static async Task Main(string[] args)
{
string tenantId = "00000000-0000-0000-0000-000000000000";
string subscriptionId = "00000000-0000-0000-0000-000000000000";
DefaultAzureCredential credential = new DefaultAzureCredential();
// If utilizing a user assigned managed identity, then uncomment the second line and comment out the line above
// DefaultAzureCredential credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = UserAssignedManagedIdentityId });
// Create token request context with scope set to .default for the ARM and MS Graph endpoints
// Get token which will sequentially call the included credentials in the order
// EnvironmentCredential, ManagedIdentityCredential, SharedTokenCacheCredential,
// and InteractiveBrowserCredential returning the first successfully obtained AccessToken
// for more information: https://docs.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential.gettokenasync?view=azure-dotnet
TokenRequestContext tokenRequestContextARM = new TokenRequestContext(new[] { "https://management.core.windows.net//.default" });
AccessToken tokenRequestResultARM = await credential.GetTokenAsync(tokenRequestContextARM);
TokenRequestContext tokenRequestContextGraph = new TokenRequestContext(new[] { "https://graph.microsoft.com//.default" });
AccessToken tokenRequestResultGraph = await credential.GetTokenAsync(tokenRequestContextGraph);
// Credentials used for authenticating a fluent management client to Azure.
AzureCredentials credentials = new AzureCredentials(
new TokenCredentials(tokenRequestResultARM.Token),
new TokenCredentials(tokenRequestResultGraph.Token),
tenantId,
AzureEnvironment.AzureGlobalCloud);
// Top level abstraction of Azure. https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.management.fluent.iazure?view=azure-dotnet
// .WithSubscription is optional if you wish to return resource beyond the scope of a single subscription.
IAzure azure = Microsoft.Azure.Management.Fluent.Azure
.Configure()
.WithLogLevel(HttpLoggingDelegatingHandler.Level.Basic)
.Authenticate(credentials)
.WithSubscription(subscriptionId);
// Iterate through Microsoft.Sql top level resources (servers) and a list of databases (sub resources)
// for data collection define IList<T> outside of these nested loops and add resources and sub resources
// of interest to collections.
IPagedCollection <ISqlServer> servers = await azure.SqlServers.ListAsync();
do
{
foreach (ISqlServer server in servers)
{
Console.WriteLine($"Server: {server.Name} Azure AD Admin: {server.GetActiveDirectoryAdministrator().SignInName}");
Console.WriteLine($"\tResource Group: {server.ResourceGroupName}");
IReadOnlyList <ISqlDatabase> databases = await server.Databases.ListAsync();
foreach (ISqlDatabase database in databases)
{
Console.WriteLine($"\t\tDatabase name: {database.Name} created: {database.CreationDate}");
}
}
servers = await servers.GetNextPageAsync();
} while (servers != null);
}
public async static Task <GraphServiceClient> GetGraphClientAsync()
{
// Create the Microsoft Graph service client
// with a DefaultAzureCredential class, which gets an access token
// by using the available Managed Identity.
// In order to use user assigned managed identity use the following two lines.
