CHANGELOG.md

# Release History

## 1.7.0 (2024-06-20)

### Features Added
* `AzurePipelinesCredential` authenticates an Azure Pipelines service connection with
  workload identity federation

### Breaking Changes
> These changes affect only code written against a beta version such as v1.7.0-beta.1
* Removed the persistent token caching API. It will return in v1.8.0-beta.1

## 1.7.0-beta.1 (2024-06-10)

### Features Added
* Restored `AzurePipelinesCredential` and persistent token caching API

### Breaking Changes
> These changes affect only code written against a beta version such as v1.6.0-beta.4
* Values which `NewAzurePipelinesCredential` read from environment variables in
  prior versions are now parameters
* Renamed `AzurePipelinesServiceConnectionCredentialOptions` to `AzurePipelinesCredentialOptions`

### Bugs Fixed
* Managed identity bug fixes

## 1.6.0 (2024-06-10)

### Features Added
* `NewOnBehalfOfCredentialWithClientAssertions` creates an on-behalf-of credential
  that authenticates with client assertions such as federated credentials

### Breaking Changes
> These changes affect only code written against a beta version such as v1.6.0-beta.4
* Removed `AzurePipelinesCredential` and the persistent token caching API.
  They will return in v1.7.0-beta.1

### Bugs Fixed
* Managed identity bug fixes

## 1.6.0-beta.4 (2024-05-14)

### Features Added
* `AzurePipelinesCredential` authenticates an Azure Pipelines service connection with
  workload identity federation

## 1.6.0-beta.3 (2024-04-09)

### Breaking Changes
* `DefaultAzureCredential` now sends a probe request with no retries for IMDS managed identity
  environments to avoid excessive retry delays when the IMDS endpoint is not available. This
  should improve credential chain resolution for local development scenarios.

### Bugs Fixed
* `ManagedIdentityCredential` now specifies resource IDs correctly for Azure Container Instances

## 1.5.2 (2024-04-09)

### Bugs Fixed
* `ManagedIdentityCredential` now specifies resource IDs correctly for Azure Container Instances

### Other Changes
* Restored v1.4.0 error behavior for empty tenant IDs
* Upgraded dependencies

## 1.6.0-beta.2 (2024-02-06)

### Breaking Changes
> These changes affect only code written against a beta version such as v1.6.0-beta.1
* Replaced `ErrAuthenticationRequired` with `AuthenticationRequiredError`, a struct
  type that carries the `TokenRequestOptions` passed to the `GetToken` call which
  returned the error.

### Bugs Fixed
* Fixed more cases in which credential chains like `DefaultAzureCredential`
  should try their next credential after attempting managed identity
  authentication in a Docker Desktop container

### Other Changes
* `AzureCLICredential` uses the CLI's `expires_on` value for token expiration

## 1.6.0-beta.1 (2024-01-17)

### Features Added
* Restored persistent token caching API first added in v1.5.0-beta.1
* Added `AzureCLICredentialOptions.Subscription`

## 1.5.1 (2024-01-17)

### Bugs Fixed
* `InteractiveBrowserCredential` handles `AdditionallyAllowedTenants` correctly

## 1.5.0 (2024-01-16)

### Breaking Changes
> These changes affect only code written against a beta version such as v1.5.0-beta.1
* Removed persistent token caching. It will return in v1.6.0-beta.1

### Bugs Fixed
* Credentials now preserve MSAL headers e.g. X-Client-Sku

### Other Changes
* Upgraded dependencies

## 1.5.0-beta.2 (2023-11-07)

### Features Added
* `DefaultAzureCredential` and `ManagedIdentityCredential` support Azure ML managed identity
* Added spans for distributed tracing.

## 1.5.0-beta.1 (2023-10-10)

### Features Added
* Optional persistent token caching for most credentials. Set `TokenCachePersistenceOptions`
  on a credential's options to enable and configure this. See the package documentation for
  this version and [TOKEN_CACHING.md](https://aka.ms/azsdk/go/identity/caching) for more
  details.
* `AzureDeveloperCLICredential` authenticates with the Azure Developer CLI (`azd`). This
  credential is also part of the `DefaultAzureCredential` authentication flow.

