Add workload identity as a MSAL option

src/libraries/Authentication/Authentication.Msal/Model/AuthTypes.cs

@@ -10,6 +10,7 @@ public enum AuthTypes
         ClientSecret,
         UserManagedIdentity,
         SystemManagedIdentity,
-        FederatedCredentials
+        FederatedCredentials,
+        WorkloadIdentity
     }
 }

src/libraries/Authentication/Authentication.Msal/Model/ConnectionSettings.cs

@@ -68,6 +68,11 @@ public ConnectionSettings(IConfigurationSection msalConfigurationSection) : base
         /// </summary>
         public bool SendX5C { get; set; } = false;
 
+        /// <summary>
+        /// Token path used for the workload identity, like the MSAL example for AKS, equal to AZURE_FEDERATED_TOKEN_FILE 
+        /// </summary>
+        public string FederatedTokenFile { get; set; }
+
         /// <summary>
         /// ClientId of the ManagedIdentity used with FederatedCredentials
         /// </summary>
@@ -146,6 +151,20 @@ public void ValidateConfiguration()
                         throw new ArgumentNullException(nameof(Authority), "TenantId or Authority is required");
                     }
                     break;
+                case AuthTypes.WorkloadIdentity:
+                    if (string.IsNullOrEmpty(ClientId))
+                    {
+                        throw new ArgumentNullException(nameof(ClientId), "ClientId is required");
+                    }
+                    if (string.IsNullOrEmpty(Authority) && string.IsNullOrEmpty(TenantId))
+                    {
+                        throw new ArgumentNullException(nameof(Authority), "TenantId or Authority is required");
+                    }
+                    if (string.IsNullOrEmpty(FederatedTokenFile))
+                    {
+                        throw new ArgumentNullException(nameof(FederatedTokenFile), "FederatedTokenFile is required");
+                    }
+                    break;
                 default:
                     break;
             }

src/libraries/Authentication/Authentication.Msal/MsalAuth.cs

@@ -14,6 +14,7 @@
 using System;
 using System.Collections.Concurrent;
 using System.Collections.Generic;
+using System.IO;
 using System.Linq;
 using System.Threading.Tasks;
 
@@ -35,6 +36,8 @@ public class MsalAuth : IAccessTokenProvider, IOBOExchange, IMSALProvider
         private readonly ConnectionSettings _connectionSettings;
         private readonly ILogger _logger;
         private readonly ICertificateProvider _certificateProvider;
+        private DateTimeOffset _lastReadWorkloadIdentity;
+        private string _lastJwtWorkLoadIdentity = null;
 
         /// <summary>
         /// Creates a MSAL Authentication Instance. 
@@ -225,6 +228,18 @@ async Task<String> FetchExternalTokenAsync()
                     }
                     cAppBuilder.WithClientAssertion((AssertionRequestOptions options) => FetchExternalTokenAsync());
                 }
+                else if (_connectionSettings.AuthType == AuthTypes.WorkloadIdentity)
+                {
+                    cAppBuilder.WithClientAssertion(() =>
+                    {
+                        // read only once every 5 minutes, less heavy for I/O
+                        if (_lastJwtWorkLoadIdentity != null && DateTimeOffset.UtcNow.Subtract(_lastReadWorkloadIdentity) <= TimeSpan.FromMinutes(5)) 
+                            return _lastJwtWorkLoadIdentity;
+                        _lastReadWorkloadIdentity = DateTimeOffset.UtcNow;
+                        _lastJwtWorkLoadIdentity = File.ReadAllText(_connectionSettings.FederatedTokenFile);
+                        return _lastJwtWorkLoadIdentity;
+                    });
+                }
                 else
                 {
                     throw new System.NotImplementedException();