private static BlobClient GetBlobClient(ILogger log,
string mode,
string miClientID,
string storageEndPoint,
string clientId,
string clientSecret,
string tennat,
string blobContainerName,
string blobName)
{
log.LogInformation($"will access using {mode}");
Azure.Identity.TokenCredentialOptions options = default;
ClientSecretCredential spnToken = new ClientSecretCredential(tennat, clientId, clientSecret);
ManagedIdentityCredential token = new ManagedIdentityCredential(miClientID, options);
string saConnectionString = "";
// note, that in a real impl, only one type should be used
if (mode.Equals("spn"))
{
var client = new SecretClient(new Uri("https://gensaskv.vault.azure.net/"), spnToken);
saConnectionString = client.GetSecret("sa-cs").Value.Value;
}
else
{
var client = new SecretClient(new Uri("https://gensaskv.vault.azure.net/"), token);
saConnectionString = client.GetSecret("sa-cs").Value.Value;
}
BlobClient blobClient = new BlobClient(saConnectionString, blobContainerName, blobName);
log.LogInformation($"got blob client via token, blobClient.CanGenerateSasUri ? {blobClient.CanGenerateSasUri}");
return(blobClient);
}
/// <summary>
/// Creates an instance of the EnvironmentCredential class and reads client secret details from environment variables.
/// If the expected environment variables are not found at this time, the GetToken method will return the default <see cref="AccessToken"/> when invoked.
/// </summary>
/// <param name="options">Options that allow to configure the management of the requests sent to the Azure Active Directory service.</param>
public EnvironmentCredential(TokenCredentialOptions options)
{
string tenantId = EnvironmentVariables.TenantId;
string clientId = EnvironmentVariables.ClientId;
string clientSecret = EnvironmentVariables.ClientSecret;
string username = EnvironmentVariables.Username;
string password = EnvironmentVariables.Password;
if (tenantId != null && clientId != null)
{
if (clientSecret != null)
{
_credential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);
}
else if (username != null && password != null && tenantId != null && clientId != null)
{
_credential = new UsernamePasswordCredential(username, password, clientId, tenantId);
}
}
}
internal UsernamePasswordCredential(
string username,
string password,
string tenantId,
string clientId,
TokenCredentialOptions options,
CredentialPipeline pipeline,
MsalPublicClient client)
{
Argument.AssertNotNull(username, nameof(username));
Argument.AssertNotNull(password, nameof(password));
Argument.AssertNotNull(clientId, nameof(clientId));
_tenantId = Validations.ValidateTenantId(tenantId, nameof(tenantId));
_username = username;
_password = password.ToSecureString();
_clientId = clientId;
_pipeline = pipeline ?? CredentialPipeline.GetInstance(options);
Client = client ?? new MsalPublicClient(_pipeline, tenantId, clientId, null, options);
}
/// <summary>
/// Creates a new DeviceCodeCredential with the specifeid options, which will authenticate users with the specified application.
