public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
        {
            var deviceCodeParameters = parameters as DeviceCodeParameters;
            var tokenCacheProvider   = parameters.TokenCacheProvider;
            var onPremise            = parameters.Environment.OnPremise;
            //null instead of "organizations" should be passed to Azure.Identity to support MSA account
            var tenantId = onPremise ? AdfsTenant :
                           (string.Equals(parameters.TenantId, OrganizationsTenant, StringComparison.OrdinalIgnoreCase) ? null : parameters.TenantId);
            var resource  = parameters.Environment.GetEndpoint(parameters.ResourceId) ?? parameters.ResourceId;
            var scopes    = AuthenticationHelpers.GetScope(onPremise, resource);
            var clientId  = AuthenticationHelpers.PowerShellClientId;
            var authority = parameters.Environment.ActiveDirectoryAuthority;

            var requestContext = new TokenRequestContext(scopes);
            DeviceCodeCredentialOptions options = new DeviceCodeCredentialOptions()
            {
                DeviceCodeCallback           = DeviceCodeFunc,
                AuthorityHost                = new Uri(authority),
                ClientId                     = clientId,
                TenantId                     = tenantId,
                TokenCachePersistenceOptions = tokenCacheProvider.GetTokenCachePersistenceOptions(),
            };
            var codeCredential = new DeviceCodeCredential(options);

            TracingAdapter.Information($"{DateTime.Now:T} - [DeviceCodeAuthenticator] Calling DeviceCodeCredential.AuthenticateAsync - TenantId:'{options.TenantId}', Scopes:'{string.Join(",", scopes)}', AuthorityHost:'{options.AuthorityHost}'");
            var authTask = codeCredential.AuthenticateAsync(requestContext, cancellationToken);

            return(MsalAccessToken.GetAccessTokenAsync(
                       authTask,
                       codeCredential,
                       requestContext,
                       cancellationToken));
        }
        //MSAL doesn't cache Service Principal into msal.cache
        public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
        {
            var spParameters = parameters as ClientAssertionParameters;
            var onPremise    = spParameters.Environment.OnPremise;
            var tenantId     = onPremise ? AdfsTenant :
                               (string.Equals(parameters.TenantId, OrganizationsTenant, StringComparison.OrdinalIgnoreCase) ? null : parameters.TenantId);
            var resource  = spParameters.Environment.GetEndpoint(spParameters.ResourceId) ?? spParameters.ResourceId;
            var scopes    = AuthenticationHelpers.GetScope(onPremise, resource);
            var authority = spParameters.Environment.ActiveDirectoryAuthority;

            var requestContext = new TokenRequestContext(scopes);

            AzureSession.Instance.TryGetComponent(nameof(AzureCredentialFactory), out AzureCredentialFactory azureCredentialFactory);

            TokenCredential tokenCredential = new ClientAssertionCredential(tenantId, spParameters.ClientId, spParameters.ClientAssertion.ConvertToString());
            string          parametersLog   = $"- ClientId:'{spParameters.ClientId}', TenantId:'{tenantId}', ClientAssertion:'***' Scopes:'{string.Join(",", scopes)}'";

            return(MsalAccessToken.GetAccessTokenAsync(
                       nameof(ClientAssertionAuthenticator),
                       parametersLog,
                       tokenCredential,
                       requestContext,
                       cancellationToken,
                       spParameters.TenantId,
                       spParameters.ClientId));
        }
Esempio n. 3
0
        public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
        {
            var deviceCodeParameters = parameters as DeviceCodeParameters;
            var tokenCacheProvider   = parameters.TokenCacheProvider;
            var onPremise            = parameters.Environment.OnPremise;
            //null instead of "organizations" should be passed to Azure.Identity to support MSA account
            var tenantId = onPremise ? AdfsTenant :
                           (string.Equals(parameters.TenantId, OrganizationsTenant, StringComparison.OrdinalIgnoreCase) ? null : parameters.TenantId);
            var resource  = parameters.Environment.GetEndpoint(parameters.ResourceId) ?? parameters.ResourceId;
            var scopes    = AuthenticationHelpers.GetScope(onPremise, resource);
            var clientId  = AuthenticationHelpers.PowerShellClientId;
            var authority = parameters.Environment.ActiveDirectoryAuthority;

            var requestContext = new TokenRequestContext(scopes);