// string userAssignedClientId = "<your managed identity client Id>";
// var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = userAssignedClientId });
var credential = new DefaultAzureCredential();
var token = await credential.GetTokenAsync(
new Azure.Core.TokenRequestContext(
new[] { "https://graph.microsoft.com/.default" }));
var graphServiceClient = new GraphServiceClient(
new DelegateAuthenticationProvider((requestMessage) =>
{
requestMessage
.Headers
.Authorization = new AuthenticationHeaderValue("bearer", token.Token);
return(Task.CompletedTask);
}));
return(graphServiceClient);
}
public async Task <IActionResult> CallFunction()
{
string apiUrl = _configuration.GetValue <string>("APIUrl");
string resource = _configuration.GetValue <string>("APIScope");
DefaultAzureCredential credential = new DefaultAzureCredential();
TokenRequestContext tokenRequestContext = new TokenRequestContext(new string[]
{
resource
});
AccessToken accessToken = await credential.GetTokenAsync(tokenRequestContext);
ViewBag.AccessToken = accessToken.Token;
_httpClient.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accessToken.Token);
HttpResponseMessage httpResponseMessage = await _httpClient.GetAsync(apiUrl);
if (httpResponseMessage.IsSuccessStatusCode)
{
string response = await httpResponseMessage.Content.ReadAsStringAsync();
dynamic json = JsonConvert.DeserializeObject <dynamic>(response);
ViewBag.DateTime = json.datetime;
}
return(View());
}
private async Task <DbConnection> GetDbConnectionAsync(Request request, Result result)
{
if (request.DatabaseType == SqlConnectionDatabaseType.SqlServer)
{
var connection = new SqlConnection(request.SqlConnectionStringValue);
if (request.UseAzureManagedIdentity)
{
// Request an access token for Azure SQL Database using the current Azure Managed Identity.
this.Logger.LogInformation("Acquiring access token using Azure Managed Identity using Client ID \"{ClientId}\"", request.AzureManagedIdentityClientId);
// If AzureManagedIdentityClientId is requested, that indicates the User-Assigned Managed Identity to use; if omitted the System-Assigned Managed Identity will be used.
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions {
ManagedIdentityClientId = request.AzureManagedIdentityClientId
});
var authenticationResult = await credential.GetTokenAsync(new TokenRequestContext(new[] { "https://database.windows.net/.default" }));
var accessToken = authenticationResult.Token;
connection.AccessToken = accessToken;
result.AccessToken = accessToken;
}
return(connection);
}
else if (request.DatabaseType == SqlConnectionDatabaseType.PostgreSql)
{
return(new NpgsqlConnection(request.SqlConnectionStringValue));
}
else if (request.DatabaseType == SqlConnectionDatabaseType.MySql)
{
return(new MySqlConnection(request.SqlConnectionStringValue));
}
else
{
throw new NotSupportedException($"\"{request.DatabaseType.ToString()}\" is not a supported ADO.NET database type");
}
}
public static async Task <IActionResult> RunAsync([HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = null)] HttpRequest req)
{
string referer = req.Headers["Referer"];
if (string.IsNullOrEmpty(referer))
{
return(new UnauthorizedResult());
}
string result = Array.Find(allowd, site => referer.StartsWith(site, StringComparison.OrdinalIgnoreCase));
if (string.IsNullOrEmpty(result))
{
return(new UnauthorizedResult());
}
// Managed identities for Azure resources and Azure Maps
// For the Web SDK to authorize correctly, you still must assign Azure role based access control for the managed identity
// https://docs.microsoft.com/en-us/azure/azure-maps/how-to-manage-authentication
var tokenCredential = new DefaultAzureCredential();
var accessToken = await tokenCredential.GetTokenAsync(
new TokenRequestContext(new[] { "https://atlas.microsoft.com/.default" })
);
return(new OkObjectResult(accessToken.Token));
}
public async Task CredentialTypeLogged(Type availableCredential)
{
List <string> messages = new();
using AzureEventSourceListener listener = new AzureEventSourceListener(
(_, message) => messages.Add(message),
EventLevel.Informational);
var expToken = new AccessToken(Guid.NewGuid().ToString(), DateTimeOffset.MaxValue);
List <Type> calledCredentials = new();
var credFactory = GetMockDefaultAzureCredentialFactory(availableCredential, expToken, calledCredentials);
var options = new DefaultAzureCredentialOptions
{
ExcludeEnvironmentCredential = false,
ExcludeManagedIdentityCredential = false,
ExcludeSharedTokenCacheCredential = false,
ExcludeAzureCliCredential = false,
ExcludeInteractiveBrowserCredential = false,
};
var cred = new DefaultAzureCredential(credFactory, options);
await cred.GetTokenAsync(new TokenRequestContext(MockScopes.Default));
Assert.That(messages, Has.Some.Match(availableCredential.Name).And.Some.Match("DefaultAzureCredential credential selected"));
}
public static async Task <IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = null)] HttpRequest req,
ILogger log)
{
log.LogInformation("e request");
// Manually get access token for storage (demo purposes only)
// NEVER LOG TOKENS LIKE THAT IN PRODUCTION!