/// </summary>
/// <param name="deviceCodeCallback">The callback to be executed to display the device code to the user</param>
/// <param name="tenantId">The tenant id of the application to which users will authenticate. This can be null for multi-tenanted applications.</param>
/// <param name="clientId">The client id of the application to which the users will authenticate</param>
/// <param name="options">The client options for the newly created DeviceCodeCredential</param>
public DeviceCodeCredential(Func <DeviceCodeInfo, CancellationToken, Task> deviceCodeCallback, string tenantId, string clientId, TokenCredentialOptions options = default)
{
_clientId = clientId ?? throw new ArgumentNullException(nameof(clientId));
_deviceCodeCallback = deviceCodeCallback ?? throw new ArgumentNullException(nameof(deviceCodeCallback));
_options = options ?? new TokenCredentialOptions();
_pipeline = HttpPipelineBuilder.Build(_options);
_clientDiagnostics = new ClientDiagnostics(options);
var pubAppBuilder = PublicClientApplicationBuilder.Create(_clientId).WithHttpClientFactory(new HttpPipelineClientFactory(_pipeline)).WithRedirectUri("https://login.microsoftonline.com/common/oauth2/nativeclient");
if (!string.IsNullOrEmpty(tenantId))
{
pubAppBuilder = pubAppBuilder.WithTenantId(tenantId);
}
_pubApp = pubAppBuilder.Build();
}
internal UsernamePasswordCredential(
string username,
string password,
string tenantId,
string clientId,
TokenCredentialOptions options,
CredentialPipeline pipeline,
MsalPublicClient client)
{
Argument.AssertNotNull(username, nameof(username));
Argument.AssertNotNull(password, nameof(password));
Argument.AssertNotNull(clientId, nameof(clientId));
_tenantId = Validations.ValidateTenantId(tenantId, nameof(tenantId));
_allowMultiTenantAuthentication = options?.AllowMultiTenantAuthentication ?? false;
_username = username;
_password = password.ToSecureString();
_clientId = clientId;
_pipeline = pipeline ?? CredentialPipeline.GetInstance(options);
Client = client ?? new MsalPublicClient(_pipeline, tenantId, clientId, null, options as ITokenCacheOptions, options?.IsLoggingPIIEnabled ?? false);
}
internal EnvironmentCredential(CredentialPipeline pipeline, TokenCredentialOptions options = null)
{
_pipeline = pipeline;
_options = options ?? new TokenCredentialOptions();
string tenantId = EnvironmentVariables.TenantId;
string clientId = EnvironmentVariables.ClientId;
string clientSecret = EnvironmentVariables.ClientSecret;
string clientCertificatePath = EnvironmentVariables.ClientCertificatePath;
string clientSendCertificateChain = EnvironmentVariables.ClientSendCertificateChain;
string username = EnvironmentVariables.Username;
string password = EnvironmentVariables.Password;
if (!string.IsNullOrEmpty(tenantId) && !string.IsNullOrEmpty(clientId))
{
if (!string.IsNullOrEmpty(clientSecret))
{
Credential = new ClientSecretCredential(tenantId, clientId, clientSecret, _options, _pipeline, null);
}
else if (!string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password))
{
Credential = new UsernamePasswordCredential(username, password, tenantId, clientId, _options, _pipeline, null);
}
else if (!string.IsNullOrEmpty(clientCertificatePath))
{
bool sendCertificateChain = !string.IsNullOrEmpty(clientSendCertificateChain) &&
(clientSendCertificateChain == "1" || clientSendCertificateChain == "true");
ClientCertificateCredentialOptions clientCertificateCredentialOptions = new ClientCertificateCredentialOptions
{
AuthorityHost = _options.AuthorityHost,
IsLoggingPIIEnabled = _options.IsLoggingPIIEnabled,
Transport = _options.Transport,
SendCertificateChain = sendCertificateChain
};
Credential = new ClientCertificateCredential(tenantId, clientId, clientCertificatePath, clientCertificateCredentialOptions, _pipeline, null);
}
}
}
/// <summary>
/// Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Azure Active Directory with the specified certificate.
/// </summary>
/// <param name="tenantId">The Azure Active Directory tenant (directory) Id of the service principal.</param>
/// <param name="clientId">The client (application) ID of the service principal</param>
/// <param name="clientCertificate">The authentication X509 Certificate of the service principal</param>
/// <param name="options">Options that allow to configure the management of the requests sent to the Azure Active Directory service.</param>
public ClientCertificateCredential(string tenantId, string clientId, X509Certificate2 clientCertificate, TokenCredentialOptions options)
{
TenantId = tenantId ?? throw new ArgumentNullException(nameof(tenantId));
ClientId = clientId ?? throw new ArgumentNullException(nameof(clientId));
ClientCertificate = clientCertificate ?? throw new ArgumentNullException(nameof(clientCertificate));
_client = (options != null) ? new AadIdentityClient(options) : AadIdentityClient.SharedClient;
}
internal DeviceCodeCredential(Func <DeviceCodeInfo, CancellationToken, Task> deviceCodeCallback, string tenantId, string clientId, TokenCredentialOptions options, CredentialPipeline pipeline)
: this(deviceCodeCallback, tenantId, clientId, options, pipeline, null)
{
}
/// <inheritdoc />
internal VisualStudioCredential(string tenantId, TokenCredentialOptions options) : this(tenantId, options, default, default)
{
}
internal ClientCertificateCredential(string tenantId, string clientId, string certificatePath, TokenCredentialOptions options, CredentialPipeline pipeline, MsalConfidentialClient client)
: this(tenantId, clientId, new X509Certificate2FromFileProvider(certificatePath ?? throw new ArgumentNullException(nameof(certificatePath))), options, pipeline, client)
/// <summary>
/// Creates an instance of the <see cref="UsernamePasswordCredential"/> with the details needed to authenticate against Azure Active Directory with a simple username
/// and password.
