private async ValueTask <AccessToken> GetTokenImplAsync(bool async, TokenRequestContext requestContext, CancellationToken cancellationToken)
{
using CredentialDiagnosticScope scope = _pipeline.StartGetTokenScope("EnvironmentCredential.GetToken", requestContext);
if (_credential is null)
{
throw scope.Failed(new CredentialUnavailableException(UnavailbleErrorMessage));
}
try
{
AccessToken token = async
? await _credential.GetTokenAsync(requestContext, cancellationToken).ConfigureAwait(false)
: _credential.GetToken(requestContext, cancellationToken);
return(scope.Succeeded(token));
}
catch (OperationCanceledException e)
{
scope.Failed(e);
throw;
}
catch (Exception e)
{
throw scope.FailAndWrap(e);
}
}
/// <inheritdoc />
private async ValueTask ProcessAsync(HttpMessage message, ReadOnlyMemory <HttpPipelinePolicy> pipeline, bool async)
{
if (message.Request.Uri.Scheme != Uri.UriSchemeHttps)
{
throw new InvalidOperationException("Bearer token authentication is not permitted for non TLS protected (https) endpoints.");
}
if (DateTimeOffset.UtcNow >= _refreshOn)
{
AccessToken token = async ?
await _credential.GetTokenAsync(new TokenRequestContext(_scopes, message.Request.ClientRequestId), message.CancellationToken).ConfigureAwait(false) :
_credential.GetToken(new TokenRequestContext(_scopes, message.Request.ClientRequestId), message.CancellationToken);
_headerValue = "Bearer " + token.Token;
_refreshOn = token.ExpiresOn - TimeSpan.FromMinutes(2);
}
if (_headerValue != null)
{
message.Request.SetHeader(HttpHeader.Names.Authorization, _headerValue);
}
if (async)
{
await ProcessNextAsync(message, pipeline).ConfigureAwait(false);
}
else
{
ProcessNext(message, pipeline);
}
}
private ExtendedAccessToken GetTokenImpl(TokenRequestContext requestContext, CancellationToken cancellationToken)
{
using CredentialDiagnosticScope scope = _pipeline.StartGetTokenScope("Azure.Identity.EnvironmentCredential.GetToken", requestContext);
if (_credential is null)
{
return(new ExtendedAccessToken(scope.Failed(new CredentialUnavailableException(_unavailbleErrorMessage))));
}
try
{
AccessToken token = _credential.GetToken(requestContext, cancellationToken);
return(new ExtendedAccessToken(scope.Succeeded(token)));
}
catch (OperationCanceledException e)
{
scope.Failed(e);
throw;
}
catch (Exception e)
{
return(new ExtendedAccessToken(scope.Failed(e)));
}
}
public async ValueTask ProcessAsync(HttpPipelineMessage message, ReadOnlyMemory <HttpPipelinePolicy> pipeline, bool async)
{
if (DateTimeOffset.UtcNow >= _refreshOn)
{
AccessToken token = async ?
await _credential.GetTokenAsync(new TokenRequest(_scopes), message.CancellationToken).ConfigureAwait(false) :
_credential.GetToken(new TokenRequest(_scopes), message.CancellationToken);
_headerValue = "Bearer " + token.Token;
_refreshOn = token.ExpiresOn - TimeSpan.FromMinutes(2);
}
if (_headerValue != null)
{
message.Request.SetHeader(HttpHeader.Names.Authorization, _headerValue);
}
if (async)
{
await ProcessNextAsync(message, pipeline).ConfigureAwait(false);
}
else
{
ProcessNext(message, pipeline);
}
}
public void CreateGetTokenCallsDelegate(TokenCredential credential)
{
AccessToken actualToken = credential.GetToken(new TokenRequestContext(scopes), ctx);
Assert.AreEqual(expectedToken, actualToken.Token);
Assert.AreEqual(expires, actualToken.ExpiresOn);
}
public AccessTokenResponse GetAccessToken(string[] scopes, bool forceRefresh = false)
{
_log.LogInformation($"Getting token via {_cred.GetType()} for {string.Join(',', scopes)}");
var b = _cred.GetToken(new Azure.Core.TokenRequestContext(scopes), CancellationToken.None);
var resource = ScopeUtil.GetResourceFromScope(scopes);
return(new AccessTokenResponse(resource, b.Token, b.ExpiresOn));
}
public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
{
if (credential is null)
{