            AzureSession.Instance.TryGetComponent(nameof(PowerShellTokenCache), out PowerShellTokenCache tokenCache);

            DeviceCodeCredentialOptions options = new DeviceCodeCredentialOptions()
            {
                DeviceCodeCallback = DeviceCodeFunc,
                AuthorityHost      = new Uri(authority),
                ClientId           = clientId,
                TenantId           = onPremise ? tenantId : null,
                TokenCache         = tokenCache.TokenCache,
            };
            var codeCredential = new DeviceCodeCredential(options);

            var authTask = codeCredential.AuthenticateAsync(requestContext, cancellationToken);

            return(MsalAccessToken.GetAccessTokenAsync(
                       authTask,
                       codeCredential,
                       requestContext,
                       cancellationToken));
        }
        public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
        {
            var silentParameters = parameters as SilentParameters;
            var onPremise        = silentParameters.Environment.OnPremise;
            var tenantId         = onPremise ? AdfsTenant :
                                   (string.Equals(parameters.TenantId, OrganizationsTenant, StringComparison.OrdinalIgnoreCase) ? null : parameters.TenantId);
            var resource  = silentParameters.Environment.GetEndpoint(silentParameters.ResourceId) ?? silentParameters.ResourceId;
            var scopes    = AuthenticationHelpers.GetScope(onPremise, resource);
            var authority = silentParameters.Environment.ActiveDirectoryAuthority;

            AzureSession.Instance.TryGetComponent(nameof(PowerShellTokenCache), out PowerShellTokenCache tokenCache);
            var options = new SharedTokenCacheCredentialOptions(tokenCache.TokenCache)
            {
                EnableGuestTenantAuthentication = true,
                ClientId      = AuthenticationHelpers.PowerShellClientId,
                Username      = silentParameters.UserId,
                AuthorityHost = new Uri(authority),
                TenantId      = tenantId,
            };

            var cacheCredential = new SharedTokenCacheCredential(options);
            var requestContext  = new TokenRequestContext(scopes);
            var parametersLog   = $"- TenantId:'{options.TenantId}', Scopes:'{string.Join(",", scopes)}', AuthorityHost:'{options.AuthorityHost}', UserId:'{silentParameters.UserId}'";

            return(MsalAccessToken.GetAccessTokenAsync(
                       nameof(SilentAuthenticator),
                       parametersLog,
                       cacheCredential,
                       requestContext,
                       cancellationToken,
                       silentParameters.TenantId,
                       silentParameters.UserId,
                       silentParameters.HomeAccountId));
        }
        public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
        {
            var interactiveParameters = parameters as InteractiveParameters;
            var onPremise             = interactiveParameters.Environment.OnPremise;
            //null instead of "organizations" should be passed to Azure.Identity to support MSA account
            var tenantId = onPremise ? AdfsTenant :
                           (string.Equals(parameters.TenantId, OrganizationsTenant, StringComparison.OrdinalIgnoreCase) ? null : parameters.TenantId);
            var tokenCacheProvider = interactiveParameters.TokenCacheProvider;
            var resource           = interactiveParameters.Environment.GetEndpoint(interactiveParameters.ResourceId) ?? interactiveParameters.ResourceId;
            var scopes             = AuthenticationHelpers.GetScope(onPremise, resource);
            var clientId           = AuthenticationHelpers.PowerShellClientId;

            var requestContext = new TokenRequestContext(scopes);
            var authority      = interactiveParameters.Environment.ActiveDirectoryAuthority;

            var options = new InteractiveBrowserCredentialOptions()
            {
                ClientId = clientId,
                TenantId = tenantId,
                TokenCachePersistenceOptions = tokenCacheProvider.GetTokenCachePersistenceOptions(),
                AuthorityHost = new Uri(authority),
                RedirectUri   = GetReplyUrl(onPremise, interactiveParameters),
                LoginHint     = interactiveParameters.UserId,
            };
            var browserCredential = new InteractiveBrowserCredential(options);

