public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
{
var deviceCodeParameters = parameters as DeviceCodeParameters;
var tokenCacheProvider = parameters.TokenCacheProvider;
var onPremise = parameters.Environment.OnPremise;
//null instead of "organizations" should be passed to Azure.Identity to support MSA account
var tenantId = onPremise ? AdfsTenant :
(string.Equals(parameters.TenantId, OrganizationsTenant, StringComparison.OrdinalIgnoreCase) ? null : parameters.TenantId);
var resource = parameters.Environment.GetEndpoint(parameters.ResourceId) ?? parameters.ResourceId;
var scopes = AuthenticationHelpers.GetScope(onPremise, resource);
var clientId = AuthenticationHelpers.PowerShellClientId;
var authority = parameters.Environment.ActiveDirectoryAuthority;
var requestContext = new TokenRequestContext(scopes);
DeviceCodeCredentialOptions options = new DeviceCodeCredentialOptions()
{
DeviceCodeCallback = DeviceCodeFunc,
AuthorityHost = new Uri(authority),
ClientId = clientId,
TenantId = tenantId,
TokenCachePersistenceOptions = tokenCacheProvider.GetTokenCachePersistenceOptions(),
};
var codeCredential = new DeviceCodeCredential(options);
TracingAdapter.Information($"{DateTime.Now:T} - [DeviceCodeAuthenticator] Calling DeviceCodeCredential.AuthenticateAsync - TenantId:'{options.TenantId}', Scopes:'{string.Join(",", scopes)}', AuthorityHost:'{options.AuthorityHost}'");
var authTask = codeCredential.AuthenticateAsync(requestContext, cancellationToken);
return(MsalAccessToken.GetAccessTokenAsync(
authTask,
codeCredential,
requestContext,
cancellationToken));
}
//MSAL doesn't cache Service Principal into msal.cache
public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
{
var spParameters = parameters as ClientAssertionParameters;
var onPremise = spParameters.Environment.OnPremise;
var tenantId = onPremise ? AdfsTenant :
(string.Equals(parameters.TenantId, OrganizationsTenant, StringComparison.OrdinalIgnoreCase) ? null : parameters.TenantId);
var resource = spParameters.Environment.GetEndpoint(spParameters.ResourceId) ?? spParameters.ResourceId;
var scopes = AuthenticationHelpers.GetScope(onPremise, resource);
var authority = spParameters.Environment.ActiveDirectoryAuthority;
var requestContext = new TokenRequestContext(scopes);
AzureSession.Instance.TryGetComponent(nameof(AzureCredentialFactory), out AzureCredentialFactory azureCredentialFactory);
TokenCredential tokenCredential = new ClientAssertionCredential(tenantId, spParameters.ClientId, spParameters.ClientAssertion.ConvertToString());
string parametersLog = $"- ClientId:'{spParameters.ClientId}', TenantId:'{tenantId}', ClientAssertion:'***' Scopes:'{string.Join(",", scopes)}'";
return(MsalAccessToken.GetAccessTokenAsync(
nameof(ClientAssertionAuthenticator),
parametersLog,
tokenCredential,
requestContext,
cancellationToken,
spParameters.TenantId,
spParameters.ClientId));
}
public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
{
var deviceCodeParameters = parameters as DeviceCodeParameters;
var tokenCacheProvider = parameters.TokenCacheProvider;
var onPremise = parameters.Environment.OnPremise;
//null instead of "organizations" should be passed to Azure.Identity to support MSA account
var tenantId = onPremise ? AdfsTenant :
(string.Equals(parameters.TenantId, OrganizationsTenant, StringComparison.OrdinalIgnoreCase) ? null : parameters.TenantId);
var resource = parameters.Environment.GetEndpoint(parameters.ResourceId) ?? parameters.ResourceId;
var scopes = AuthenticationHelpers.GetScope(onPremise, resource);
var clientId = AuthenticationHelpers.PowerShellClientId;
var authority = parameters.Environment.ActiveDirectoryAuthority;
var requestContext = new TokenRequestContext(scopes);
AzureSession.Instance.TryGetComponent(nameof(PowerShellTokenCache), out PowerShellTokenCache tokenCache);
DeviceCodeCredentialOptions options = new DeviceCodeCredentialOptions()
{
DeviceCodeCallback = DeviceCodeFunc,
AuthorityHost = new Uri(authority),
ClientId = clientId,
TenantId = onPremise ? tenantId : null,
TokenCache = tokenCache.TokenCache,
};
var codeCredential = new DeviceCodeCredential(options);
var authTask = codeCredential.AuthenticateAsync(requestContext, cancellationToken);
return(MsalAccessToken.GetAccessTokenAsync(
authTask,
codeCredential,
requestContext,
cancellationToken));
}
public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
{
var silentParameters = parameters as SilentParameters;
var onPremise = silentParameters.Environment.OnPremise;
var tenantId = onPremise ? AdfsTenant :
