Microsoft connector - support for using signed assertions from managed identity instead of client secrets #3852

Open
@ItalyPaleAle

Description

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

Using Dex with the Microsoft connector with an Entra ID (Azure AD) app requires setting a client secret in the configuration. Applications are generally discouraged from working with pre-shared keys (like client secrets) whenever possible, as they can pose a security risk.

Apps that are running in Azure, or in environments that can be federated with Entra (e.g. Workload Identity Federation, which works on Kubernetes clusters hosted anywhere, as well as a bunch of other places including Google Cloud, AWS, etc.), can leverage managed identity / workload identity to perform a token exchange instead of requiring pre-shared credentials.

Proposed Solution

Support for obtaining a token from Entra ID using signed assertions.

When invoking the /token endpoint to exchange an authorization code for an access token, it should be possible to use a signed assertion instead of a client secret. The assertion can come from a certificate, or can come from a token issued by Managed Identity / Workload Identity.

Alternatives Considered

No response

Additional Information

This feature request would greatly improve the security of environments that use Dex, as they would be able to run without any pre-shared credentials, which are susceptible to being leaked.
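The exchange the request describes, written out as an added example in Go (Dex's own language). This is not code from the Dex project or from the issue author. It builds the RS256 client assertion that Entra ID accepts in place of a client secret (the RFC 7523 `client_assertion` / `client_assertion_type` parameters), shows the `/token` form body for the authorization-code exchange with `client_secret` absent, and includes the signature check the token endpoint performs against the registered certificate. The tenant ID, client ID, redirect URI and authorization code are constructed placeholders; the certificate is a throwaway self-signed one minted in-process so the `x5t` thumbprint can be computed offline. Obtaining a federated token from managed identity or workload identity (which would be passed as `client_assertion` in exactly the same way) is not shown, since it requires a live metadata endpoint.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Hypothetical tenant and app IDs; real values come from the app registration.
const (
	tenantID            = "00000000-0000-0000-0000-000000000000"
	clientID            = "11111111-1111-1111-1111-111111111111"
	clientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" // RFC 7523
)

func tokenEndpoint(tenant string) string {
	return "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token"
}

// b64 encodes one JWT segment: base64url without padding.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// generateKey makes the signing key; in production it lives in a key store, not in memory at startup.
func generateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// selfSignedCert mints a throwaway certificate for the key so the example can compute
// the x5t thumbprint; in production this is the certificate uploaded to the app registration.
func selfSignedCert(key *rsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// certAssertion builds the client assertion Entra ID accepts instead of a client secret:
// iss and sub are the client ID, aud is the token endpoint, the lifetime is short, jti is
// unique, and the header carries the certificate's SHA-1 thumbprint as x5t.
func certAssertion(key *rsa.PrivateKey, certDER []byte, now time.Time) (string, error) {
	thumb := sha1.Sum(certDER)
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": b64(thumb[:])})
	claims, _ := json.Marshal(map[string]any{
		"iss": clientID, "sub": clientID, "aud": tokenEndpoint(tenantID),
		"iat": now.Unix(), "nbf": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(),
		"jti": b64(jti),
	})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// tokenRequest is the form body POSTed to /token for the code exchange. There is no
// client_secret; client_assertion carries either a certAssertion or a federated token
// from managed / workload identity (for managed identity, one issued for the audience
// api://AzureADTokenExchange), with the same client_assertion_type in both cases.
func tokenRequest(code, redirectURI, assertion string) url.Values {
	return url.Values{
		"grant_type":            {"authorization_code"},
		"client_id":             {clientID},
		"code":                  {code},
		"redirect_uri":          {redirectURI},
		"client_assertion_type": {clientAssertionType},
		"client_assertion":      {assertion},
	}
}

// verifyAssertion does what the token endpoint does with the registered certificate:
// it checks the RS256 signature over header.payload and returns the decoded claims.
func verifyAssertion(pub *rsa.PublicKey, jwt string) (map[string]any, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	return claims, json.Unmarshal(raw, &claims)
}

func main() {
	key, _ := generateKey()
	cert, _ := selfSignedCert(key)
	jwt, _ := certAssertion(key, cert, time.Now())
	// Constructed placeholders for the code returned to Dex's callback and the redirect URI.
	fmt.Println(tokenRequest("constructed-auth-code", "https://dex.example.com/callback", jwt).Encode())
}
```

The security-relevant property is in `tokenRequest`: nothing long-lived is sent over the wire. The assertion is valid for five minutes, bound to this tenant's token endpoint by `aud`, and unusable for replay after `exp`; the private key (or the workload's identity) never leaves the process. A leaked `client_secret`, by contrast, is a bearer credential until rotated.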