            TracingAdapter.Information($"{DateTime.Now:T} - [InteractiveUserAuthenticator] Calling InteractiveBrowserCredential.AuthenticateAsync with TenantId:'{options.TenantId}', Scopes:'{string.Join(",", scopes)}', AuthorityHost:'{options.AuthorityHost}', RedirectUri:'{options.RedirectUri}'");
            var authTask = browserCredential.AuthenticateAsync(requestContext, cancellationToken);

            return(MsalAccessToken.GetAccessTokenAsync(
                       authTask,
                       browserCredential,
                       requestContext,
                       cancellationToken));
        }
Esempio n. 6
0
        public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
        {
            var msiParameters = parameters as ManagedServiceIdentityParameters;

            var scopes         = new[] { GetResourceId(msiParameters.ResourceId, msiParameters.Environment) };
            var requestContext = new TokenRequestContext(scopes);
            ManagedIdentityCredential identityCredential = new ManagedIdentityCredential();
            var tokenTask = identityCredential.GetTokenAsync(requestContext);

            return(MsalAccessToken.GetAccessTokenAsync(tokenTask, msiParameters.TenantId, msiParameters.Account.Id));
        }
        //MSAL doesn't cache Service Principal into msal.cache
        public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
        {
            var spParameters = parameters as ServicePrincipalParameters;
            var onPremise    = spParameters.Environment.OnPremise;
            var tenantId     = onPremise ? AdfsTenant :
                               (string.Equals(parameters.TenantId, OrganizationsTenant, StringComparison.OrdinalIgnoreCase) ? null : parameters.TenantId);
            var resource  = spParameters.Environment.GetEndpoint(spParameters.ResourceId) ?? spParameters.ResourceId;
            var scopes    = AuthenticationHelpers.GetScope(onPremise, resource);
            var clientId  = spParameters.ApplicationId;
            var authority = spParameters.Environment.ActiveDirectoryAuthority;

            var requestContext = new TokenRequestContext(scopes);

            var options = new ClientCertificateCredentialOptions()
            {
                AuthorityHost = new Uri(authority)
            };

            if (!string.IsNullOrEmpty(spParameters.Thumbprint))
            {
                //Service Principal with Certificate
                ClientCertificateCredential certCredential;
                if (!ClientCertCredentialMap.TryGetValue(spParameters.ApplicationId, out certCredential))
                {
                    //first time login
                    var certificate = AzureSession.Instance.DataStore.GetCertificate(spParameters.Thumbprint);
                    certCredential = new ClientCertificateCredential(tenantId, spParameters.ApplicationId, certificate, options);
                    var tokenTask = certCredential.GetTokenAsync(requestContext, cancellationToken);
                    return(MsalAccessToken.GetAccessTokenAsync(tokenTask,
                                                               () => { ClientCertCredentialMap[spParameters.ApplicationId] = certCredential; },
                                                               spParameters.TenantId,
                                                               spParameters.ApplicationId));
                }
                else
                {
                    var tokenTask = certCredential.GetTokenAsync(requestContext, cancellationToken);
                    return(MsalAccessToken.GetAccessTokenAsync(tokenTask, spParameters.TenantId, spParameters.ApplicationId));
                }
            }
            else if (spParameters.Secret != null)
            {
                // service principal with secret
                var secretCredential = new ClientSecretCredential(tenantId, spParameters.ApplicationId, spParameters.Secret.ConvertToString(), options);
                var tokenTask        = secretCredential.GetTokenAsync(requestContext, cancellationToken);
                return(MsalAccessToken.GetAccessTokenAsync(
                           tokenTask,
                           spParameters.TenantId,
                           spParameters.ApplicationId));
            }
            else
            {
                throw new MsalException(MsalError.AuthenticationFailed, string.Format(AuthenticationFailedMessage, clientId));
            }
        }
        //MSAL doesn't cache Service Principal into msal.cache
        public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
        {
            var spParameters = parameters as ServicePrincipalParameters;
            var onPremise    = spParameters.Environment.OnPremise;
            var tenantId     = onPremise ? AdfsTenant :
                               (string.Equals(parameters.TenantId, OrganizationsTenant, StringComparison.OrdinalIgnoreCase) ? null : parameters.TenantId);
            var resource  = spParameters.Environment.GetEndpoint(spParameters.ResourceId) ?? spParameters.ResourceId;
            var scopes    = AuthenticationHelpers.GetScope(onPremise, resource);
            var clientId  = spParameters.ApplicationId;
            var authority = spParameters.Environment.ActiveDirectoryAuthority;

