationException` if the configuration is invalid or incomplete.
+
+### Migration from ManagedIdentityCredential
+
+If you're currently using `ManagedIdentityCredential` for workload identity in AKS and need to use identity binding mode, migrate to `WorkloadIdentityCredential`:
+
+```C# Snippet:MigrationToWorkloadIdentityCredential
+// Before (no identity binding support):
+// var credential = new ManagedIdentityCredential(ManagedIdentityId.SystemAssigned);
+
+// After (with identity binding support):
+var credential = new WorkloadIdentityCredential(new WorkloadIdentityCredentialOptions
+{
+    IsAzureKubernetesTokenProxyEnabled = true
+});
+```
+
 ## Sovereign cloud configuration
 
 By default, credentials authenticate to the Microsoft Entra endpoint for the Azure Public Cloud. To access resources in other clouds, such as Azure US Government or a private cloud, use one of the following solutions:
@@ -142,7 +181,7 @@ Not all credentials require this configuration. Credentials that authenticate th
 |-|-|-|
 |[`EnvironmentCredential`][ref_EnvironmentCredential]|Authenticates a service principal or user via credential information specified in [environment variables](#environment-variables).||
 |[`ManagedIdentityCredential`][ref_ManagedIdentityCredential]|Authenticates the managed identity of an Azure resource.|[user-assigned managed identity][uami_doc]<br>[system-assigned managed identity][sami_doc]|
-|[`WorkloadIdentityCredential`][ref_WorkloadIdentityCredential]|Supports [Microsoft Entra Workload ID](https://learn.microsoft.com/azure/aks/workload-identity-overview) on Kubernetes.||
+|[`WorkloadIdentityCredential`][ref_WorkloadIdentityCredential]|Supports [Microsoft Entra Workload ID](https://learn.microsoft.com/azure/aks/workload-identity-overview) on Kubernetes. Supports [identity binding mode](#identity-binding-mode-workloadidentitycredential) to work around FIC limits in AKS.||
 
 ### Authenticate service principals
 

sdk/identity/Azure.Identity/api/Azure.Identity.net8.0.cs

@@ -502,6 +502,7 @@ public WorkloadIdentityCredentialOptions() { }
         public System.Collections.Generic.IList<string> AdditionallyAllowedTenants { get { throw null; } }
         public string ClientId { get { throw null; } set { } }
         public bool DisableInstanceDiscovery { get { throw null; } set { } }
+        public bool IsAzureKubernetesTokenProxyEnabled { get { throw null; } set { } }
         public string TenantId { get { throw null; } set { } }
         public string TokenFilePath { get { throw null; } set { } }
     }

sdk/identity/Azure.Identity/api/Azure.Identity.netstandard2.0.cs

@@ -499,6 +499,7 @@ public WorkloadIdentityCredentialOptions() { }
         public System.Collections.Generic.IList<string> AdditionallyAllowedTenants { get { throw null; } }
         public string ClientId { get { throw null; } set { } }
         public bool DisableInstanceDiscovery { get { throw null; } set { } }
+        public bool IsAzureKubernetesTokenProxyEnabled { get { throw null; } set { } }
         public string TenantId { get { throw null; } set { } }
         public string TokenFilePath { get { throw null; } set { } }
     }

sdk/identity/Azure.Identity/src/AzureIdentityEventSource.cs

@@ -43,6 +43,9 @@ internal sealed class AzureIdentityEventSource : AzureEventSource, IIdentityLogg
         private const int ServiceFabricManagedIdentityRuntimeConfigurationNotSupportedEvent = 22;
         private const int ManagedIdentitySourceAttemptedEvent = 25;
         private const int ManagedIdentityCredentialSelectedEvent = 26;
+        private const int KubernetesProxyCaCertificateReloadSkippedEvent = 27;
+        private const int KubernetesProxyCaCertificateReloadFailedEvent = 28;
+        private const int KubernetesProxyCaCertificateReloadedEvent = 29;
 