var cred = new DefaultAzureCredential();
var token = await cred.GetTokenAsync(new TokenRequestContext(new[] { "https://storage.azure.com/.default" }));
log.LogInformation(token.Token);
// Download a blob with the Azure-provided token
const string containerEndpoint = "https://stvwazureday.blob.core.windows.net/vwazureday/";
var containerClient = new BlobContainerClient(new Uri(containerEndpoint), new DefaultAzureCredential());
var blockBlobClient = containerClient.GetBlockBlobClient("hello-world.txt");
using var memorystream = new MemoryStream();
await blockBlobClient.DownloadToAsync(memorystream);
var message = Encoding.UTF8.GetString(memorystream.ToArray());
log.LogInformation("Done processing the request");
return(new OkObjectResult(message));
}
public static async Task GetSubscriptions(DefaultAzureCredential credential)
{
// Create token request context with scope set to .default
TokenRequestContext tokenRequestContext = new TokenRequestContext(new[] { "https://management.core.windows.net//.default" });
AccessToken tokenRequestResult = await credential.GetTokenAsync(tokenRequestContext);
// Initialize ServiceClientCredential utilizing acquired token
ServiceClientCredentials serviceClientCreds = new TokenCredentials(tokenRequestResult.Token);
// ServiceClientCredentials is the abstraction for credentials used by ServiceClients accessing REST services.
Microsoft.Azure.Management.Subscription.SubscriptionClient subClient = new Microsoft.Azure.Management.Subscription.SubscriptionClient(serviceClientCreds);
// Get list of subscriptions in tenant
var listSubscriptions = subClient.Subscriptions.List();
int i = 0;
// Print out results to the console
foreach (var sub in listSubscriptions)
{
Debug.WriteLine(sub);
list[i] = sub.DisplayName;
Debug.WriteLine("array output " + list[i]);
Debug.WriteLine("Subscription: " + sub.DisplayName);
i++;
SubscriptionID = Convert.ToString(sub.SubscriptionId);
}
}
public async Task <IActionResult> GetTokenAsync()
{
// tokenProvider will cache the token in memory, if you would like to reduce the dependency on Azure AD we recommend
// implementing a distributed cache combined with using the other methods available on tokenProvider.
var accessToken = await tokenProvider.GetTokenAsync(new TokenRequestContext(new string[] { "https://atlas.microsoft.com/.default" }), HttpContext.RequestAborted);
return(Ok(accessToken.Token));
}
private ValueTask <AccessToken> GetTokenFromDefaultAzureCredential(Action <DefaultAzureCredentialOptions> optBuilder)
{
var opts = new DefaultAzureCredentialOptions();
optBuilder?.Invoke(opts);
var defaultCredentials = new DefaultAzureCredential(opts);
return(defaultCredentials.GetTokenAsync(_requestContext, System.Threading.CancellationToken.None));
}
private async Task <SqlConnection> CreateSqlConnection()
{
var resource = "https://database.windows.net/.default";
var cred = new DefaultAzureCredential();
var token = await cred.GetTokenAsync(new TokenRequestContext(new[] { resource }));
var con = new SqlConnection(_connectionString);
con.AccessToken = token.Token;
return(con);
}
/// <summary>
/// Prototype of certificate-less authentication using a signed assertion
/// acquired with managed identity (certificateless).