            var requestContext = new TokenRequestContext(scopes);

            var options = new ClientCertificateCredentialOptions()
            {
                AuthorityHost        = new Uri(authority),
                SendCertificateChain = spParameters.SendCertificateChain ?? default(bool)
            };

            if (!string.IsNullOrEmpty(spParameters.Thumbprint))
            {
                //Service Principal with Certificate
                var certificate = AzureSession.Instance.DataStore.GetCertificate(spParameters.Thumbprint);
                ClientCertificateCredential certCredential = new ClientCertificateCredential(tenantId, spParameters.ApplicationId, certificate, options);
                var parametersLog = $"- Thumbprint:'{spParameters.Thumbprint}', ApplicationId:'{spParameters.ApplicationId}', TenantId:'{tenantId}', Scopes:'{string.Join(",", scopes)}', AuthorityHost:'{options.AuthorityHost}'";
                return(MsalAccessToken.GetAccessTokenAsync(
                           nameof(ServicePrincipalAuthenticator),
                           parametersLog,
                           certCredential,
                           requestContext,
                           cancellationToken,
                           spParameters.TenantId,
                           spParameters.ApplicationId));
            }
            else if (spParameters.Secret != null)
            {
                // service principal with secret
                var secretCredential = new ClientSecretCredential(tenantId, spParameters.ApplicationId, spParameters.Secret.ConvertToString(), options);
                var parametersLog    = $"- ApplicationId:'{spParameters.ApplicationId}', TenantId:'{tenantId}', Scopes:'{string.Join(",", scopes)}', AuthorityHost:'{options.AuthorityHost}'";
                return(MsalAccessToken.GetAccessTokenAsync(
                           nameof(ServicePrincipalAuthenticator),
                           parametersLog,
                           secretCredential,
                           requestContext,
                           cancellationToken,
                           spParameters.TenantId,
                           spParameters.ApplicationId));
            }
            else
            {
                throw new MsalException(MsalError.AuthenticationFailed, string.Format(AuthenticationFailedMessage, clientId));
            }
        }
        public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
        {
            var msiParameters = parameters as ManagedServiceIdentityParameters;

            var scopes         = new[] { GetResourceId(msiParameters.ResourceId, msiParameters.Environment) };
            var requestContext = new TokenRequestContext(scopes);
            var userAccountId  = SystemMsiNameRegex.IsMatch(msiParameters.Account.Id) ? null : msiParameters.Account.Id;
            ManagedIdentityCredential identityCredential = new ManagedIdentityCredential(userAccountId);

