Id.Web should not use DefaultAzureCredential in production code

[bgavrilMS]

Description

As per https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication/best-practices?tabs=aspdotnet#use-deterministic-credentials-in-production-environments, DefaultAzureCredential (DAC) should not be used in production scenarios. This is based on a PIR. Please read the public doc for to see the scenario where DAC breaks production.

Id.Web uses DAC in production code

microsoft-identity-web/src/Microsoft.Identity.Web.Certificate/KeyVaultCertificateLoader.cs

Line 82 in 9bd5211

DefaultAzureCredential credential = new(options);

Expected behavior

Consider using https://learn.microsoft.com/en-us/aspnet/core/fundamentals/environments?view=aspnetcore-9.0 to determine if the app runs in DEV or in STAGING or PROD. Not sure about ASP.NET Classic. If not possible, we should let the app developer choose.

If production env, we could use only the SP auth (env credential, msi credential, workload cred, FICs). In "dev" scenarios we can continue to use DAC.

[bgavrilMS]

Would need an opinion on how to actually fix this @jmprieur @jennyf19 . If we can use the "environment" concept, I would argue that this is not a breaking change. https://learn.microsoft.com/en-us/aspnet/core/fundamentals/environments?view=aspnetcore-9.0

Otherwise, it could be a breaking change.

[jmprieur]

Needs to be taking with the test buble support