/// </summary>
/// <param name="username">The user account's user name, UPN.</param>
/// <param name="password">The user account's password.</param>
/// <param name="tenantId">The Azure Active Directory tenant (directory) ID or name.</param>
/// <param name="clientId">The client (application) ID of an App Registration in the tenant.</param>
/// <param name="options">The client options for the newly created UsernamePasswordCredential</param>
public UsernamePasswordCredential(string username, string password, string tenantId, string clientId, TokenCredentialOptions options)
: this(username, password, tenantId, clientId, options, null, null)
{
}
internal InteractiveBrowserCredential(string tenantId, string clientId, TokenCredentialOptions options, CredentialPipeline pipeline)
: this(tenantId, clientId, options, pipeline, null)
{
}
public DefaultAzureCredentialFactory(TokenCredentialOptions options)
: this(CredentialPipeline.GetInstance(options))
{
}
internal UsernamePasswordCredential(string username, string password, string tenantId, string clientId, CredentialPipeline pipeline, TokenCredentialOptions options = default)
: this(username, password, pipeline, pipeline.CreateMsalPublicClient(clientId, tenantId, cacheOptions : options as ITokenCacheOptions))
{
}
/// <summary>
/// Creates an instance of the <see cref="UsernamePasswordCredential"/> with the details needed to authenticate against Azure Active Directory with a simple username
/// and password.
/// </summary>
/// <param name="username">The user account's user name, UPN.</param>
/// <param name="password">The user account's password.</param>
/// <param name="tenantId">The Azure Active Directory tenant (directory) ID or name.</param>
/// <param name="clientId">The client (application) ID of an App Registration in the tenant.</param>
/// <param name="options">The client options for the newly created UsernamePasswordCredential</param>
public UsernamePasswordCredential(string username, string password, string tenantId, string clientId, TokenCredentialOptions options)
: this(username, password, tenantId, clientId, CredentialPipeline.GetInstance(options))
{
}
internal DeviceCodeCredential(Func <DeviceCodeInfo, CancellationToken, Task> deviceCodeCallback, string tenantId, string clientId, TokenCredentialOptions options, CredentialPipeline pipeline, MsalPublicClient client)
{
Argument.AssertNotNull(clientId, nameof(clientId));
Argument.AssertNotNull(deviceCodeCallback, nameof(deviceCodeCallback));
_tenantId = tenantId;
ClientId = clientId;
DeviceCodeCallback = deviceCodeCallback;
DisableAutomaticAuthentication = (options as DeviceCodeCredentialOptions)?.DisableAutomaticAuthentication ?? false;
Record = (options as DeviceCodeCredentialOptions)?.AuthenticationRecord;
Pipeline = pipeline ?? CredentialPipeline.GetInstance(options);
Client = client ?? new MsalPublicClient(
Pipeline,
tenantId,
ClientId,
AzureAuthorityHosts.GetDeviceCodeRedirectUri(Pipeline.AuthorityHost).AbsoluteUri,
options as ITokenCacheOptions,
options?.IsLoggingPIIEnabled ?? false);
}
/// <summary>
/// Creates a new <see cref="InteractiveBrowserCredential"/> with the specified options, which will authenticate users with the specified application.