throw new CredentialUnavailableException("No configured Azure Identity options.");
}
return(credential.GetToken(requestContext, cancellationToken));
}
private void Renew()
{
if (IsNearExpiration())
{
var token = TokenCredential.GetToken(TokenRequestContext, default(CancellationToken));
AccessToken = token.Token;
ExpiresOn = token.ExpiresOn;
}
}
private async Task AddHeaders(HttpMessage message, bool async)
{
using var cts = new CancellationTokenSource(_getTokenTimeout);
AccessToken token = async
? await _credential.GetTokenAsync(new TokenRequestContext(), cts.Token).ConfigureAwait(false)
: _credential.GetToken(new TokenRequestContext(), cts.Token);
message.Request.Headers.Add(HttpHeader.Names.Authorization, token.Token);
}
private string GetAccessToken()
{
if (CachedTokenIsValid())
{
return(_cachedToken.Token);
}
_cachedToken = _tokenCredential.GetToken(new TokenRequestContext(Scopes), default);
return(_cachedToken.Token);
}
private static async ValueTask <AccessToken> GetTokenFromCredentialAsync(TokenCredential credential, TokenRequestContext requestContext, bool async, CancellationToken cancellationToken)
{
try
{
return(async
? await credential.GetTokenAsync(requestContext, cancellationToken).ConfigureAwait(false)
: credential.GetToken(requestContext, cancellationToken));
}
catch (Exception e) when(!(e is CredentialUnavailableException))
{
throw new AuthenticationFailedException(UnhandledExceptionMessage, e);
}
}
/// <summary>
/// Configures the RestSharp RestClient.
/// </summary>
private void ConfigureRestClient()
{
if (!isConfigured)
{
Exception exceptionInLock = null;
lock (configLock)
{
if (!isConfigured)
{
try
{
var amsAccessToken = _tokenCredential.GetToken(
new TokenRequestContext(
scopes: new[] { "https://rest.media.azure.net/.default" },
parentRequestId: null),
default);
_restClient.Authenticator = new JwtAuthenticator(amsAccessToken.Token);
_restClient.UseNewtonsoftJson(
new Newtonsoft.Json.JsonSerializerSettings()
{
ContractResolver = new DefaultContractResolver(),
});
_restClient.AddDefaultHeader("Content-Type", $"{ContentType.Json};odata=verbose");
_restClient.AddDefaultHeader("Accept", $"{ContentType.Json};odata=verbose");
_restClient.AddDefaultHeader("DataServiceVersion", "3.0");
_restClient.AddDefaultHeader("MaxDataServiceVersion", "3.0");
_restClient.AddDefaultHeader("x-ms-version", "2.19");
}
catch (Exception e)
{
exceptionInLock = e;
_log.LogError(e, $"Failed to {nameof(ConfigureRestClient)}");
}
finally
{
isConfigured = true;
}
}
}
if (exceptionInLock != null)
{
throw exceptionInLock;
}
}
return;
}
public override string GetAuthorizationHeader()
{
lock (_tokenLock)
{
// A new token is generated if it is the first time or the cached token is close to expiry.
if (!_cachedAccessToken.HasValue ||
TokenHelper.IsCloseToExpiry(_cachedAccessToken.Value.ExpiresOn))
{
_cachedAccessToken = _credential.GetToken(
new TokenRequestContext(CommonConstants.IotHubAadTokenScopes),
new CancellationToken());
}
}
return($"Bearer {_cachedAccessToken.Value.Token}");
}
/// <summary> Gets the rank processor initiated with live model to use </summary>
internal virtual RlNetProcessor GetConfigurationForRankProcessor(CancellationToken cancellationToken = default)
{
Configuration config = new Configuration();
// set up the model
if (azureKeyCredential != null)
{
config["http.api.key"] = azureKeyCredential.Key;
}
else if (tokenCredential != null)
{
var tokenRequestContext = new TokenRequestContext(scopes);
AccessToken token = tokenCredential.GetToken(tokenRequestContext, cancellationToken);
config["http.api.key"] = "Bearer " + token.Token;
config["http.api.header.key.name"] = "Authorization";
tokenExpiry = token.ExpiresOn;
}
else
{
throw new ApplicationException("PersonalizerClient is neither initalized with Token Credential nor with AzureKey Credential");