(string.Equals(parameters.TenantId, OrganizationsTenant, StringComparison.OrdinalIgnoreCase) ? null : parameters.TenantId);
var resource = silentParameters.Environment.GetEndpoint(silentParameters.ResourceId) ?? silentParameters.ResourceId;
var scopes = AuthenticationHelpers.GetScope(onPremise, resource);
var authority = silentParameters.Environment.ActiveDirectoryAuthority;
AzureSession.Instance.TryGetComponent(nameof(PowerShellTokenCache), out PowerShellTokenCache tokenCache);
var options = new SharedTokenCacheCredentialOptions(tokenCache.TokenCache)
{
EnableGuestTenantAuthentication = true,
ClientId = AuthenticationHelpers.PowerShellClientId,
Username = silentParameters.UserId,
AuthorityHost = new Uri(authority),
TenantId = tenantId,
};
var cacheCredential = new SharedTokenCacheCredential(options);
var requestContext = new TokenRequestContext(scopes);
var parametersLog = $"- TenantId:'{options.TenantId}', Scopes:'{string.Join(",", scopes)}', AuthorityHost:'{options.AuthorityHost}', UserId:'{silentParameters.UserId}'";
return(MsalAccessToken.GetAccessTokenAsync(
nameof(SilentAuthenticator),
parametersLog,
cacheCredential,
requestContext,
cancellationToken,
silentParameters.TenantId,
silentParameters.UserId,
silentParameters.HomeAccountId));
}
public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
{
var interactiveParameters = parameters as InteractiveParameters;
var onPremise = interactiveParameters.Environment.OnPremise;
//null instead of "organizations" should be passed to Azure.Identity to support MSA account
var tenantId = onPremise ? AdfsTenant :
(string.Equals(parameters.TenantId, OrganizationsTenant, StringComparison.OrdinalIgnoreCase) ? null : parameters.TenantId);
var tokenCacheProvider = interactiveParameters.TokenCacheProvider;
var resource = interactiveParameters.Environment.GetEndpoint(interactiveParameters.ResourceId) ?? interactiveParameters.ResourceId;
var scopes = AuthenticationHelpers.GetScope(onPremise, resource);
var clientId = AuthenticationHelpers.PowerShellClientId;
var requestContext = new TokenRequestContext(scopes);
var authority = interactiveParameters.Environment.ActiveDirectoryAuthority;
var options = new InteractiveBrowserCredentialOptions()
{
ClientId = clientId,
TenantId = tenantId,
TokenCachePersistenceOptions = tokenCacheProvider.GetTokenCachePersistenceOptions(),
AuthorityHost = new Uri(authority),
RedirectUri = GetReplyUrl(onPremise, interactiveParameters),
LoginHint = interactiveParameters.UserId,
};
var browserCredential = new InteractiveBrowserCredential(options);
TracingAdapter.Information($"{DateTime.Now:T} - [InteractiveUserAuthenticator] Calling InteractiveBrowserCredential.AuthenticateAsync with TenantId:'{options.TenantId}', Scopes:'{string.Join(",", scopes)}', AuthorityHost:'{options.AuthorityHost}', RedirectUri:'{options.RedirectUri}'");
var authTask = browserCredential.AuthenticateAsync(requestContext, cancellationToken);
return(MsalAccessToken.GetAccessTokenAsync(
authTask,
browserCredential,
requestContext,
cancellationToken));
}
public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
{
var msiParameters = parameters as ManagedServiceIdentityParameters;
var scopes = new[] { GetResourceId(msiParameters.ResourceId, msiParameters.Environment) };
var requestContext = new TokenRequestContext(scopes);
ManagedIdentityCredential identityCredential = new ManagedIdentityCredential();
var tokenTask = identityCredential.GetTokenAsync(requestContext);
return(MsalAccessToken.GetAccessTokenAsync(tokenTask, msiParameters.TenantId, msiParameters.Account.Id));
}
//MSAL doesn't cache Service Principal into msal.cache
public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
{
var spParameters = parameters as ServicePrincipalParameters;
var onPremise = spParameters.Environment.OnPremise;
var tenantId = onPremise ? AdfsTenant :
(string.Equals(parameters.TenantId, OrganizationsTenant, StringComparison.OrdinalIgnoreCase) ? null : parameters.TenantId);
var resource = spParameters.Environment.GetEndpoint(spParameters.ResourceId) ?? spParameters.ResourceId;
var scopes = AuthenticationHelpers.GetScope(onPremise, resource);
var clientId = spParameters.ApplicationId;
var authority = spParameters.Environment.ActiveDirectoryAuthority;
var requestContext = new TokenRequestContext(scopes);
var options = new ClientCertificateCredentialOptions()
{
AuthorityHost = new Uri(authority)
};
if (!string.IsNullOrEmpty(spParameters.Thumbprint))
{
//Service Principal with Certificate
ClientCertificateCredential certCredential;
