static void Main(string[] args)
{
var storageUri = Environment.GetEnvironmentVariable("APP_STORAGE_URI");
var containerName = Environment.GetEnvironmentVariable("APP_STORAGE_CONTAINER");
var serviceScope = Environment.GetEnvironmentVariable("APP_SERVICE_SCOPE");
var serviceUri = Environment.GetEnvironmentVariable("APP_SERVICE_URI");
var credential = new ChainedTokenCredential(
new ManagedIdentityCredential(),
new EnvironmentCredential());
var functionToken = credential.GetToken(new TokenRequestContext(new string[] { serviceScope }));
var blobServiceClient = new BlobServiceClient(
new Uri(storageUri),
credential);
var blobContainerClient = blobServiceClient.GetBlobContainerClient(containerName);
var blobClient = blobContainerClient.GetBlobClient($"{DateTime.Now.ToString("yyyy-MM-ddTHH-mm-ss")}.jpg");
blobClient.Upload("test.jpg");
var functionClient = new HttpClient();
functionClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(
"Bearer",
functionToken.Token);
var response = functionClient.GetAsync(serviceUri).Result;
response.EnsureSuccessStatusCode();
}
public static async Task <IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
ILogger log)
{
log.LogInformation("C# HTTP trigger function processed a request.");
string name = req.Query["deviceid"];
string primaryKey = "";
var credential = new ChainedTokenCredential(
new ManagedIdentityCredential(),
new VisualStudioCodeCredential());
var client = new SecretClient(new Uri("https://deviceonboardingkeyvault.vault.azure.net/"), credential);
var secret = client.GetSecret("dpsconnectionstring");
using (var provisioningServiceClient = ProvisioningServiceClient.CreateFromConnectionString(secret.Value.Value)){
var attestation = new SymmetricKeyAttestation("", "");
var ie = new IndividualEnrollment(name, attestation);
var enrollment = await provisioningServiceClient.CreateOrUpdateIndividualEnrollmentAsync(ie);
var keys = enrollment.Attestation as SymmetricKeyAttestation;
primaryKey = keys.PrimaryKey;
log.LogInformation(enrollment.IotHubHostName);
}
return(new OkObjectResult(primaryKey));
}
protected SecretClient GetSecretClient()
{
var credentials = new ChainedTokenCredential(new[] { new AzureServiceTokenProviderCredential(TokenCredentialProvider.MsftAdTenantId) });
var client = new SecretClient(new Uri($"https://{KeyVaultName}.vault.azure.net/"), credentials);
return(client);
}
public KeyVaultClient(IConfiguration configuration)
{
var keyVaultUrl = configuration["KeyVault:Endpoint"];
var cred = new ChainedTokenCredential(new ManagedIdentityCredential(), new AzureCliCredential());
Client = new SecretClient(new Uri(keyVaultUrl), cred);
}
public void CustomChainedTokenCredential()
{
#region Snippet:CustomChainedTokenCredential
// authenticate using managed identity if it is available otherwise use the Azure CLI to auth
var credential = new ChainedTokenCredential(new ManagedIdentityCredential(), new AzureCliCredential());
var eventHubProducerClient = new EventHubProducerClient("myeventhub.eventhubs.windows.net", "myhubpath", credential);
#endregion
}
public async Task CredentialThrows()
{
var cred1 = new SimpleMockTokenCredential("scopeA", "tokenA");
var cred2 = new ExceptionalMockTokenCredential();
var cred3 = new SimpleMockTokenCredential("scopeB", "tokenB");
var provider = new ChainedTokenCredential(cred1, cred2, cred3);
Assert.AreEqual("tokenA", (await provider.GetTokenAsync(new TokenRequestContext(new string[] { "scopeA" }))).Token);
Assert.CatchAsync <AuthenticationFailedException>(async() => await provider.GetTokenAsync(new TokenRequestContext(new string[] { "ScopeB" })));
Assert.CatchAsync <AuthenticationFailedException>(async() => await provider.GetTokenAsync(new TokenRequestContext(new string[] { "ScopeC" })));
}
/// <summary>
/// Initialise a new instance of Ms Sql Connection provider using Default Azure Credentials to acquire Access Tokens.