}
personalizerServiceProperties = ServiceConfigurationRestClient.Get(cancellationToken);
personalizerPolicy = PolicyRestClient.Get(cancellationToken);
//interactions & observations
config["interaction.http.api.host"] = stringEndpoint + "personalizer/v1.1-preview.3/logs/interactions";
config["observation.http.api.host"] = stringEndpoint + "personalizer/v1.1-preview.3/logs/observations";
config["interaction.sender.implementation"] = "INTERACTION_HTTP_API_SENDER";
config["observation.sender.implementation"] = "OBSERVATION_HTTP_API_SENDER";
config["interaction.subsample.rate"] = Convert.ToString(this.subsampleRate, CultureInfo.InvariantCulture);
config["observation.subsample.rate"] = Convert.ToString(this.subsampleRate, CultureInfo.InvariantCulture);
//model
config["model.blob.uri"] = stringEndpoint + "personalizer/v1.1-preview.3/model";
config["model.source"] = "HTTP_MODEL_DATA";
config["model.vw.initial_command_line"] = personalizerPolicy.Arguments;
config["protocol.version"] = "2";
config["initial_exploration.epsilon"] = Convert.ToString(personalizerServiceProperties.ExplorationPercentage, CultureInfo.InvariantCulture);
config["rank.learning.mode"] = Convert.ToString(personalizerServiceProperties.LearningMode, CultureInfo.InvariantCulture);
LiveModel liveModel = new LiveModel(config);
liveModel.Init();
LiveModelBase liveModelAdapter = new LiveModelAdapter(liveModel);
liveModelLastRefresh = DateTimeOffset.UtcNow;
return(new RlNetProcessor(liveModelAdapter));
}
public override InterceptionResult ConnectionOpening(
DbConnection connection,
ConnectionEventData eventData,
InterceptionResult result)
{
var sqlConnection = (SqlConnection)connection;
if (DoesConnectionNeedAccessToken(sqlConnection))
{
var tokenRequestContext = new TokenRequestContext(_azureSqlScopes);
var token = _credential.GetToken(tokenRequestContext, default);
sqlConnection.AccessToken = token.Token;
}
return(base.ConnectionOpening(connection, eventData, result));
}
// The HTTP protocol uses this method to get the bearer token for authentication.
public override string GetAuthorizationHeader()
{
#if NET451
throw new InvalidOperationException($"TokenCredential is not supported on NET451");
#else
lock (_tokenLock)
{
// A new token is generated if it is the first time or the cached token is close to expiry.
if (!_cachedAccessToken.HasValue ||
TokenHelper.IsCloseToExpiry(_cachedAccessToken.Value.ExpiresOn))
{
_cachedAccessToken = _credential.GetToken(
new TokenRequestContext(CommonConstants.IotHubAadTokenScopes),
new CancellationToken());
}
}
return($"{TokenType} {_cachedAccessToken.Value.Token}");
#endif
}
private string GetAccessToken()
{
_semaphoreToken.Wait();
try
{
//If the Token has more than 5 minutes Validity
if (DateTime.UtcNow.AddMinutes(_cacheLifeTime) <= _token.ExpiresOn.UtcDateTime)
{
return(_token.Token);
}
var tokenRequestContext = new TokenRequestContext(_azureSqlScopes);
var token = _credential.GetToken(tokenRequestContext, CancellationToken.None);
_token = token;
return(token.Token);
}
finally
{
_semaphoreToken.Release();
}
}
public async Task ProcessAsync(HttpPipelineMessage message, ReadOnlyMemory <HttpPipelinePolicy> pipeline, bool async)
{
string token = async ?
await _credential.GetTokenAsync(_scopes, message.Cancellation).ConfigureAwait(false) :
_credential.GetToken(_scopes, message.Cancellation);
if (token != _currentToken)
{
// Avoid per request allocations
_currentToken = token;
_headerValue = "Bearer " + token;
}
message.Request.SetHeader(HttpHeader.Names.Authorization, _headerValue);
if (async)
{
await ProcessNextAsync(pipeline, message);
}
else
{
ProcessNext(pipeline, message);
}
}
/// <summary>
/// This should be called before any call to <see cref="IRestClient"/>,
/// it sets up the auth token and default headers per the AMS V2 API specification.