/// </summary>
/// <param name="tenantId">The tenant id of the application and the users to authenticate. Can be null in the case of multi-tenant applications.</param>
/// <param name="clientId">The client id of the application to which the users will authenticate</param>
/// TODO: need to link to info on how the application has to be created to authenticate users, for multiple applications
/// <param name="options">The client options for the newly created <see cref="InteractiveBrowserCredential"/>.</param>
public InteractiveBrowserCredential(string tenantId, string clientId, TokenCredentialOptions options = default)
: this(tenantId, clientId, options, null, null)
{
}
public SharedTokenCacheCredential(string username, TokenCredentialOptions options = default)
: this(null, username, options, null, null)
{
}
/// <inheritdoc />
public VisualStudioCodeCredential(string tenantId, TokenCredentialOptions options) : this(tenantId, CredentialPipeline.GetInstance(options), default, default)
{
}
internal SharedTokenCacheCredential(string tenantId, string username, TokenCredentialOptions options, CredentialPipeline pipeline)
: this(tenantId, username, options, pipeline, null)
{
}
internal UsernamePasswordCredential(string username, string password, string tenantId, string clientId, TokenCredentialOptions options, CredentialPipeline pipeline, MsalPublicClient client)
{
_username = username ?? throw new ArgumentNullException(nameof(username));
_password = (password != null) ? password.ToSecureString() : throw new ArgumentNullException(nameof(password));
_clientId = clientId ?? throw new ArgumentNullException(nameof(clientId));
Validations.ValidateTenantId(tenantId, nameof(tenantId));
_pipeline = pipeline ?? CredentialPipeline.GetInstance(options);
_client = client ?? new MsalPublicClient(_pipeline, tenantId, clientId, null, options as ITokenCacheOptions);
}
internal ClientSecretCredential(string tenantId, string clientId, string clientSecret, TokenCredentialOptions options, CredentialPipeline pipeline, MsalConfidentialClient client)
{
TenantId = tenantId ?? throw new ArgumentNullException(nameof(tenantId));
ClientId = clientId ?? throw new ArgumentNullException(nameof(clientId));
ClientSecret = clientSecret ?? throw new ArgumentNullException(nameof(clientSecret));
_pipeline = pipeline ?? CredentialPipeline.GetInstance(options);
_client = client ?? new MsalConfidentialClient(_pipeline, tenantId, clientId, clientSecret, options as ITokenCacheOptions);
}
/// <summary>
/// Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Azure Active Directory with the specified certificate.
/// </summary>
/// <param name="tenantId">The Azure Active Directory tenant (directory) Id of the service principal.</param>
/// <param name="clientId">The client (application) ID of the service principal</param>
/// <param name="clientCertificatePath">The path to a file which contains both the client certificate and private key.</param>
/// <param name="options">Options that allow to configure the management of the requests sent to the Azure Active Directory service.</param>
public ClientCertificateCredential(string tenantId, string clientId, string clientCertificatePath, TokenCredentialOptions options)
: this(tenantId, clientId, clientCertificatePath, options, null, null)
{
}
/// <summary>
/// Creates an instance of the ClientSecretCredential with the details needed to authenticate against Azure Active Directory with a prefetched authorization code.
/// </summary>
/// <param name="tenantId">The Azure Active Directory tenant (directory) Id of the service principal.</param>
/// <param name="clientId">The client (application) ID of the service principal</param>
/// <param name="clientSecret">A client secret that was generated for the App Registration used to authenticate the client.</param>
/// <param name="authorizationCode">The authorization code obtained from a call to authorize. The code should be obtained with all required scopes.
/// See https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow for more information.</param>
/// <param name="options">Options that allow to configure the management of the requests sent to the Azure Active Directory service.</param>
public AuthorizationCodeCredential(string tenantId, string clientId, string clientSecret, string authorizationCode, TokenCredentialOptions options)
{
if (tenantId is null)
{
throw new ArgumentNullException(nameof(tenantId));
}
if (clientId is null)
{
throw new ArgumentNullException(nameof(clientId));
}
if (clientSecret is null)
{
throw new ArgumentNullException(nameof(clientSecret));
}
_authCode = authorizationCode ?? throw new ArgumentNullException(nameof(authorizationCode));
options ??= new TokenCredentialOptions();
_pipeline = CredentialPipeline.GetInstance(options);
_confidentialClient = ConfidentialClientApplicationBuilder.Create(clientId).WithHttpClientFactory(new HttpPipelineClientFactory(_pipeline.HttpPipeline)).WithTenantId(tenantId).WithClientSecret(clientSecret).Build();
_clientDiagnostics = new ClientDiagnostics(options);
}
/// <summary>
/// Creates a new DeviceCodeCredential with the specified options, which will authenticate users with the specified application.