/// </summary>
/// <returns>The signed assertion.</returns>
private async Task <ClientAssertion> GetSignedAssertionFromFederatedTokenProvider(CancellationToken cancellationToken)
{
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions {
ManagedIdentityClientId = _managedIdentityClientId
});
var result = await credential.GetTokenAsync(
new TokenRequestContext(new[] { "api://AzureADTokenExchange/.default" }, null),
cancellationToken).ConfigureAwait(false);
return(new ClientAssertion(result.Token, result.ExpiresOn));
}
public async Task <string> GetConnectionString()
{
if (UseCredentialChain)
{
var credential = new DefaultAzureCredential();
var accessToken = await credential.GetTokenAsync(new TokenRequestContext(new[] { "https://ossrdbms-aad.database.windows.net" }));
stringBuilder.Add("password", accessToken.Token);
}
return(stringBuilder.ConnectionString);
}
/// <summary>
/// Authenticates to Azure and gets a bearer token.
/// </summary>
private async Task <string> GetIdentityTokenAsync()
{
Console.WriteLine($"Attempting to authenticate.");
var cred = new DefaultAzureCredential();
string[] scopes = new string[] { ManagementUri + "/.default" };
var accessToken = await cred.GetTokenAsync(new TokenRequestContext(scopes));
var token = accessToken.Token;
return(token);
}
private static string GetAccessTokenFromAzureIdentity()
{
var tokenCredential = new DefaultAzureCredential();
var context = new TokenRequestContext(new string[] { azureSqlResourceId });
var token = tokenCredential.GetTokenAsync(context).GetAwaiter().GetResult();
Console.WriteLine(DateTime.UtcNow + $" ******** Azure Identity Library ********");
PrintAccessTokenExpiry(token.Token);
Console.WriteLine(DateTime.UtcNow + $" Azure Identity Expires On: " + token.ExpiresOn);
Console.WriteLine(DateTime.UtcNow + $" ********************");
return(token.Token);
}
public async Task <DbConnection> GetConnectionAsync(
CancellationToken cancellationToken = default(CancellationToken))
{
var sqlConnection = new SqlConnection(_connectionString);
var credential = new DefaultAzureCredential();
var accessToken =
(await credential.GetTokenAsync(
new TokenRequestContext(_authenticationTokenScopes),
cancellationToken)).Token;
sqlConnection.AccessToken = accessToken;
return(sqlConnection);
}
public ApplicationService(
DefaultAzureCredential defaultAzureCredential,
ILogger <ApplicationService> logger
)
{
client = new GraphServiceClient(new DelegateAuthenticationProvider(async message =>
{
var at = await defaultAzureCredential.GetTokenAsync(new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" }));
message.Headers.Authorization = new AuthenticationHeaderValue("Bearer", at.Token);
await Task.CompletedTask;
}));
this.logger = logger;
}
private async Task <AccessTokenItem> GetNewAuthToken(string resource)
{
var tokenCredential = new DefaultAzureCredential(new DefaultAzureCredentialOptions {
ManagedIdentityClientId = essManagedIdentityConfiguration.Value.ClientId
});
var accessToken = await tokenCredential.GetTokenAsync(
new TokenRequestContext(scopes : new string[] { resource + "/.default" }) { }
);
return(new AccessTokenItem
{
ExpiresIn = accessToken.ExpiresOn.UtcDateTime,
AccessToken = accessToken.Token
});
}
public async Task ValidateSelectedCredentialCaching(Type availableCredential)
{
var expToken = new AccessToken(Guid.NewGuid().ToString(), DateTimeOffset.MaxValue);
List <Type> calledCredentials = new();
var credFactory = GetMockDefaultAzureCredentialFactory(availableCredential, expToken, calledCredentials);
var options = new DefaultAzureCredentialOptions
{
ExcludeEnvironmentCredential = false,
ExcludeManagedIdentityCredential = false,
ExcludeSharedTokenCacheCredential = false,
ExcludeAzureCliCredential = false,
ExcludeAzurePowerShellCredential = false,
ExcludeInteractiveBrowserCredential = false
};