if (!ClientCertCredentialMap.TryGetValue(spParameters.ApplicationId, out certCredential))
{
//first time login
var certificate = AzureSession.Instance.DataStore.GetCertificate(spParameters.Thumbprint);
certCredential = new ClientCertificateCredential(tenantId, spParameters.ApplicationId, certificate, options);
var tokenTask = certCredential.GetTokenAsync(requestContext, cancellationToken);
return(MsalAccessToken.GetAccessTokenAsync(tokenTask,
() => { ClientCertCredentialMap[spParameters.ApplicationId] = certCredential; },
spParameters.TenantId,
spParameters.ApplicationId));
}
else
{
var tokenTask = certCredential.GetTokenAsync(requestContext, cancellationToken);
return(MsalAccessToken.GetAccessTokenAsync(tokenTask, spParameters.TenantId, spParameters.ApplicationId));
}
}
else if (spParameters.Secret != null)
{
// service principal with secret
var secretCredential = new ClientSecretCredential(tenantId, spParameters.ApplicationId, spParameters.Secret.ConvertToString(), options);
var tokenTask = secretCredential.GetTokenAsync(requestContext, cancellationToken);
return(MsalAccessToken.GetAccessTokenAsync(
tokenTask,
spParameters.TenantId,
spParameters.ApplicationId));
}
else
{
throw new MsalException(MsalError.AuthenticationFailed, string.Format(AuthenticationFailedMessage, clientId));
}
}
//MSAL doesn't cache Service Principal into msal.cache
public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
{
var spParameters = parameters as ServicePrincipalParameters;
var onPremise = spParameters.Environment.OnPremise;
var tenantId = onPremise ? AdfsTenant :
(string.Equals(parameters.TenantId, OrganizationsTenant, StringComparison.OrdinalIgnoreCase) ? null : parameters.TenantId);
var resource = spParameters.Environment.GetEndpoint(spParameters.ResourceId) ?? spParameters.ResourceId;
var scopes = AuthenticationHelpers.GetScope(onPremise, resource);
var clientId = spParameters.ApplicationId;
var authority = spParameters.Environment.ActiveDirectoryAuthority;
var requestContext = new TokenRequestContext(scopes);
var options = new ClientCertificateCredentialOptions()
{
AuthorityHost = new Uri(authority),
SendCertificateChain = spParameters.SendCertificateChain ?? default(bool)
};
if (!string.IsNullOrEmpty(spParameters.Thumbprint))
{
//Service Principal with Certificate
var certificate = AzureSession.Instance.DataStore.GetCertificate(spParameters.Thumbprint);
ClientCertificateCredential certCredential = new ClientCertificateCredential(tenantId, spParameters.ApplicationId, certificate, options);
var parametersLog = $"- Thumbprint:'{spParameters.Thumbprint}', ApplicationId:'{spParameters.ApplicationId}', TenantId:'{tenantId}', Scopes:'{string.Join(",", scopes)}', AuthorityHost:'{options.AuthorityHost}'";
return(MsalAccessToken.GetAccessTokenAsync(
nameof(ServicePrincipalAuthenticator),
parametersLog,
certCredential,
requestContext,
cancellationToken,
spParameters.TenantId,
spParameters.ApplicationId));
}
else if (spParameters.Secret != null)
{
// service principal with secret
var secretCredential = new ClientSecretCredential(tenantId, spParameters.ApplicationId, spParameters.Secret.ConvertToString(), options);
var parametersLog = $"- ApplicationId:'{spParameters.ApplicationId}', TenantId:'{tenantId}', Scopes:'{string.Join(",", scopes)}', AuthorityHost:'{options.AuthorityHost}'";
return(MsalAccessToken.GetAccessTokenAsync(
nameof(ServicePrincipalAuthenticator),
parametersLog,
secretCredential,
requestContext,
cancellationToken,
spParameters.TenantId,
spParameters.ApplicationId));
}
else
{
throw new MsalException(MsalError.AuthenticationFailed, string.Format(AuthenticationFailedMessage, clientId));
}
}
public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
{
var msiParameters = parameters as ManagedServiceIdentityParameters;
var scopes = new[] { GetResourceId(msiParameters.ResourceId, msiParameters.Environment) };
var requestContext = new TokenRequestContext(scopes);
var userAccountId = SystemMsiNameRegex.IsMatch(msiParameters.Account.Id) ? null : msiParameters.Account.Id;
ManagedIdentityCredential identityCredential = new ManagedIdentityCredential(userAccountId);
return(MsalAccessToken.GetAccessTokenAsync(identityCredential, requestContext, cancellationToken,
msiParameters.TenantId, msiParameters.Account.Id));
}
public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
{
var upParameters = parameters as UsernamePasswordParameters;
var onPremise = upParameters.Environment.OnPremise;
var tenantId = onPremise ? AdfsTenant : upParameters.TenantId; //Is user name + password valid in Adfs env?