/// </summary>
/// <param name="configuration">Ms Sql Configuration</param>
/// <param name="credentialSources">List of Token Providers to use when trying to obtain a token.</param>
public ServiceBusChainedClientProvider(MsSqlConfiguration configuration,
params TokenCredential[] credentialSources) : base(configuration)
{
if (credentialSources == null || credentialSources.Length < 1)
{
throw new ArgumentNullException(nameof(credentialSources),
"Credential Sources is null or empty, ensure this is set in the constructor.");
}
_credential = new ChainedTokenCredential(credentialSources);
}
private async Task <string> GetConnectionStringFromKV()
{
// Get the credential of user assigned identity
var credential = new ChainedTokenCredential(
new ManagedIdentityCredential(Configuration["UserAssignedIdentityClientId"]),
new AzureCliCredential());
// Get secret from key vault
var kvClient = new SecretClient(new Uri(Configuration["KeyVaultUri"]), credential);
var secretBundle = await kvClient.GetSecretAsync("ConnectionString");
return(secretBundle.Value.Value);
}
protected async Task <TokenCredentials> GetServiceClientCredentials()
{
var cts = new CancellationTokenSource();
var creds = new ChainedTokenCredential(new[] { new AzureServiceTokenProviderCredential(TokenCredentialProvider.MsftAdTenantId) });
AccessToken token = await creds.GetTokenAsync(new TokenRequestContext(new[]
{
"https://management.azure.com/.default",
}), cts.Token);
return(new TokenCredentials(token.Token));
}
public static BlobContainerClient CreateClient(IConfiguration config, string section)
{
var options = new BlobContainerConfig();
config.GetSection(section).Bind(options);
var credentials = new ChainedTokenCredential(
new ManagedIdentityCredential(),
new AzureCliCredential()
);
return(new BlobContainerClient(
options.GetContainerUrl(), credentials));
}
public async Task CredentialSequenceValid()
{
var cred1 = new SimpleMockTokenCredential("scopeA", "tokenA");
var cred2 = new SimpleMockTokenCredential("scopeB", "tokenB");
var cred3 = new SimpleMockTokenCredential("scopeB", "NotToBeReturned");
var cred4 = new SimpleMockTokenCredential("scopeC", "tokenC");
var provider = new ChainedTokenCredential(cred1, cred2, cred3, cred4);
Assert.AreEqual("tokenA", (await provider.GetTokenAsync(new string[] { "scopeA" })).Token);
Assert.AreEqual("tokenB", (await provider.GetTokenAsync(new string[] { "scopeB" })).Token);
Assert.AreEqual("tokenC", (await provider.GetTokenAsync(new string[] { "scopeC" })).Token);
Assert.IsNull((await provider.GetTokenAsync(new string[] { "scopeD" })).Token);
}
private static void InitializeClient()
{
if (_secretClient == null)
{
var settings = ConfigurationService.GetSection <KeyVaultSettings>();
if (settings.IsEnabled && !string.IsNullOrEmpty(settings.KeyVaultEndpoint))
{
// Create a new secret client using the default credential from Azure.Identity using environment variables previously set,
// including AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID.
var cred = new ChainedTokenCredential(new ManagedIdentityCredential(), new AzureCliCredential());
_secretClient = new SecretClient(vaultUri: new Uri(settings.KeyVaultEndpoint), cred);
}
}
}
public async Task AllCredentialSkipped()
{
var cred1 = new UnavailbleCredential();
var cred2 = new UnavailbleCredential();
var chain = new ChainedTokenCredential(cred1, cred2);
var ex = Assert.CatchAsync <AuthenticationFailedException>(async() => await chain.GetTokenAsync(new TokenRequestContext(MockScopes.Default)));
Assert.IsInstanceOf(typeof(AggregateException), ex.InnerException);
CollectionAssert.AllItemsAreInstancesOfType(((AggregateException)ex.InnerException).InnerExceptions, typeof(CredentialUnavailableException));
await Task.CompletedTask;
}
public async Task <string> GetAccessToken(string videoId)
{
// TLS 1.2 (or above) is required to send requests
var httpHandler = new SocketsHttpHandler();
httpHandler.SslOptions.EnabledSslProtocols |= SslProtocols.Tls12;
var client = new HttpClient(httpHandler);
if (apiKey == null || apiKey == "")
{
// Use AzureCredential to generate Azure Video Analyzer for Media Access Token
var credential = new ChainedTokenCredential(new ManagedIdentityCredential(), new DefaultAzureCredential());
string[] scopes = new string[1];
scopes[0] = "https://management.azure.com/.default";
var access_token = credential.GetToken(new TokenRequestContext(scopes));
Console.WriteLine(access_token.Token.ToString());
string url = $"https://management.azure.com{resourceId}/generateAccessToken?api-version=2021-10-18-preview";
var getAccountsRequest = new HttpRequestMessage(HttpMethod.Post, url);