var cred = new DefaultAzureCredential(credFactory, options);
AccessToken actToken = await cred.GetTokenAsync(new TokenRequestContext(MockScopes.Default));
Assert.AreEqual(expToken.Token, actToken.Token);
// assert that the available credential was the last credential called
Assert.AreEqual(calledCredentials[calledCredentials.Count - 1], availableCredential);
calledCredentials.Clear();
actToken = await cred.GetTokenAsync(new TokenRequestContext(MockScopes.Default));
Assert.AreEqual(expToken.Token, actToken.Token);
// assert that the available credential was the only credential called
Assert.AreEqual(calledCredentials.Count, 1);
Assert.AreEqual(calledCredentials[0], availableCredential);
}
/// <summary>
/// Gets a valid token using a Service Principal or a Managed Identity
/// </summary>
public static async Task <TokenCredentials> GetTokenCredentialsAsync(string resource, string tenantId, AzureAuthenticationInfo authenticationInfo, System.Uri azureAuthorityHost)
{
Guard.NotNullOrWhitespace(resource, nameof(resource));
Guard.NotNullOrWhitespace(tenantId, nameof(tenantId));
Guard.NotNull(authenticationInfo, nameof(authenticationInfo));
TokenCredential tokenCredential;
var tokenCredentialOptions = new TokenCredentialOptions {
AuthorityHost = azureAuthorityHost
};
switch (authenticationInfo.Mode)
{
case AuthenticationMode.ServicePrincipal:
tokenCredential = new ClientSecretCredential(tenantId, authenticationInfo.IdentityId, authenticationInfo.Secret, tokenCredentialOptions);
break;
case AuthenticationMode.UserAssignedManagedIdentity:
tokenCredential = new ManagedIdentityCredential(authenticationInfo.IdentityId, tokenCredentialOptions);
break;
case AuthenticationMode.SystemAssignedManagedIdentity:
tokenCredential = new ManagedIdentityCredential(options: tokenCredentialOptions);
break;
default:
tokenCredential = new DefaultAzureCredential();
break;
}
// When you reaching an endpoint, using an impersonate identity, the only endpoint available is always '/.default'
// MSAL add the './default' string to your resource request behind the scene.
// We have to do it here, since we are at a lower level(and we are not using MSAL; by the way)
if (!resource.ToLowerInvariant().EndsWith("/.default"))
{
if (!resource.EndsWith("/"))
{
resource += "/";
}
resource += ".default";
}
var accessToken = await tokenCredential.GetTokenAsync(new TokenRequestContext(new[] { resource }), default);
return(new TokenCredentials(accessToken.Token));
}
protected override async Task <Result> ExecuteCoreAsync(Request request)
{
this.Logger.LogInformation("Acquiring token using Azure Managed Identity for Scopes \"{Scopes}\" using Client ID \"{ClientId}\"", request.Scopes, request.AzureManagedIdentityClientId);
var scopes = request.Scopes == null?Array.Empty <string>() : request.Scopes.Split(' ', StringSplitOptions.RemoveEmptyEntries);
// If AzureManagedIdentityClientId is requested, that indicates the User-Assigned Managed Identity to use; if omitted the System-Assigned Managed Identity will be used.
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions {
ManagedIdentityClientId = request.AzureManagedIdentityClientId
});
var authenticationResult = await credential.GetTokenAsync(new TokenRequestContext(scopes));
return(new Result
{
AccessToken = authenticationResult.Token,
ExpiresOn = authenticationResult.ExpiresOn
});
}
public static async Task <IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = null)] HttpRequest req,
ILogger log)
{
log.LogInformation("Starting to process request");
var resultBuilder = new StringBuilder();
try
{
resultBuilder.Append("Claims:\n");
foreach (var claim in req.HttpContext.User.Claims)
{
resultBuilder.Append($" {claim.Type}: {claim.Value}\n");
}
resultBuilder.Append("\n");
// Manually get access token for storage (demo purposes only)
// NEVER LOG TOKENS LIKE THAT IN PRODUCTION!