/// </summary>
private void ConfigureRestClient()
{
var amsAccessToken = _tokenCredential.GetToken(
new TokenRequestContext(
scopes: new[] { "https://rest.media.azure.net/.default" },
parentRequestId: null),
default);
_restClient.Authenticator = new JwtAuthenticator(amsAccessToken.Token);
_restClient.UseNewtonsoftJson(
new Newtonsoft.Json.JsonSerializerSettings()
{
ContractResolver = new DefaultContractResolver(),
});
_restClient.AddDefaultHeader("Content-Type", $"{ContentType.Json};odata=verbose");
_restClient.AddDefaultHeader("Accept", $"{ContentType.Json};odata=verbose");
_restClient.AddDefaultHeader("DataServiceVersion", "3.0");
_restClient.AddDefaultHeader("MaxDataServiceVersion", "3.0");
_restClient.AddDefaultHeader("x-ms-version", "2.19");
return;
}
/// <summary>
/// Obtains a token from the Azure Active Directory service, using the specified client detailed specified in the SDK Auth file.
/// This method is called by Azure SDK clients. It isn't intended for use in application code.
/// </summary>
/// <remarks>
/// If the SDK Auth file is missing or invalid, this method throws a <see cref="AuthenticationFailedException"/> exception.
/// </remarks>
/// <param name="requestContext">The details of the authentication request</param>
/// <param name="cancellationToken">A <see cref="CancellationToken"/> controlling the request lifetime.</param>
/// <returns>An <see cref="AccessToken"/> which can be used to authenticate service client calls.</returns>
public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
{
EnsureCredential(false, cancellationToken).GetAwaiter().GetResult();
return(_credential.GetToken(requestContext, cancellationToken));
}
public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
{
return(_tokenCredential.GetToken(requestContext, cancellationToken));
}
/// <summary>
/// Retrieves the token that represents the shared access signature credential, for
/// use in authorization against an Service Bus entity.
/// </summary>
///
/// <param name="requestContext">The details of the authentication request.</param>
/// <param name="cancellationToken">The token used to request cancellation of the operation.</param>
///
/// <returns>The token representing the shared access signature for this credential.</returns>
///
public override AccessToken GetToken(
TokenRequestContext requestContext,
CancellationToken cancellationToken) =>
_credential.GetToken(requestContext, cancellationToken);
private async ValueTask <AccessToken> GetTokenImplAsync(bool async, TokenRequestContext requestContext, CancellationToken cancellationToken)
{
using CredentialDiagnosticScope scope = _pipeline.StartGetTokenScope("DefaultAzureCredential.GetToken", requestContext);
try
{
AccessToken token;
if (_credential != null)
{
token = async ? await _credential.GetTokenAsync(requestContext, cancellationToken).ConfigureAwait(false) : _credential.GetToken(requestContext, cancellationToken);
}
else
{
token = await GetTokenFromSourcesAsync(async, requestContext, cancellationToken).ConfigureAwait(false);
}
return(scope.Succeeded(token));
}
catch (OperationCanceledException e)
{
scope.Failed(e);
throw;
}
catch (Exception e) when(!(e is CredentialUnavailableException))
{
throw scope.FailAndWrap(new AuthenticationFailedException(UnhandledExceptionMessage, e));
}
}
/// <summary>
/// Obtains a token from the Azure Active Directory service, using the specified client details specified in the environment variables
/// AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET to authenticate.
/// </summary>
/// <remarks>
/// If the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET are not specified, the default <see cref="AccessToken"/>
/// </remarks>
/// <param name="requestContext">The details of the authentication request.</param>
/// <param name="cancellationToken">A <see cref="CancellationToken"/> controlling the request lifetime.</param>
/// <returns>An <see cref="AccessToken"/> which can be used to authenticate service client calls.</returns>
public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken = default)
{
return((_credential != null) ? _credential.GetToken(requestContext, cancellationToken) : default);
/// <summary>
/// Obtains a token from the Azure Active Directory service, using the specified client details specified in the environment variables
/// AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET to authenticate.
/// </summary>
/// <remarks>
/// If the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET are not specified, the default <see cref="AccessToken"/>
/// </remarks>
/// <param name="scopes">The list of scopes for which the token will have access.</param>
/// <param name="cancellationToken">A <see cref="CancellationToken"/> controlling the request lifetime.</param>
/// <returns>An <see cref="AccessToken"/> which can be used to authenticate service client calls.</returns>
public override AccessToken GetToken(string[] scopes, CancellationToken cancellationToken = default)
{
return((_credential != null) ? _credential.GetToken(scopes, cancellationToken) : default);
public override string GetToken(string[] scopes, CancellationToken cancellationToken)
{
return(_credential?.GetToken(scopes, cancellationToken));
}