getAccountsRequest.Headers.Add("Authorization", $"Bearer {access_token.Token.ToString()}");
getAccountsRequest.Content = new StringContent("{\"permissionType\":\"Contributor\",\"scope\": \"Account\"}", Encoding.UTF8, "application/json");
var result = await client.SendAsync(getAccountsRequest);
string accessToken = await result.Content.ReadAsStringAsync();
var accessTokenObj = JsonConvert.DeserializeObject <VideoAnalyzerAccessToken>(accessToken);
accessToken = $"https://www.videoindexer.ai/embed/player/{accountId}/{videoId}?location={accountLocation}&accessToken={accessTokenObj.AccessToken}";
return(accessToken);
}
else
{
// Use API Key for Video Indexer (or not ARM Azure Video Analyzer for Media)
var getAccountsRequest = new HttpRequestMessage(HttpMethod.Get, $"{apiUrl}/auth/{accountLocation}/Accounts/{accountId}/Videos/{videoId}/AccessToken");
getAccountsRequest.Headers.Add("Ocp-Apim-Subscription-Key", apiKey);
getAccountsRequest.Headers.Add("x-ms-client-request-id", Guid.NewGuid().ToString()); // Log the request id so you can include it in case you wish to report an issue for API errors or unexpected API behavior
var result = await client.SendAsync(getAccountsRequest);
Console.WriteLine("Response id to log: " + result.Headers.GetValues("x-ms-request-id").FirstOrDefault()); // Log the response id so you can include it in case you wish to report an issue for API errors or unexpected API behavior
string accessToken = (await result.Content.ReadAsStringAsync()).Trim('"'); // The access token is returned as JSON value surrounded by double-quotes
accessToken = $"https://www.videoindexer.ai/embed/player/{accountId}/{videoId}?location={accountLocation}&accessToken={accessToken}";
return(accessToken);
}
}
// Get: /GetSecretFromKV
public async Task <IActionResult> GetSecretFromKV()
{
// Get the credential of user assigned identity
var credential = new ChainedTokenCredential(
new ManagedIdentityCredential(_configuration["UserAssignedIdentityClientId"]),
new AzureCliCredential());
// Get secret from key vault
var kvClient = new SecretClient(new Uri(_configuration["KeyVaultUri"]), credential);
var secretBundle = await kvClient.GetSecretAsync(_configuration["SecretName"]);
var indexViewModel = await GetIndexViewModel();
indexViewModel.KVSecret = secretBundle.Value.Name + ": " + secretBundle.Value.Value;
return(View("Index", indexViewModel));
}
/// <summary>
/// Initializes an implementation is <see cref="IServiceBusClientProvider"/> using Default Azure Credentials for Authentication.
/// </summary>
/// <param name="fullyQualifiedNameSpace">The Fully Qualified Namespace i.e. my-servicebus.azureservicebus.net</param>
/// <param name="credentialSources">List of Token Providers to use when trying to obtain a token.</param>
/// <exception cref="ArgumentNullException">Throws is the namespace is null</exception>
public ServiceBusChainedClientProvider(string fullyQualifiedNameSpace, params TokenCredential[] credentialSources)
{
if (string.IsNullOrEmpty(fullyQualifiedNameSpace))
{
throw new ArgumentNullException(nameof(fullyQualifiedNameSpace),
"Fully qualified Namespace is null or empty, ensure this is set in the constructor.");
}
else if (credentialSources == null || credentialSources.Length < 1)
{
throw new ArgumentNullException(nameof(credentialSources),
"Credential Sources is null or empty, ensure this is set in the constructor.");
}
_tokenCredential = new ChainedTokenCredential(credentialSources);
_fullyQualifiedNameSpace = fullyQualifiedNameSpace;
}
public async Task CredentialSequenceValid()
{
var cred1 = new SimpleMockTokenCredential("scopeA", "tokenA");
var cred2 = new SimpleMockTokenCredential("scopeB", "tokenB");
var cred3 = new SimpleMockTokenCredential("scopeB", "NotToBeReturned");
var cred4 = new SimpleMockTokenCredential("scopeC", "tokenC");
var provider = new ChainedTokenCredential(cred1, cred2, cred3, cred4);
Assert.AreEqual("tokenA", (await provider.GetTokenAsync(new TokenRequestContext(new string[] { "scopeA" }))).Token);
Assert.AreEqual("tokenB", (await provider.GetTokenAsync(new TokenRequestContext(new string[] { "scopeB" }))).Token);
Assert.AreEqual("tokenC", (await provider.GetTokenAsync(new TokenRequestContext(new string[] { "scopeC" }))).Token);
var ex = Assert.CatchAsync <AuthenticationFailedException>(async() => await provider.GetTokenAsync(new TokenRequestContext(new string[] { "ScopeD" })));
Assert.IsInstanceOf(typeof(AggregateException), ex.InnerException);
CollectionAssert.AllItemsAreInstancesOfType(((AggregateException)ex.InnerException).InnerExceptions, typeof(CredentialUnavailableException));
}
public async Task <List <string> > Get()
{
var credential = new ChainedTokenCredential(
new AzureCliCredential(),