/// </summary>
/// <param name="deviceCodeCallback">The callback to be executed to display the device code to the user</param>
/// <param name="tenantId">The tenant id of the application to which users will authenticate. This can be null for multi-tenanted applications.</param>
/// <param name="clientId">The client id of the application to which the users will authenticate</param>
/// <param name="options">The client options for the newly created DeviceCodeCredential</param>
public DeviceCodeCredential(Func <DeviceCodeInfo, CancellationToken, Task> deviceCodeCallback, string tenantId, string clientId, TokenCredentialOptions options = default)
: this(deviceCodeCallback, tenantId, clientId, options, null)
{
}
/// <summary>
/// Creates an instance of the ClientSecretCredential with the details needed to authenticate against Azure Active Directory with a client secret.
/// </summary>
/// <param name="tenantId">The Azure Active Directory tenant (directory) Id of the service principal.</param>
/// <param name="clientId">The client (application) ID of the service principal</param>
/// <param name="clientSecret">A client secret that was generated for the App Registration used to authenticate the client.</param>
/// <param name="options">Options that allow to configure the management of the requests sent to the Azure Active Directory service.</param>
public ClientSecretCredential(string tenantId, string clientId, string clientSecret, TokenCredentialOptions options)
: this(tenantId, clientId, clientSecret, options, null, null)
{
}
internal DeviceCodeCredential(Func <DeviceCodeInfo, CancellationToken, Task> deviceCodeCallback, string tenantId, string clientId, TokenCredentialOptions options, CredentialPipeline pipeline, MsalPublicClient client)
{
_clientId = clientId ?? throw new ArgumentNullException(nameof(clientId));
_deviceCodeCallback = deviceCodeCallback ?? throw new ArgumentNullException(nameof(deviceCodeCallback));
_pipeline = pipeline ?? CredentialPipeline.GetInstance(options);
_client = client ?? new MsalPublicClient(_pipeline, tenantId, clientId, AzureAuthorityHosts.GetDeviceCodeRedirectUri(_pipeline.AuthorityHost).ToString(), options as ITokenCacheOptions);
}
internal ClientSecretCredential(string tenantId, string clientId, string clientSecret, TokenCredentialOptions options, CredentialPipeline pipeline, MsalConfidentialClient client)
{
Argument.AssertNotNull(clientId, nameof(clientId));
Argument.AssertNotNull(clientSecret, nameof(clientSecret));
TenantId = Validations.ValidateTenantId(tenantId, nameof(tenantId));
ClientId = clientId ?? throw new ArgumentNullException(nameof(clientId));
ClientSecret = clientSecret;
_allowMultiTenantAuthentication = options?.AllowMultiTenantAuthentication ?? false;
_pipeline = pipeline ?? CredentialPipeline.GetInstance(options);
Client = client ??
new MsalConfidentialClient(
_pipeline,
tenantId,
clientId,
clientSecret,
options as ITokenCacheOptions,
(options as ClientSecretCredentialOptions)?.RegionalAuthority,
options?.IsLoggingPIIEnabled ?? false);
}
/// <summary>
/// Creates an instance of the ManagedIdentityCredential capable of authenticating a resource with a managed identity.
/// </summary>
/// <param name="clientId">
/// The client id to authenticate for a user assigned managed identity. More information on user assigned managed identities can be found here:
/// https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#how-a-user-assigned-managed-identity-works-with-an-azure-vm
/// </param>
/// <param name="options">Options to configure the management of the requests sent to the Azure Active Directory service.</param>
public ManagedIdentityCredential(string clientId = null, TokenCredentialOptions options = null)
: this(clientId, CredentialPipeline.GetInstance(options))
{
}
public DeviceCodeCredential(Func <DeviceCodeInfo, CancellationToken, Task> deviceCodeCallback, string tenantId, string clientId, TokenCredentialOptions options = default)
: this(deviceCodeCallback, Validations.ValidateTenantId(tenantId, nameof(tenantId), allowNull : true), clientId, options, null)
{
}
