// Exercises ClientSecretCredential against the service principal configured in the
// test environment: the first request must return a token, a repeat request on the
// same credential must return that same token, and a separately constructed
// credential must not hand back the first credential's token.
public async Task GetToken()
{
    var tenant = TestEnvironment.ServicePrincipalTenantId;
    var client = TestEnvironment.ServicePrincipalClientId;
    // The client secret is read from the test environment; no secret literal lives in this test.
    var clientSecret = TestEnvironment.ServicePrincipalClientSecret;

    var credentialOptions = Recording.InstrumentClientOptions(new TokenCredentialOptions());
    var firstCredential = new ClientSecretCredential(tenant, client, clientSecret, credentialOptions);

    string[] scopes = { AzureAuthorityHosts.GetDefaultScope(AzureAuthorityHosts.AzurePublicCloud) };
    var requestContext = new TokenRequestContext(scopes);

    // The first request must yield a token.
    var initial = await firstCredential.GetTokenAsync(requestContext);
    Assert.IsNotNull(initial.Token);

    // A second request before expiry is expected to come from the credential's token
    // cache, so the token string must be identical.
    var repeated = await firstCredential.GetTokenAsync(requestContext);
    Assert.AreEqual(initial.Token, repeated.Token);

    // A new credential instance built from the same inputs must not share that cache.
    var secondCredential = new ClientSecretCredential(tenant, client, clientSecret, credentialOptions);
    var fromSecondCredential = await secondCredential.GetTokenAsync(requestContext);

    // The inequality check is skipped when Mode is Playback or None. Presumably recorded
    // tokens are scrubbed and would always compare equal; confirm against the recording setup.
    if (Mode == RecordedTestMode.Playback || Mode == RecordedTestMode.None)
    {
        return;
    }

    Assert.AreNotEqual(initial.Token, fromSecondCredential.Token);
}
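// Exercises ClientCertificateCredential built from an in-memory X509Certificate2:
// the first request must return a token, a repeat request on the same credential must
// return that same token, and a second credential instance must not reuse it.
public async Task FromX509Certificate2()
{
    var tenantId = TestEnvironment.ServicePrincipalTenantId;
    var clientId = TestEnvironment.ServicePrincipalClientId;

    // X509Certificate2 is IDisposable and this PFX is loaded for client authentication,
    // so it carries key material. Dispose it deterministically once the test is done
    // instead of leaving the native certificate/key handle to the finalizer.
    using (var cert = new X509Certificate2(TestEnvironment.ServicePrincipalCertificatePfxPath))
    {
        var options = Recording.InstrumentClientOptions(new TokenCredentialOptions());
        var credential = new ClientCertificateCredential(tenantId, clientId, cert, options);

        var tokenRequestContext = new TokenRequestContext(new[] { AzureAuthorityHosts.GetDefaultScope(AzureAuthorityHosts.AzurePublicCloud) });

        // ensure we can initially acquire a token
        AccessToken token = await credential.GetTokenAsync(tokenRequestContext);
        Assert.IsNotNull(token.Token);

        // ensure subsequent calls before the token expires are served from the token cache
        AccessToken cachedToken = await credential.GetTokenAsync(tokenRequestContext);
        Assert.AreEqual(token.Token, cachedToken.Token);

        // ensure new credentials don't share tokens from the cache
        var credential2 = new ClientCertificateCredential(tenantId, clientId, cert, options);
        AccessToken token2 = await credential2.GetTokenAsync(tokenRequestContext);

        // this assert is conditional because the access token is scrubbed in the recording
        // so they will never be different
        if (Mode != RecordedTestMode.Playback && Mode != RecordedTestMode.None)
        {
            Assert.AreNotEqual(token.Token, token2.Token);
        }
    }
}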
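// Negative test: authenticating the configured service principal with a certificate
// that does not belong to it (Data/cert.pfx from the test directory) must fail with
// AuthenticationFailedException rather than leak a lower-level exception.
public void IncorrectCertificate()
{
    var tenantId = TestEnvironment.ServicePrincipalTenantId;
    var clientId = TestEnvironment.ServicePrincipalClientId;
    var certPath = Path.Combine(TestContext.CurrentContext.TestDirectory, "Data", "cert.pfx");

    var options = InstrumentClientOptions(new TokenCredentialOptions());

    // X509Certificate2 is IDisposable; the original created it inline and never released it.
    // Assert.ThrowsAsync runs the delegate to completion before it returns, so the
    // certificate stays alive for the whole token request and is disposed right after.
    using (var wrongCert = new X509Certificate2(certPath))
    {
        var credential = new ClientCertificateCredential(tenantId, clientId, wrongCert, options);

        var tokenRequestContext = new TokenRequestContext(new[] { AzureAuthorityHosts.GetDefaultScope(AzureAuthorityHosts.AzurePublicCloud) });

        // ensure the incorrect client claim is rejected, handled and wrapped in AuthenticationFailedException
        Assert.ThrowsAsync<AuthenticationFailedException>(async () => await credential.GetTokenAsync(tokenRequestContext));
    }
}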
// Negative test: a ClientSecretCredential built with a wrong client secret must fail
// the token request with AuthenticationFailedException.
public void GetTokenIncorrectPassword()
{
    var tenant = TestEnvironment.ServicePrincipalTenantId;
    var client = TestEnvironment.ServicePrincipalClientId;
    // Deliberately invalid placeholder value, not a real credential.
    var wrongSecret = "badsecret";

    var credentialOptions = InstrumentClientOptions(new TokenCredentialOptions());
    var credentialUnderTest = new ClientSecretCredential(tenant, client, wrongSecret, credentialOptions);

    string[] scopes = { AzureAuthorityHosts.GetDefaultScope(AzureAuthorityHosts.AzurePublicCloud) };
    var requestContext = new TokenRequestContext(scopes);

    // The request must be rejected and surfaced as AuthenticationFailedException.
    Assert.ThrowsAsync<AuthenticationFailedException>(async () =>
    {
        await credentialUnderTest.GetTokenAsync(requestContext);
    });
}
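// Exercises ClientAssertionCredential with a caller-supplied assertion callback.
//
// useAsyncCallback: when true the credential is built with the
//   Func<CancellationToken, Task<string>> callback overload; when false with the
//   synchronous Func<string> overload. Both callbacks return the string produced by
//   CreateClientAssertionJWT (defined elsewhere; presumably a JWT signed with the
//   certificate, confirm against the helper).
//
// The test then checks: a token is returned, a repeat request returns the same token,
// and a separate ClientCertificateCredential does not reuse the first credential's token.
// NOTE(review): the method name is misspelled ("Authnenticate"); it is left unchanged
// because test names may be referenced by recordings or filters outside this view.
public async Task AuthnenticateWithAssertionCallback(bool useAsyncCallback)
{
    var tenantId = TestEnvironment.ServicePrincipalTenantId;
    var clientId = TestEnvironment.ServicePrincipalClientId;

    // X509Certificate2 is IDisposable and holds the key material used to build the
    // assertion. Every use, including the callbacks that capture it, happens inside this
    // scope, so it is released deterministically when the test ends.
    using (var cert = new X509Certificate2(TestEnvironment.ServicePrincipalCertificatePfxPath))
    {
        var options = InstrumentClientOptions(new ClientAssertionCredentialOptions());

        ClientAssertionCredential credential;
        if (useAsyncCallback)
        {
            Func<CancellationToken, Task<string>> assertionCallback =
                (ct) => Task.FromResult(CreateClientAssertionJWT(options.AuthorityHost, clientId, tenantId, cert));
            credential = InstrumentClient(new ClientAssertionCredential(tenantId, clientId, assertionCallback, options));
        }
        else
        {
            Func<string> assertionCallback =
                () => CreateClientAssertionJWT(options.AuthorityHost, clientId, tenantId, cert);
            credential = InstrumentClient(new ClientAssertionCredential(tenantId, clientId, assertionCallback, options));
        }

        var tokenRequestContext = new TokenRequestContext(new[] { AzureAuthorityHosts.GetDefaultScope(new Uri(TestEnvironment.AuthorityHostUrl)) });

        // ensure we can initially acquire a token
        AccessToken token = await credential.GetTokenAsync(tokenRequestContext);
        Assert.IsNotNull(token.Token);

        // ensure subsequent calls before the token expires are served from the token cache
        AccessToken cachedToken = await credential.GetTokenAsync(tokenRequestContext);
        Assert.AreEqual(token.Token, cachedToken.Token);

        // ensure new credentials don't share tokens from the cache
        var credential2 = new ClientCertificateCredential(tenantId, clientId, cert, options);
        AccessToken token2 = await credential2.GetTokenAsync(tokenRequestContext);

        // this assert is conditional because the access token is scrubbed in the recording
        // so they will never be different
        if (Mode != RecordedTestMode.Playback && Mode != RecordedTestMode.None)
        {
            Assert.AreNotEqual(token.Token, token2.Token);
        }
    }
}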
// Exercises ClientCertificateCredential with the IncludeX5CCliamHeader option enabled,
// using the certificate at TestEnvironment.ServicePrincipalSniCertificatePath.
// Presumably the option makes the client assertion carry the certificate chain (x5c)
// for subject-name/issuer authentication; confirm against ClientCertificateCredentialOptions.
// The only assertion is that a token comes back; the assertion header is not inspected here.
public async Task IncludeX5CCliamHeader()
{
    var tenant = TestEnvironment.ServicePrincipalTenantId;
    var client = TestEnvironment.ServicePrincipalClientId;
    var sniCertificatePath = TestEnvironment.ServicePrincipalSniCertificatePath;

    var certificateOptions = new ClientCertificateCredentialOptions { IncludeX5CCliamHeader = true };
    var instrumentedOptions = InstrumentClientOptions(certificateOptions);
    var credentialUnderTest = new ClientCertificateCredential(tenant, client, sniCertificatePath, instrumentedOptions);

    string[] scopes = { AzureAuthorityHosts.GetDefaultScope(AzureAuthorityHosts.AzurePublicCloud) };
    var requestContext = new TokenRequestContext(scopes);

    // The request must succeed and return a token.
    var acquired = await credentialUnderTest.GetTokenAsync(requestContext);
    Assert.IsNotNull(acquired.Token);
}
// Exercises ClientSecretCredential with a caller-supplied token cache (MemoryTokenCache,
// defined elsewhere): the first request must return a token and touch the cache, a
// repeat request must return the same token, and a second credential created without
// that cache must not hand back the first credential's token.
public async Task GetToken()
{
    var tenant = TestEnvironment.ServicePrincipalTenantId;
    var client = TestEnvironment.ServicePrincipalClientId;
    // The client secret is read from the test environment; no secret literal lives in this test.
    var clientSecret = TestEnvironment.ServicePrincipalClientSecret;

    var tokenCache = new MemoryTokenCache();
    var cachingOptions = InstrumentClientOptions(new ClientSecretCredentialOptions() { TokenCachePersistenceOptions = tokenCache });
    var cachingCredential = InstrumentClient(new ClientSecretCredential(tenant, client, clientSecret, cachingOptions));

    string[] scopes = { AzureAuthorityHosts.GetDefaultScope(new Uri(TestEnvironment.AuthorityHostUrl)) };
    var requestContext = new TokenRequestContext(scopes);

    // The first request must yield a token, and the supplied cache must have been both
    // read and updated at least once along the way.
    var initial = await cachingCredential.GetTokenAsync(requestContext);
    Assert.IsNotNull(initial.Token);
    Assert.That(tokenCache.CacheReadCount, Is.Not.Zero);
    Assert.That(tokenCache.CacheUpdatedCount, Is.Not.Zero);

    // A second request before expiry is expected to come from the cache, so the token
    // string must be identical.
    var repeated = await cachingCredential.GetTokenAsync(requestContext);
    Assert.AreEqual(initial.Token, repeated.Token);

    // The second credential gets fresh options with no cache attached, so it must not
    // see the first credential's cached token.
    var plainOptions = InstrumentClientOptions(new ClientSecretCredentialOptions());
    var isolatedCredential = new ClientSecretCredential(tenant, client, clientSecret, plainOptions);
    var fromIsolatedCredential = await isolatedCredential.GetTokenAsync(requestContext);

    // The inequality check is skipped when Mode is Playback or None. Presumably recorded
    // tokens are scrubbed and would always compare equal; confirm against the recording setup.
    if (Mode == RecordedTestMode.Playback || Mode == RecordedTestMode.None)
    {
        return;
    }

    Assert.AreNotEqual(initial.Token, fromIsolatedCredential.Token);
}
// Negative test for ManagedIdentityCredential: requesting a token for a user-assigned
// client id that was just generated at random must fail with AuthenticationFailedException.
// The test is ignored unless TestEnvironment.ArcEnable is set.
public void ValidateUserAssignedIdentity()
{
    if (string.IsNullOrEmpty(TestEnvironment.ArcEnable))
    {
        Assert.Ignore();
    }

    // ReadOrRestoreManagedIdentityEnvironment is defined elsewhere; its result is disposed
    // when this block exits (presumably restoring the managed identity environment; confirm).
    using (ReadOrRestoreManagedIdentityEnvironment())
    {
        // Not referenced again in this method; constructing it still throws if the
        // configured vault value is not a valid URI.
        var vaultUri = new Uri(TestEnvironment.SystemAssignedVault);

        // A fresh GUID is used as the client id, so the test expects no identity to match it.
        var randomClientId = Guid.NewGuid().ToString();
        var credentialOptions = InstrumentClientOptions(new TokenCredentialOptions());
        var cred = InstrumentClient(new ManagedIdentityCredential(clientId: randomClientId, options: credentialOptions));

        Assert.ThrowsAsync<AuthenticationFailedException>(async () =>
        {
            var requestContext = new TokenRequestContext(new string[] { AzureAuthorityHosts.GetDefaultScope(AzureAuthorityHosts.AzurePublicCloud) });
            await cred.GetTokenAsync(requestContext);
        });
    }
}