new ManagedIdentityCredential()
);
var keyVaultClient = new SecretClient(new Uri(configuration["KeyVaultUri"]), credential);
var secretOperation = await keyVaultClient.GetSecretAsync("VerySecretValue");
var secret = secretOperation.Value.Value;
var secret2 = configuration["SomeConfigValue"];
return(new List <string>()
{
secret, secret2
});
}
public static async Task <GraphServiceClient> GetGraphApiClient()
{
var credential = new ChainedTokenCredential(new ManagedIdentityCredential(), new AzureCliCredential());
var accessToken = await credential.GetTokenAsync(new
TokenRequestContext(scopes : new [] { "https://graph.microsoft.com/.default" }, parentRequestId : null), default);
var graphServiceClient = new GraphServiceClient(
new DelegateAuthenticationProvider((requestMessage) =>
{
requestMessage
.Headers
.Authorization = new AuthenticationHeaderValue("bearer", accessToken.Token);
return(Task.CompletedTask);
}));
return(graphServiceClient);
}
static void Main(string[] args)
{
var storageUri = Environment.GetEnvironmentVariable("APP_STORAGE_URI");
var containerName = Environment.GetEnvironmentVariable("APP_STORAGE_CONTAINER");
var credential = new ChainedTokenCredential(
new ManagedIdentityCredential(),
new EnvironmentCredential());
var blobServiceClient = new BlobServiceClient(
new Uri(storageUri),
credential);
var blobContainerClient = blobServiceClient.GetBlobContainerClient(containerName);
var blobClient = blobContainerClient.GetBlobClient($"{DateTime.Now.ToString("yyyy-MM-ddTHH-mm-ss")}.jpg");
blobClient.Upload("test.jpg");
}
public static IWebHostBuilder CreateHostBuilder(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.ConfigureAppConfiguration((context, config) =>
{
var builtConfig = config.Build();
var clientId = builtConfig["ClientId"];
var managedIdentityCredential = string.IsNullOrEmpty(clientId)
? new ManagedIdentityCredential()
: new ManagedIdentityCredential(clientId);
var credential = new ChainedTokenCredential(
new VisualStudioCredential(),
new AzureCliCredential(),
managedIdentityCredential);
config.AddAzureKeyVault(new Uri(builtConfig["KeyVaultUrl"]), credential);
})
.UseStartup <Startup>();
public void OnGet()
{
var clientId = configuration["ClientId"];
var managedIdentityCredential = string.IsNullOrEmpty(clientId)
? new ManagedIdentityCredential()
: new ManagedIdentityCredential(clientId);
var credential = new ChainedTokenCredential(
new VisualStudioCredential(),
new AzureCliCredential(),
managedIdentityCredential);
var client = new SecretClient(vaultUri: new Uri(configuration["KeyVaultUrl"]), credential: credential);
// Retrieve a secret using the secret client.
FromKeyVault = client.GetSecret("KVSercret").Value.Value;
// Retrive secret from config stored in Key Vault
FromConfig = configuration["SomeConfigValueFromKV"];
}
private static async Task GetChainedTokenCredential()
{
string[] scopes = new[] { "User.Read" };
string clientId = "d662ac70-7482-45af-9dc3-c3cde8eeede4";
EnvironmentCredential environmentCredential = new EnvironmentCredential();
InteractiveBrowserCredential myBrowserCredential = new InteractiveBrowserCredential(clientId);
TokenCredential [] tokenCredentials = new TokenCredential[] { environmentCredential, myBrowserCredential };
ChainedTokenCredential chainedTokenCredential = new ChainedTokenCredential(tokenCredentials);
TokenCredentialAuthProvider tokenCredentialAuthProvider = new TokenCredentialAuthProvider(chainedTokenCredential, scopes);
//Try to get something from the Graph!!
HttpClient httpClient = GraphClientFactory.Create(tokenCredentialAuthProvider);
HttpRequestMessage requestMessage = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/users/[email protected]/");
HttpResponseMessage response = await httpClient.SendAsync(requestMessage);
//Print out the response :)
string jsonResponse = await response.Content.ReadAsStringAsync();
Console.WriteLine(jsonResponse);
}
static void Main(string[] args)
{
var serviceScope = Environment.GetEnvironmentVariable("APP_SERVICE_SCOPE");
var serviceUri = Environment.GetEnvironmentVariable("APP_SERVICE_URI");
var credential = new ChainedTokenCredential(
new ManagedIdentityCredential(),
new EnvironmentCredential());
var token = credential.GetToken(new TokenRequestContext(new string[] { serviceScope }));
var functionClient = new HttpClient();
functionClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(
"Bearer",
token.Token);
var response = functionClient.GetAsync(serviceUri).Result;
response.EnsureSuccessStatusCode();
}
public AzStorageWorker(ILogger <AzStorageWorker> logger, ChainedTokenCredential tokenCredential)
{
_logger = logger;
_tokenCredential = tokenCredential;
}