            return(MsalAccessToken.GetAccessTokenAsync(identityCredential, requestContext, cancellationToken,
                                                       msiParameters.TenantId, msiParameters.Account.Id));
        }
Esempio n. 10
0
        public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
        {
            var upParameters       = parameters as UsernamePasswordParameters;
            var onPremise          = upParameters.Environment.OnPremise;
            var tenantId           = onPremise ? AdfsTenant : upParameters.TenantId; //Is user name + password valid in Adfs env?
            var tokenCacheProvider = upParameters.TokenCacheProvider;
            var resource           = upParameters.Environment.GetEndpoint(upParameters.ResourceId) ?? upParameters.ResourceId;
            var scopes             = AuthenticationHelpers.GetScope(onPremise, resource);
            var clientId           = AuthenticationHelpers.PowerShellClientId;
            var authority          = upParameters.Environment.ActiveDirectoryAuthority;

            var requestContext = new TokenRequestContext(scopes);
            UsernamePasswordCredential passwordCredential;

            AzureSession.Instance.TryGetComponent(nameof(PowerShellTokenCache), out PowerShellTokenCache tokenCache);

            var credentialOptions = new UsernamePasswordCredentialOptions()
            {
                AuthorityHost = new Uri(authority),
                TokenCache    = tokenCache.TokenCache
            };

            if (upParameters.Password != null)
            {
                passwordCredential = new UsernamePasswordCredential(upParameters.UserId, upParameters.Password.ConvertToString(), tenantId, clientId, credentialOptions);
                TracingAdapter.Information($"{DateTime.Now:T} - [UsernamePasswordAuthenticator] Calling UsernamePasswordCredential.AuthenticateAsync - TenantId:'{tenantId}', Scopes:'{string.Join(",", scopes)}', AuthorityHost:'{authority}', UserId:'{upParameters.UserId}'");
                var authTask = passwordCredential.AuthenticateAsync(requestContext, cancellationToken);
                return(MsalAccessToken.GetAccessTokenAsync(
                           authTask,
                           passwordCredential,
                           requestContext,
                           cancellationToken));
            }
            else
            {
                throw new InvalidOperationException(Resources.MissingPasswordAndNoCache);
            }
        }
        public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
        {
            var interactiveParameters = parameters as InteractiveParameters;
            var onPremise             = interactiveParameters.Environment.OnPremise;
            //null instead of "organizations" should be passed to Azure.Identity to support MSA account
            var tenantId = onPremise ? AdfsTenant :
                           (string.Equals(parameters.TenantId, OrganizationsTenant, StringComparison.OrdinalIgnoreCase) ? null : parameters.TenantId);
            var tokenCacheProvider = interactiveParameters.TokenCacheProvider;
            var resource           = interactiveParameters.Environment.GetEndpoint(interactiveParameters.ResourceId) ?? interactiveParameters.ResourceId;
            var scopes             = AuthenticationHelpers.GetScope(onPremise, resource);
            var clientId           = AuthenticationHelpers.PowerShellClientId;

            var requestContext = new TokenRequestContext(scopes);
            var authority      = interactiveParameters.Environment.ActiveDirectoryAuthority;

            AzureSession.Instance.TryGetComponent(nameof(PowerShellTokenCache), out PowerShellTokenCache tokenCache);

            var options = new InteractiveBrowserCredentialOptions()
            {
                ClientId      = clientId,
                TenantId      = tenantId,
                TokenCache    = tokenCache.TokenCache,
                AuthorityHost = new Uri(authority),
                RedirectUri   = GetReplyUrl(onPremise, interactiveParameters),
            };
            var browserCredential = new InteractiveBrowserCredential(options);
            var source            = new CancellationTokenSource();

            source.CancelAfter(TimeSpan.FromMinutes(5));
            var authTask = browserCredential.AuthenticateAsync(requestContext, source.Token);

            return(MsalAccessToken.GetAccessTokenAsync(
                       authTask,
                       browserCredential,
                       requestContext,
                       source.Token));
        }