1//go:build go1.18
2// +build go1.18
3
4// Copyright (c) Microsoft Corporation. All rights reserved.
5// Licensed under the MIT License.
6
7package azidentity
8
9import (
10 "context"
11 "errors"
12
13 "github.com/Azure/azure-sdk-for-go/sdk/azcore"
14 "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
15 "github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
16 "github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
17)
18
19const credNameAssertion = "ClientAssertionCredential"
20
21// ClientAssertionCredential authenticates an application with assertions provided by a callback function.
22// This credential is for advanced scenarios. [ClientCertificateCredential] has a more convenient API for
23// the most common assertion scenario, authenticating a service principal with a certificate. See
24// [Microsoft Entra ID documentation] for details of the assertion format.
25//
26// [Microsoft Entra ID documentation]: https://learn.microsoft.com/entra/identity-platform/certificate-credentials#assertion-format
27type ClientAssertionCredential struct {
28 client *confidentialClient
29}
30
31// ClientAssertionCredentialOptions contains optional parameters for ClientAssertionCredential.
32type ClientAssertionCredentialOptions struct {
33 azcore.ClientOptions
34
35 // AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
36 // Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the
37 // application is registered.
38 AdditionallyAllowedTenants []string
39
40 // DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
41 // private clouds such as Azure Stack. It determines whether the credential requests Microsoft Entra instance metadata
42 // from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
43 // the application responsible for ensuring the configured authority is valid and trustworthy.
44 DisableInstanceDiscovery bool
45
46 // tokenCachePersistenceOptions enables persistent token caching when not nil.
47 tokenCachePersistenceOptions *tokenCachePersistenceOptions
48}
49
50// NewClientAssertionCredential constructs a ClientAssertionCredential. The getAssertion function must be thread safe. Pass nil for options to accept defaults.
51func NewClientAssertionCredential(tenantID, clientID string, getAssertion func(context.Context) (string, error), options *ClientAssertionCredentialOptions) (*ClientAssertionCredential, error) {
52 if getAssertion == nil {
53 return nil, errors.New("getAssertion must be a function that returns assertions")
54 }
55 if options == nil {
56 options = &ClientAssertionCredentialOptions{}
57 }
58 cred := confidential.NewCredFromAssertionCallback(
59 func(ctx context.Context, _ confidential.AssertionRequestOptions) (string, error) {
60 return getAssertion(ctx)
61 },
62 )
63 msalOpts := confidentialClientOptions{
64 AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
65 ClientOptions: options.ClientOptions,
66 DisableInstanceDiscovery: options.DisableInstanceDiscovery,
67 tokenCachePersistenceOptions: options.tokenCachePersistenceOptions,
68 }
69 c, err := newConfidentialClient(tenantID, clientID, credNameAssertion, cred, msalOpts)
70 if err != nil {
71 return nil, err
72 }
73 return &ClientAssertionCredential{client: c}, nil
74}
75
76// GetToken requests an access token from Microsoft Entra ID. This method is called automatically by Azure SDK clients.
77func (c *ClientAssertionCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
78 var err error
79 ctx, endSpan := runtime.StartSpan(ctx, credNameAssertion+"."+traceOpGetToken, c.client.azClient.Tracer(), nil)
80 defer func() { endSpan(err) }()
81 tk, err := c.client.GetToken(ctx, opts)
82 return tk, err
83}
84
85var _ azcore.TokenCredential = (*ClientAssertionCredential)(nil)