var tokenCacheProvider = upParameters.TokenCacheProvider;
var resource = upParameters.Environment.GetEndpoint(upParameters.ResourceId) ?? upParameters.ResourceId;
var scopes = AuthenticationHelpers.GetScope(onPremise, resource);
var clientId = AuthenticationHelpers.PowerShellClientId;
var authority = upParameters.Environment.ActiveDirectoryAuthority;
var requestContext = new TokenRequestContext(scopes);
UsernamePasswordCredential passwordCredential;
AzureSession.Instance.TryGetComponent(nameof(PowerShellTokenCache), out PowerShellTokenCache tokenCache);
var credentialOptions = new UsernamePasswordCredentialOptions()
{
AuthorityHost = new Uri(authority),
TokenCache = tokenCache.TokenCache
};
if (upParameters.Password != null)
{
passwordCredential = new UsernamePasswordCredential(upParameters.UserId, upParameters.Password.ConvertToString(), tenantId, clientId, credentialOptions);
TracingAdapter.Information($"{DateTime.Now:T} - [UsernamePasswordAuthenticator] Calling UsernamePasswordCredential.AuthenticateAsync - TenantId:'{tenantId}', Scopes:'{string.Join(",", scopes)}', AuthorityHost:'{authority}', UserId:'{upParameters.UserId}'");
var authTask = passwordCredential.AuthenticateAsync(requestContext, cancellationToken);
return(MsalAccessToken.GetAccessTokenAsync(
authTask,
passwordCredential,
requestContext,
cancellationToken));
}
else
{
throw new InvalidOperationException(Resources.MissingPasswordAndNoCache);
}
}
public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
{
var interactiveParameters = parameters as InteractiveParameters;
var onPremise = interactiveParameters.Environment.OnPremise;
//null instead of "organizations" should be passed to Azure.Identity to support MSA account
var tenantId = onPremise ? AdfsTenant :
(string.Equals(parameters.TenantId, OrganizationsTenant, StringComparison.OrdinalIgnoreCase) ? null : parameters.TenantId);
var tokenCacheProvider = interactiveParameters.TokenCacheProvider;
var resource = interactiveParameters.Environment.GetEndpoint(interactiveParameters.ResourceId) ?? interactiveParameters.ResourceId;
var scopes = AuthenticationHelpers.GetScope(onPremise, resource);
var clientId = AuthenticationHelpers.PowerShellClientId;
var requestContext = new TokenRequestContext(scopes);
var authority = interactiveParameters.Environment.ActiveDirectoryAuthority;
AzureSession.Instance.TryGetComponent(nameof(PowerShellTokenCache), out PowerShellTokenCache tokenCache);
var options = new InteractiveBrowserCredentialOptions()
{
ClientId = clientId,
TenantId = tenantId,
TokenCache = tokenCache.TokenCache,
AuthorityHost = new Uri(authority),
RedirectUri = GetReplyUrl(onPremise, interactiveParameters),
};
var browserCredential = new InteractiveBrowserCredential(options);
var source = new CancellationTokenSource();
source.CancelAfter(TimeSpan.FromMinutes(5));
var authTask = browserCredential.AuthenticateAsync(requestContext, source.Token);
return(MsalAccessToken.GetAccessTokenAsync(
authTask,
browserCredential,
requestContext,
source.Token));
}