4 changes: 3 additions & 1 deletion Program.cs
Expand Up @@ -15,6 +15,8 @@

// Can be consumed by ManagedIdentityCredential by specifying IDENTITY_ENDPOINT and IMDS_ENDPOINT environment variables to this action URL
// See https://github.com/Azure/azure-sdk-for-net/blob/Azure.Identity_1.8.0/sdk/identity/Azure.Identity/src/AzureArcManagedIdentitySource.cs
// For supporting "az login --identity" (version >= 2.74) this can be consumed by specifying IDENTITY_ENDPOINT and IDENTITY_HEADER environment
// variables. See https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/b1d8cd71145a8b1889b490f9b0dfbe4b1ac3a7f1/msal/managed_identity.py#L437
app.MapGet("/token", async (HttpContext context, string resource, CancellationToken cancellationToken) =>
{
var token = await tokenCredential.GetTokenAsync(new TokenRequestContext([resource]), cancellationToken);
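Review bot: the added comment lines (`// For supporting "az login --identity" (version >= 2.74) ...`) tell readers to set IDENTITY_HEADER, but the handler directly below, `app.MapGet("/token", async (HttpContext context, string resource, CancellationToken cancellationToken)`, binds only the `resource` query parameter and nothing in this hunk reads or validates the header value the client forwards. State that in the comment (for example "the proxy accepts any IDENTITY_HEADER value and does not verify it") so nobody treats that variable as a shared secret guarding the endpoint; if verification is intended, it belongs in this handler before `GetTokenAsync` is called. Pinning both links to a release tag and a commit hash is good; keep that convention.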
Expand All @@ -29,7 +31,7 @@
return Results.Ok(result);
});

// Can be consumed by "az login --identity" by specifying MSI_ENDPOINT environment variable to this action URL
// Can be consumed by "az login --identity" (version < 2.74) by specifying MSI_ENDPOINT environment variable to this action URL
// https://github.com/Azure/msrestazure-for-python/blob/master/msrestazure/azure_active_directory.py#L474
app.MapPost("/token", async (HttpContext context, HttpRequest request, CancellationToken cancellationToken) =>
{
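Review bot: the replaced comment now pins a version boundary (`version < 2.74`) but still links `msrestazure/.../azure_active_directory.py#L474` on `master`, so the line anchor will drift as that file changes; pin it to a tag or commit the way the `Azure.Identity_1.8.0` and MSAL commit links above are. Since this handler takes the raw `HttpRequest` rather than a bound parameter like the GET handler above, the comment is also the only place to say which form fields the old az cli sends to MSI_ENDPOINT; add that so the two endpoints are documented consistently.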
4 changes: 3 additions & 1 deletion README.md
Expand Up @@ -70,7 +70,9 @@ Then, we must add two environment variables to each service:
With these two environment variables, any service that uses `DefaultAzureCredential` or `ManagedIdentityCredential` will now call the proxy when Azure credentials are needed. This is because one of `ManagedIdentityCredential`'s [source implementations](https://github.com/Azure/azure-sdk-for-net/blob/Azure.Identity_1.6.0/sdk/identity/Azure.Identity/src/AzureArcManagedIdentitySource.cs) explicitly looks for both of these environment variables if they are specified.

> [!NOTE]
> If you are using using `az cli` in your service and your service wants to do `az login --identity` then specify `MSI_ENDPOINT`: the URL of the proxy endpoint (e.g., `http://azclicredsproxy:8080/token`) environment variable instead. `IDENTITY_ENDPOINT` and `IMDS_ENDPOINT` are not required for `az login --identity`.
> If you are using `az cli` in your service and your service wants to do `az login --identity` then:
> For `az cli` version < 2.74: specify `MSI_ENDPOINT`: the URL of the proxy endpoint (e.g., `http://azclicredsproxy:8080/token`) environment variable instead. `IDENTITY_ENDPOINT` and `IMDS_ENDPOINT` are not required for `az login --identity`.
> For `az cli` v2.74 and above: Specify `IDENTITY_ENDPOINT`: the URL of the proxy endpoint (e.g., `http://azclicredsproxy:8080/token`) environment variable instead along with `IDENTITY_HEADER`: an arbitrary but mandatory value (e.g., "random-placeholder").

With this proxy, Dockerfiles can remain untouched and production-ready. The proxy can easily be added to an existing `docker-compose.yml`, and the environment variables are also easy to add. Now, the containerized environment looks like this:

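Review bot: the new NOTE lines will render as one run-on paragraph inside the `[!NOTE]` admonition, because `> For az cli version < 2.74:` and `> For az cli v2.74 and above:` are consecutive quoted lines with no list markers or blank `>` separator; make them `> - For az cli version < 2.74: ...` and `> - For az cli v2.74 and above: ...` bullets. Both bullets say "instead", which is unclear now that the second one asks for IDENTITY_ENDPOINT, the same variable the main text already sets; say explicitly whether IMDS_ENDPOINT is still needed for v2.74 and above, as the first bullet does for the older cli. "an arbitrary but mandatory value" should also say whether the proxy checks the value, otherwise a reader may assume it is an authentication secret. Finally, the unchanged context line links `Azure.Identity_1.6.0` while the Program.cs comment in this same PR links `Azure.Identity_1.8.0`; align the two.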