## 1.4.0 (2023-10-10)

### Bugs Fixed
* `ManagedIdentityCredential` will now retry when IMDS responds 410 or 503

## 1.4.0-beta.5 (2023-09-12)

### Features Added
* Service principal credentials can request CAE tokens

### Breaking Changes
> These changes affect only code written against a beta version such as v1.4.0-beta.4
* Whether `GetToken` requests a CAE token is now determined by `TokenRequestOptions.EnableCAE`. Azure
  SDK clients which support CAE will set this option automatically. Credentials no longer request CAE
  tokens by default or observe the environment variable "AZURE_IDENTITY_DISABLE_CP1".

### Bugs Fixed
* Credential chains such as `DefaultAzureCredential` now try their next credential, if any, when
  managed identity authentication fails in a Docker Desktop container
  ([#21417](https://github.com/Azure/azure-sdk-for-go/issues/21417))

## 1.4.0-beta.4 (2023-08-16)

### Other Changes
* Upgraded dependencies

## 1.3.1 (2023-08-16)

### Other Changes
* Upgraded dependencies

## 1.4.0-beta.3 (2023-08-08)

### Bugs Fixed
* One invocation of `AzureCLICredential.GetToken()` and `OnBehalfOfCredential.GetToken()`
  can no longer make two authentication attempts

## 1.4.0-beta.2 (2023-07-14)

### Other Changes
* `DefaultAzureCredentialOptions.TenantID` applies to workload identity authentication
* Upgraded dependencies

## 1.4.0-beta.1 (2023-06-06)

### Other Changes
* Re-enabled CAE support as in v1.3.0-beta.3

## 1.3.0 (2023-05-09)

### Breaking Changes
> These changes affect only code written against a beta version such as v1.3.0-beta.5
* Renamed `NewOnBehalfOfCredentialFromCertificate` to `NewOnBehalfOfCredentialWithCertificate`
* Renamed `NewOnBehalfOfCredentialFromSecret` to `NewOnBehalfOfCredentialWithSecret`

### Other Changes
* Upgraded to MSAL v1.0.0

## 1.3.0-beta.5 (2023-04-11)

### Breaking Changes
> These changes affect only code written against a beta version such as v1.3.0-beta.4
* Moved `NewWorkloadIdentityCredential()` parameters into `WorkloadIdentityCredentialOptions`.
  The constructor now reads default configuration from environment variables set by the Azure
  workload identity webhook by default.
  ([#20478](https://github.com/Azure/azure-sdk-for-go/pull/20478))
* Removed CAE support. It will return in v1.4.0-beta.1
  ([#20479](https://github.com/Azure/azure-sdk-for-go/pull/20479))

### Bugs Fixed
* Fixed an issue in `DefaultAzureCredential` that could cause the managed identity endpoint check to fail in rare circumstances.

## 1.3.0-beta.4 (2023-03-08)

### Features Added
* Added `WorkloadIdentityCredentialOptions.AdditionallyAllowedTenants` and `.DisableInstanceDiscovery`

### Bugs Fixed
* Credentials now synchronize within `GetToken()` so a single instance can be shared among goroutines
  ([#20044](https://github.com/Azure/azure-sdk-for-go/issues/20044))

### Other Changes
* Upgraded dependencies

## 1.2.2 (2023-03-07)

### Other Changes
* Upgraded dependencies

## 1.3.0-beta.3 (2023-02-07)

### Features Added
* By default, credentials set client capability "CP1" to enable support for
  [Continuous Access Evaluation (CAE)](https://learn.microsoft.com/entra/identity-platform/app-resilience-continuous-access-evaluation).
  This indicates to Microsoft Entra ID that your application can handle CAE claims challenges.
  You can disable this behavior by setting the environment variable "AZURE_IDENTITY_DISABLE_CP1" to "true".
* `InteractiveBrowserCredentialOptions.LoginHint` enables pre-populating the login
  prompt with a username ([#15599](https://github.com/Azure/azure-sdk-for-go/pull/15599))
* Service principal and user credentials support ADFS authentication on Azure Stack.
  Specify "adfs" as the credential's tenant.
* Applications running in private or disconnected clouds can prevent credentials from
  requesting Microsoft Entra instance metadata by setting the `DisableInstanceDiscovery`
  field on credential options.
* Many credentials can now be configured to authenticate in multiple tenants. The
  options types for these credentials have an `AdditionallyAllowedTenants` field
  that specifies additional tenants in which the credential may authenticate.