var cred = new DefaultAzureCredential();
var token = await cred.GetTokenAsync(new TokenRequestContext(new[] { "https://storage.azure.com/.default" }));
resultBuilder.Append($"Token: {token.Token}\n\n");
var addresses = Dns.GetHostAddresses("stvwazuredayprivate.blob.core.windows.net");
foreach (var hostAddress in addresses)
{
resultBuilder.Append($"Address: {hostAddress}\n\n");
}
using var client = new HttpClient();
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);
client.DefaultRequestHeaders.Add("x-ms-version", "2017-11-09");
var message = await client.GetStringAsync("https://stvwazuredayprivate.blob.core.windows.net/vwazureday/hello-world.txt");
log.LogInformation("Done processing the request");
resultBuilder.Append($"Message: {message}\n\n");
}
catch (Exception ex)
{
resultBuilder.Append($"Exception: {ex.Message}\n\n");
}
return(new OkObjectResult(resultBuilder.ToString()));
}
public async Task <IActionResult> About()
{
// Get token
var tokenRequestContext = new TokenRequestContext(new[] { "api://a3cad856-d73c-40bc-b082-64982a3e55ac/KeyVault" });
var tokenCredential = new DefaultAzureCredential(new DefaultAzureCredentialOptions()
{
InteractiveBrowserTenantId = "72f988bf-86f1-41af-91ab-2d7cd011db47",
SharedTokenCacheTenantId = "common",
SharedTokenCacheUsername = User.Identity.Name,
ExcludeEnvironmentCredential = true,
ExcludeManagedIdentityCredential = true,
ExcludeAzureCliCredential = true,
ExcludeVisualStudioCodeCredential = true,
});
//var credOption = new SharedTokenCacheCredentialOptions();
//credOption.TenantId = User.Claims.FirstOrDefault(t => t.Type == "http://schemas.microsoft.com/identity/claims/tenantid").Value;
//credOption.Username = User.Identity.Name;
//var sharedCredential = new SharedTokenCacheCredential(credOption);
var token = await tokenCredential.GetTokenAsync(tokenRequestContext, CancellationToken.None);
//var token = await new SharedTokenCacheCredential(credOption).GetTokenAsync(tokenRequestContext, CancellationToken.None);
// Get Key Vault secret
var secretName = "DbPassword";
var httpClient = clientFactory.CreateClient();
httpClient.BaseAddress = new Uri(config["ServicePrinciple:KeyVaultEndpoint"]);
httpClient.DefaultRequestHeaders.Add("Authorization", $"Bearer {token}");
var requestKeyVault = new HttpRequestMessage(HttpMethod.Get, $"secrets/{secretName}?api-version=7.0");
var keyVaultResponse = await httpClient.SendAsync(requestKeyVault);
if (keyVaultResponse.IsSuccessStatusCode)
{
var message = await keyVaultResponse.Content.ReadAsStringAsync();
ViewBag.DbPassword = JsonSerializer.Deserialize <KeyVaultResponse>(message).value;
}
else
{
ViewBag.DbPassword = keyVaultResponse.ReasonPhrase;
}
return(View());
}
private static async Task <GraphServiceClient> GetGraphApiClient()
{
var credential = new DefaultAzureCredential();
var token = await credential.GetTokenAsync(
new Azure.Core.TokenRequestContext(
new[] { "https://graph.microsoft.com/.default" }));
var accessToken = token.Token;
var graphServiceClient = new GraphServiceClient(
new DelegateAuthenticationProvider((requestMessage) =>
{
requestMessage
.Headers
.Authorization = new AuthenticationHeaderValue("bearer", accessToken);
return(Task.CompletedTask);
}));
return(graphServiceClient);
}
internal static async Task <GraphServiceClient> InitializeGraphClientWithMsiAsync()
{
var credential = new DefaultAzureCredential();
var tokenResult = await credential.GetTokenAsync(new Azure.Core.TokenRequestContext(new string[] { "https://graph.microsoft.com" }));