         internal const string TenantIdDiscoveredAndNotUsedEventMessage = "A token was request for a different tenant than was configured on the credential, but the configured value was used since multi tenant authentication has been disabled. Configured TenantId: {0}, Requested TenantId {1}";
         internal const string TenantIdDiscoveredAndUsedEventMessage = "A token was requested for a different tenant than was configured on the credential, and the requested tenant id was used to authenticate. Configured TenantId: {0}, Requested TenantId {1}";
@@ -53,6 +56,9 @@ internal sealed class AzureIdentityEventSource : AzureEventSource, IIdentityLogg
         internal const string ServiceFabricManagedIdentityRuntimeConfigurationNotSupportedMessage = "Service Fabric user assigned managed identity ClientId or ResourceId is not configurable at runtime.";
         internal const string ManagedIdentitySourceAttemptedMessage = "ManagedIdentitySource {0} was attempted. IsSelected={1}.";
         internal const string ManagedIdentityCredentialSelectedMessage = "Managed Identity source selected: {0} with ID: {1}";
+        internal const string KubernetesProxyCaCertificateReloadSkippedMessage = "Kubernetes proxy CA certificate reload skipped. Reason: {0}";
+        internal const string KubernetesProxyCaCertificateReloadFailedMessage = "Kubernetes proxy CA certificate read failed. Error: {0}";
+        internal const string KubernetesProxyCaCertificateReloadedMessage = "Kubernetes proxy CA certificate changed, handler will be reloaded.";
 
         private AzureIdentityEventSource() : base(EventSourceName) { }
 
@@ -425,5 +431,32 @@ public void ManagedIdentityCredentialSelected(string credentialType, string id)
                 WriteEvent(ManagedIdentityCredentialSelectedEvent, credentialType, id);
             }
         }
+
+        [Event(KubernetesProxyCaCertificateReloadSkippedEvent, Level = EventLevel.Informational, Message = KubernetesProxyCaCertificateReloadSkippedMessage)]
+        public void KubernetesProxyCaCertificateReloadSkipped(string reason)
+        {
+            if (IsEnabled(EventLevel.Informational, EventKeywords.All))
+            {
+                WriteEvent(KubernetesProxyCaCertificateReloadSkippedEvent, reason);
+            }
+        }
+
+        [Event(KubernetesProxyCaCertificateReloadFailedEvent, Level = EventLevel.Warning, Message = KubernetesProxyCaCertificateReloadFailedMessage)]
+        public void KubernetesProxyCaCertificateReloadFailed(string error)
+        {
+            if (IsEnabled(EventLevel.Warning, EventKeywords.All))
+            {
+                WriteEvent(KubernetesProxyCaCertificateReloadFailedEvent, error);
+            }
+        }
+
+        [Event(KubernetesProxyCaCertificateReloadedEvent, Level = EventLevel.Informational, Message = KubernetesProxyCaCertificateReloadedMessage)]
+        public void KubernetesProxyCaCertificateReloaded()
+        {
+            if (IsEnabled(EventLevel.Informational, EventKeywords.All))
+            {
+                WriteEvent(KubernetesProxyCaCertificateReloadedEvent);
+            }
+        }
     }
 }

sdk/identity/Azure.Identity/src/Credentials/WorkloadIdentityCredential.cs

@@ -2,13 +2,10 @@
 // Licensed under the MIT License.
 
 using System;
-using System.Collections.Generic;
-using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 using Azure.Core;
 using Azure.Core.Pipeline;
-using Microsoft.Identity.Client;
 
 namespace Azure.Identity
 {
@@ -47,6 +44,18 @@ public WorkloadIdentityCredential(WorkloadIdentityCredentialOptions options)
                 clientAssertionCredentialOptions.Pipeline = options.Pipeline;
                 clientAssertionCredentialOptions.MsalClient = options.MsalClient;
 
+                // Configure Kubernetes token proxy if user opted in
+                if (options.IsAzureKubernetesTokenProxyEnabled)
+                {
+                    var proxyConfig = KubernetesProxyConfig.TryCreate();
+                    if (proxyConfig != null)
+                    {
+                        var proxyHandler = new KubernetesProxyHttpHandler(proxyConfig);
+                        var httpClient = new System.Net.Http.HttpClient(proxyHandler);
+                        clientAssertionCredentialOptions.Transport = new HttpClientTransport(httpClient);
+                    }
+                }
+
                 _clientAssertionCredential = new ClientAssertionCredential(options.TenantId, options.ClientId, _tokenFileCache.GetTokenFileContentsAsync, clientAssertionCredentialOptions);
             }
             _pipeline = _clientAssertionCredential?.Pipeline ?? CredentialPipeline.GetInstance(default);

sdk/identity/Azure.Identity/src/Credentials/WorkloadIdentityCredentialOptions.cs

@@ -39,6 +39,13 @@ public class WorkloadIdentityCredentialOptions : TokenCredentialOptions, ISuppor
         /// <inheritdoc />
         public bool DisableInstanceDiscovery { get; set; }
 