## 1.3.0-beta.2 (2023-01-10)

### Features Added
* Added `OnBehalfOfCredential` to support the on-behalf-of flow
  ([#16642](https://github.com/Azure/azure-sdk-for-go/issues/16642))

### Bugs Fixed
* `AzureCLICredential` reports token expiration in local time (should be UTC)

### Other Changes
* `AzureCLICredential` imposes its default timeout only when the `Context`
  passed to `GetToken()` has no deadline
* Added `NewCredentialUnavailableError()`. This function constructs an error indicating
  a credential can't authenticate and an encompassing `ChainedTokenCredential` should
  try its next credential, if any.

## 1.3.0-beta.1 (2022-12-13)

### Features Added
* `WorkloadIdentityCredential` and `DefaultAzureCredential` support
  Workload Identity Federation on Kubernetes. `DefaultAzureCredential`
  support requires environment variable configuration as set by the
  Workload Identity webhook.
  ([#15615](https://github.com/Azure/azure-sdk-for-go/issues/15615))

## 1.2.0 (2022-11-08)

### Other Changes
* This version includes all fixes and features from 1.2.0-beta.*

## 1.2.0-beta.3 (2022-10-11)

### Features Added
* `ManagedIdentityCredential` caches tokens in memory

### Bugs Fixed
* `ClientCertificateCredential` sends only the leaf cert for SNI authentication

## 1.2.0-beta.2 (2022-08-10)

### Features Added
* Added `ClientAssertionCredential` to enable applications to authenticate
  with custom client assertions

### Other Changes
* Updated `AuthenticationFailedError` with links to TROUBLESHOOTING.md for relevant errors
* Upgraded `microsoft-authentication-library-for-go` requirement to v0.6.0

## 1.2.0-beta.1 (2022-06-07)

### Features Added
* `EnvironmentCredential` reads certificate passwords from `AZURE_CLIENT_CERTIFICATE_PASSWORD`
  ([#17099](https://github.com/Azure/azure-sdk-for-go/pull/17099))

## 1.1.0 (2022-06-07)

### Features Added
* `ClientCertificateCredential` and `ClientSecretCredential` support ESTS-R. First-party
  applications can set environment variable `AZURE_REGIONAL_AUTHORITY_NAME` with a
  region name.
  ([#15605](https://github.com/Azure/azure-sdk-for-go/issues/15605))

## 1.0.1 (2022-06-07)

### Other Changes
* Upgrade `microsoft-authentication-library-for-go` requirement to v0.5.1
  ([#18176](https://github.com/Azure/azure-sdk-for-go/issues/18176))

## 1.0.0 (2022-05-12)

### Features Added
* `DefaultAzureCredential` reads environment variable `AZURE_CLIENT_ID` for the
  client ID of a user-assigned managed identity
  ([#17293](https://github.com/Azure/azure-sdk-for-go/pull/17293))

### Breaking Changes
* Removed `AuthorizationCodeCredential`. Use `InteractiveBrowserCredential` instead
  to authenticate a user with the authorization code flow.
* Instances of `AuthenticationFailedError` are now returned by pointer.
* `GetToken()` returns `azcore.AccessToken` by value

### Bugs Fixed
* `AzureCLICredential` panics after receiving an unexpected error type
  ([#17490](https://github.com/Azure/azure-sdk-for-go/issues/17490))

### Other Changes
* `GetToken()` returns an error when the caller specifies no scope
* Updated to the latest versions of `golang.org/x/crypto`, `azcore` and `internal`

## 0.14.0 (2022-04-05)

### Breaking Changes
* This module now requires Go 1.18
* Removed `AuthorityHost`. Credentials are now configured for sovereign or private
  clouds with the API in `azcore/cloud`, for example:
  ```go
  // before
  opts := azidentity.ClientSecretCredentialOptions{AuthorityHost: azidentity.AzureGovernment}
  cred, err := azidentity.NewClientSecretCredential(tenantID, clientID, secret, &opts)

  // after
  import "github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"

  opts := azidentity.ClientSecretCredentialOptions{}
  opts.Cloud = cloud.AzureGovernment
  cred, err := azidentity.NewClientSecretCredential(tenantID, clientID, secret, &opts)
  ```

## 0.13.2 (2022-03-08)

### Bugs Fixed
* Prevented a data race in `DefaultAzureCredential` and `ChainedTokenCredential`
  ([#17144](https://github.com/Azure/azure-sdk-for-go/issues/17144))

### Other Changes
* Upgraded App Service managed identity version from 2017-09-01 to 2019-08-01
  ([#17086](https://github.com/Azure/azure-sdk-for-go/pull/17086))