string token = tokenResult.Token;
Console.WriteLine("MSI token that is used in the GraphServiceClient:");
Console.WriteLine(token);
Console.WriteLine("\n\n");
var client = new GraphServiceClient(
new DelegateAuthenticationProvider((requestMessage) =>
{
requestMessage
.Headers
.Authorization = new AuthenticationHeaderValue("Bearer", token);
return(Task.CompletedTask);
}));
return(client);
}
static async Task GetSubscriptions(DefaultAzureCredential credential)
{
// Create token request context with scope set to .default
TokenRequestContext tokenRequestContext = new TokenRequestContext(new[] { "https://management.core.windows.net//.default" });
// Get token which will sequentially call the included credentials in the order
// EnvironmentCredential, ManagedIdentityCredential, SharedTokenCacheCredential,
// and InteractiveBrowserCredential returning the first successfully obtained AccessToken
// for more information: https://docs.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential.gettokenasync?view=azure-dotnet
AccessToken tokenRequestResult = await credential.GetTokenAsync(tokenRequestContext);
// Initialize ServiceClientCredential utilizing acquired token
ServiceClientCredentials serviceClientCreds = new TokenCredentials(tokenRequestResult.Token);
// Initialize SubscriptionClient with the service client credentials
SubscriptionClient subClient = new SubscriptionClient(serviceClientCreds);
// Get list of subscriptions in tenant
var listSubscriptions = subClient.Subscriptions.List();
// Print out results to the console
foreach (var sub in listSubscriptions)
{
Console.WriteLine("Subscription: " + sub.DisplayName);
// Get all resource groups in the subscription
await GetResourceGroups(credential, sub.SubscriptionId);
Console.WriteLine("\n");
}
}
public async Task ValidateSelectedCredentialCaching([Values(typeof(EnvironmentCredential), typeof(ManagedIdentityCredential), typeof(SharedTokenCacheCredential), typeof(AzureCliCredential), typeof(InteractiveBrowserCredential))] Type availableCredential)
{
var expToken = new AccessToken(Guid.NewGuid().ToString(), DateTimeOffset.MaxValue);
var credFactory = new MockDefaultAzureCredentialFactory(CredentialPipeline.GetInstance(null));
List <Type> calledCredentials = new List <Type>();
credFactory.OnCreateEnvironmentCredential = (c) =>
{
((MockTokenCredential)c).TokenFactory = (context, cancel) =>
{
calledCredentials.Add(typeof(EnvironmentCredential));
return((availableCredential == typeof(EnvironmentCredential)) ? expToken : throw new CredentialUnavailableException("Unavailable"));
};
};
credFactory.OnCreateManagedIdentityCredential = (clientId, c) =>
{
((MockTokenCredential)c).TokenFactory = (context, cancel) =>
{
calledCredentials.Add(typeof(ManagedIdentityCredential));
return((availableCredential == typeof(ManagedIdentityCredential)) ? expToken : throw new CredentialUnavailableException("Unavailable"));
};
};
credFactory.OnCreateSharedTokenCacheCredential = (tenantId, username, c) =>
{
((MockTokenCredential)c).TokenFactory = (context, cancel) =>
{
calledCredentials.Add(typeof(SharedTokenCacheCredential));
return((availableCredential == typeof(SharedTokenCacheCredential)) ? expToken : throw new CredentialUnavailableException("Unavailable"));
};
};
credFactory.OnCreateAzureCliCredential = (c) =>
{
((MockTokenCredential)c).TokenFactory = (context, cancel) =>
{
calledCredentials.Add(typeof(AzureCliCredential));
return((availableCredential == typeof(AzureCliCredential)) ? expToken : throw new CredentialUnavailableException("Unavailable"));
