MSAL client type

Confidential

Problem Statement

When client_credential is set to client_assertion, the only acceptable value is a token. However, tokens have a definite validity and as a result, the library as is it not suitable when using dynamic tokens - such as when using workload identities in AKS - because at some point the token becomes expired and a new instance of the Confidential client has to be initiated, which is not straightforward.

Proposed solution

I propose that client_assertion should accept a callback function which is evaluated on demand by the MSAL library, allowing the user-supplied function to retrieve a custom token.

This feature is already available in the .NET and JS versions of this library.