## 0.13.1 (2022-02-08)

### Features Added
* `EnvironmentCredential` supports certificate SNI authentication when
  `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN` is "true".
  ([#16851](https://github.com/Azure/azure-sdk-for-go/pull/16851))

### Bugs Fixed
* `ManagedIdentityCredential.GetToken()` now returns an error when configured for
  a user assigned identity in Azure Cloud Shell (which doesn't support such identities)
  ([#16946](https://github.com/Azure/azure-sdk-for-go/pull/16946))

### Other Changes
* `NewDefaultAzureCredential()` logs non-fatal errors. These errors are also included in the
  error returned by `DefaultAzureCredential.GetToken()` when it's unable to acquire a token
  from any source. ([#15923](https://github.com/Azure/azure-sdk-for-go/issues/15923))

## 0.13.0 (2022-01-11)

### Breaking Changes
* Replaced `AuthenticationFailedError.RawResponse()` with a field having the same name
* Unexported `CredentialUnavailableError`
* Instances of `ChainedTokenCredential` will now skip looping through the list of source credentials and re-use the first successful credential on subsequent calls to `GetToken`.
  * If `ChainedTokenCredentialOptions.RetrySources` is true, `ChainedTokenCredential` will continue to try all of the originally provided credentials each time the `GetToken` method is called.
  * `ChainedTokenCredential.successfulCredential` will contain a reference to the last successful credential.
  * `DefaultAzureCredential` will also re-use the first successful credential on subsequent calls to `GetToken`.
  * `DefaultAzureCredential.chain.successfulCredential` will also contain a reference to the last successful credential.

### Other Changes
* `ManagedIdentityCredential` no longer probes IMDS before requesting a token
  from it. Also, an error response from IMDS no longer disables a credential
  instance. Following an error, a credential instance will continue to send
  requests to IMDS as necessary.
* Adopted MSAL for user and service principal authentication
* Updated `azcore` requirement to 0.21.0

## 0.12.0 (2021-11-02)
### Breaking Changes
* Raised minimum Go version to 1.16
* Removed `NewAuthenticationPolicy()` from credentials. Clients should instead use azcore's
  `runtime.NewBearerTokenPolicy()` to construct a bearer token authorization policy.
* The `AuthorityHost` field in credential options structs is now a custom type,
  `AuthorityHost`, with underlying type `string`
* `NewChainedTokenCredential` has a new signature to accommodate a placeholder
  options struct:
  ```go
  // before
  cred, err := NewChainedTokenCredential(credA, credB)

  // after
  cred, err := NewChainedTokenCredential([]azcore.TokenCredential{credA, credB}, nil)
  ```
* Removed `ExcludeAzureCLICredential`, `ExcludeEnvironmentCredential`, and `ExcludeMSICredential`
  from `DefaultAzureCredentialOptions`
* `NewClientCertificateCredential` requires a `[]*x509.Certificate` and `crypto.PrivateKey` instead of
  a path to a certificate file. Added `ParseCertificates` to simplify getting these in common cases:
  ```go
  // before
  cred, err := NewClientCertificateCredential("tenant", "client-id", "/cert.pem", nil)

  // after
  certData, err := os.ReadFile("/cert.pem")
  certs, key, err := ParseCertificates(certData, password)
  cred, err := NewClientCertificateCredential(tenantID, clientID, certs, key, nil)
  ```
* Removed `InteractiveBrowserCredentialOptions.ClientSecret` and `.Port`
* Removed `AADAuthenticationFailedError`
* Removed `id` parameter of `NewManagedIdentityCredential()`. User assigned identities are now
  specified by `ManagedIdentityCredentialOptions.ID`:
  ```go
  // before
  cred, err := NewManagedIdentityCredential("client-id", nil)
  // or, for a resource ID
  opts := &ManagedIdentityCredentialOptions{ID: ResourceID}
  cred, err := NewManagedIdentityCredential("/subscriptions/...", opts)

  // after
  clientID := ClientID("7cf7db0d-...")
  opts := &ManagedIdentityCredentialOptions{ID: clientID}
  // or, for a resource ID
  resID := ResourceID("/subscriptions/...")
  opts := &ManagedIdentityCredentialOptions{ID: resID}
  cred, err := NewManagedIdentityCredential(opts)
  ```
* `DeviceCodeCredentialOptions.UserPrompt` has a new type: `func(context.Context, DeviceCodeMessage) error`
* Credential options structs now embed `azcore.ClientOptions`. In addition to changing literal initialization
  syntax, this change renames `HTTPClient` fields to `Transport`.
* Renamed `LogCredential` to `EventCredential`
* `AzureCLICredential` no longer reads the environment variable `AZURE_CLI_PATH`
* `NewManagedIdentityCredential` no longer reads environment variables `AZURE_CLIENT_ID` and
  `AZURE_RESOURCE_ID`. Use `ManagedIdentityCredentialOptions.ID` instead.
* Unexported `AuthenticationFailedError` and `CredentialUnavailableError` structs. In their place are two
  interfaces having the same names.

