[Feature Request] MicrosoftIdentityOptions and DefaultCertificateLoader should support user assigned managed identity

[jmprieur]

Is your feature request related to a problem? Please describe.
Currently, DefaultCertificateLoader only supports system assigned managed identities, whereas customers and partners also need it to support user assigned managed identity

Describe the solution you'd like
Have a new property named UserAssignedManagedIdentityClientId in MicrosoftIdentityOptions so that developers can provide the user assigned managed identity client ID.

public class MicrosoftIdentityOptions
{
 // Previous properties

 /// <summary>
 /// Used, when deployed to Azure, to specify explicitly a user assigned managed identity.
 /// See https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.
 /// </summary>
 string? UserAssignedManagedIdentityClientId {get;set;}
}

For customers using ASP.NET (not core), and therefore directly the DefaultCertificateLoader, also expose it as a static public member of DefaultCertificateLoader

Additional context

[admsteck]

The LoadFromKeyVault method of DefaultCertificateLoader needs both certificate and secret permissions in key vault. In our use case it would be beneficial if different client ids could be provided for the certificate client and secret client used within the LoadFromKeyVault method.

[jmprieur]

@admsteck : do you want to provide a PR that we could examine?

[jmprieur]

PR is #1008

[jmprieur]

Wei replied this would be nice to have it to allow customers to pass user assigned MSI clientId from the code instead of changing App service settings,