+        /// <summary>
+        /// Enables Azure Kubernetes token proxy mode to work around Entra's limit on federated identity credentials.
+        /// When enabled and proxy configuration environment variables are set, requests are sent to the AKS proxy instead of directly to Entra ID.
+        /// This feature is not supported when using DefaultAzureCredential.
+        /// </summary>
+        public bool IsAzureKubernetesTokenProxyEnabled { get; set; }
+
         /// <summary>
         /// Specifies tenants in addition to the specified <see cref="TenantId"/> for which the credential may acquire tokens.
         /// Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the logged in account can access.

sdk/identity/Azure.Identity/src/DisposingHttpClientHandler.cs

@@ -0,0 +1,56 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Net.Http;
+using System.Threading;
+using System.Threading.Tasks;
+using Azure.Core.Pipeline;
+
+namespace Azure.Identity
+{
+    /// <summary>
+    /// HTTP message handler that handles disposing itself only after in-flight requests complete.
+    /// </summary>
+    internal class DisposingHttpClientHandler : HttpClientHandler, IDisposable
+    {
+        private int _count;
+        private TaskCompletionSource<Task> _zeroTcs =
+            new(TaskCreationOptions.RunContinuationsAsynchronously);
+
+        public IDisposable StartSend()
+        {
+            var newCount = Interlocked.Increment(ref _count);
+            if (newCount == 1)
+            {
+                // leaving zero -> ensure future waiters actually wait
+                var tcs = Volatile.Read(ref _zeroTcs);
+                if (tcs.Task.IsCompleted)
+                {
+                    Interlocked.CompareExchange(
+                        ref _zeroTcs,
+                        new TaskCompletionSource<Task>(TaskCreationOptions.RunContinuationsAsynchronously),
+                        tcs);
+                }
+            }
+            return new Releaser(this);
+        }
+
+        public void CompleteSend()
+        {
+            if (Interlocked.Decrement(ref _count) == 0)
+            {
+                Volatile.Read(ref _zeroTcs).TrySetResult(Task.CompletedTask);
+            }
+        }
+
+        public Task WaitForOutstandingRequests() => Volatile.Read(ref _zeroTcs).Task;
+
+        private sealed class Releaser : IDisposable
+        {
+            private DisposingHttpClientHandler _owner;
+            public Releaser(DisposingHttpClientHandler owner) => _owner = owner;
+            public void Dispose() { _owner?.CompleteSend(); _owner = null; }
+        }
+    }
+}

sdk/identity/Azure.Identity/src/EnvironmentVariables.cs

@@ -33,6 +33,11 @@ internal class EnvironmentVariables
 
         public static string AzureFederatedTokenFile => GetNonEmptyStringOrNull(Environment.GetEnvironmentVariable("AZURE_FEDERATED_TOKEN_FILE"));
 
+        public static string AzureKubernetesTokenProxy => GetNonEmptyStringOrNull(Environment.GetEnvironmentVariable("AZURE_KUBERNETES_TOKEN_PROXY"));
+        public static string AzureKubernetesCaFile => GetNonEmptyStringOrNull(Environment.GetEnvironmentVariable("AZURE_KUBERNETES_CA_FILE"));
+        public static string AzureKubernetesCaData => GetNonEmptyStringOrNull(Environment.GetEnvironmentVariable("AZURE_KUBERNETES_CA_DATA"));
+        public static string AzureKubernetesSniName => GetNonEmptyStringOrNull(Environment.GetEnvironmentVariable("AZURE_KUBERNETES_SNI_NAME"));
+
         public static string CredentialSelection => GetNonEmptyStringOrNull(Environment.GetEnvironmentVariable("AZURE_TOKEN_CREDENTIALS"));
 
         private static string GetNonEmptyStringOrNull(string str)