### Bugs Fixed
* `AzureCLICredential.GetToken` no longer mutates its `opts.Scopes`

### Features Added
* Added connection configuration options to `DefaultAzureCredentialOptions`
* `AuthenticationFailedError.RawResponse()` returns the HTTP response motivating the error,
  if available

### Other Changes
* `NewDefaultAzureCredential()` returns `*DefaultAzureCredential` instead of `*ChainedTokenCredential`
* Added `TenantID` field to `DefaultAzureCredentialOptions` and `AzureCLICredentialOptions`

## 0.11.0 (2021-09-08)
### Breaking Changes
* Unexported `AzureCLICredentialOptions.TokenProvider` and its type,
  `AzureCLITokenProvider`

### Bugs Fixed
* `ManagedIdentityCredential.GetToken` returns `CredentialUnavailableError`
  when IMDS has no assigned identity, signaling `DefaultAzureCredential` to
  try other credentials

## 0.10.0 (2021-08-30)
### Breaking Changes
* Update based on `azcore` refactor [#15383](https://github.com/Azure/azure-sdk-for-go/pull/15383)

## 0.9.3 (2021-08-20)

### Bugs Fixed
* `ManagedIdentityCredential.GetToken` no longer mutates its `opts.Scopes`

### Other Changes
* Bumps version of `azcore` to `v0.18.1`

## 0.9.2 (2021-07-23)
### Features Added
* Adding support for Service Fabric environment in `ManagedIdentityCredential`
* Adding an option for using a resource ID instead of client ID in `ManagedIdentityCredential`

## 0.9.1 (2021-05-24)
### Features Added
* Add LICENSE.txt and bump version information

## 0.9.0 (2021-05-21)
### Features Added
* Add support for authenticating in Azure Stack environments
* Enable user assigned identities for the IMDS scenario in `ManagedIdentityCredential`
* Add scope to resource conversion in `GetToken()` on `ManagedIdentityCredential`

## 0.8.0 (2021-01-20)
### Features Added
* Updating documentation

## 0.7.1 (2021-01-04)
### Features Added
* Adding port option to `InteractiveBrowserCredential`

## 0.7.0 (2020-12-11)
### Features Added
* Add `redirectURI` parameter back to authentication code flow

## 0.6.1 (2020-12-09)
### Features Added
* Updating query parameter in `ManagedIdentityCredential` and updating datetime string for parsing managed identity access tokens.

## 0.6.0 (2020-11-16)
### Features Added
* Remove `RedirectURL` parameter from auth code flow to align with the MSAL implementation which relies on the native client redirect URL.

## 0.5.0 (2020-10-30)
### Features Added
* Flattening credential options

## 0.4.3 (2020-10-21)
### Features Added
* Adding Azure Arc support in `ManagedIdentityCredential`

## 0.4.2 (2020-10-16)
### Features Added
* Typo fixes

## 0.4.1 (2020-10-16)
### Features Added
* Ensure authority hosts are only HTTPS

## 0.4.0 (2020-10-16)
### Features Added
* Adding options structs for credentials

## 0.3.0 (2020-10-09)
### Features Added
* Update `DeviceCodeCredential` callback

## 0.2.2 (2020-10-09)
### Features Added
* Add `AuthorizationCodeCredential`

## 0.2.1 (2020-10-06)
### Features Added
* Add `InteractiveBrowserCredential`

## 0.2.0 (2020-09-11)
### Features Added
* Refactor `azidentity` on top of `azcore` refactor
* Updated policies to conform to `policy.Policy` interface changes.
* Updated non-retriable errors to conform to `azcore.NonRetriableError`.
* Fixed calls to `Request.SetBody()` to include content type.
* Switched endpoints to string types and removed extra parsing code.

## 0.1.1 (2020-09-02)
### Features Added
* Add `AzureCLICredential` to `DefaultAzureCredential` chain

## 0.1.0 (2020-07-23)
### Features Added
* Initial Release. Azure Identity library that provides Microsoft Entra token authentication support for the SDK.