};
};
credFactory.OnCreateInteractiveBrowserCredential = (_, c) =>
{
((MockTokenCredential)c).TokenFactory = (context, cancel) =>
{
calledCredentials.Add(typeof(InteractiveBrowserCredential));
return((availableCredential == typeof(InteractiveBrowserCredential)) ? expToken : throw new CredentialUnavailableException("Unavailable"));
};
};
var options = new DefaultAzureCredentialOptions
{
ExcludeEnvironmentCredential = false,
ExcludeManagedIdentityCredential = false,
ExcludeSharedTokenCacheCredential = false,
ExcludeAzureCliCredential = false,
ExcludeInteractiveBrowserCredential = false
};
var cred = new DefaultAzureCredential(credFactory, options);
AccessToken actToken = await cred.GetTokenAsync(new TokenRequestContext(MockScopes.Default));
Assert.AreEqual(expToken.Token, actToken.Token);
// assert that the available credential was the last credential called
Assert.AreEqual(calledCredentials[calledCredentials.Count - 1], availableCredential);
calledCredentials.Clear();
actToken = await cred.GetTokenAsync(new TokenRequestContext(MockScopes.Default));
Assert.AreEqual(expToken.Token, actToken.Token);
// assert that the available credential was the only credential called
Assert.AreEqual(calledCredentials.Count, 1);
Assert.AreEqual(calledCredentials[0], availableCredential);
}
public void ValidateUnhandledException([Values(0, 1, 2, 3, 4)] int exPossition)
{
var credFactory = new MockDefaultAzureCredentialFactory(CredentialPipeline.GetInstance(null));
credFactory.OnCreateEnvironmentCredential = (c) =>
{
((MockTokenCredential)c).TokenFactory = (context, cancel) =>
{
if (exPossition > 0)
{
throw new CredentialUnavailableException("EnvironmentCredential Unavailable");
}
else
{
throw new MockClientException("EnvironmentCredential unhandled exception");
}
};
};
credFactory.OnCreateManagedIdentityCredential = (clientId, c) =>
{
((MockTokenCredential)c).TokenFactory = (context, cancel) =>
{
if (exPossition > 1)
{
throw new CredentialUnavailableException("ManagedIdentityCredential Unavailable");
}
else
{
throw new MockClientException("ManagedIdentityCredential unhandled exception");
}
};
};
credFactory.OnCreateSharedTokenCacheCredential = (tenantId, username, c) =>
{
((MockTokenCredential)c).TokenFactory = (context, cancel) =>
{
if (exPossition > 2)
{
throw new CredentialUnavailableException("SharedTokenCacheCredential Unavailable");
}
else
{
throw new MockClientException("SharedTokenCacheCredential unhandled exception");
}
};
};
credFactory.OnCreateAzureCliCredential = (c) =>
{
((MockTokenCredential)c).TokenFactory = (context, cancel) =>
{
if (exPossition > 3)
{
throw new CredentialUnavailableException("CliCredential Unavailable");
}
else
{
throw new MockClientException("CliCredential unhandled exception");
}
};
};
credFactory.OnCreateInteractiveBrowserCredential = (_, c) =>
{
((MockTokenCredential)c).TokenFactory = (context, cancel) =>
{
throw new MockClientException("InteractiveBrowserCredential unhandled exception");
};
};
var options = new DefaultAzureCredentialOptions
{
ExcludeEnvironmentCredential = false,
ExcludeManagedIdentityCredential = false,
ExcludeSharedTokenCacheCredential = false,
ExcludeAzureCliCredential = false,
ExcludeInteractiveBrowserCredential = false
};
var cred = new DefaultAzureCredential(credFactory, options);
var ex = Assert.ThrowsAsync <AuthenticationFailedException>(async() => await cred.GetTokenAsync(new TokenRequestContext(MockScopes.Default)));
switch (exPossition)
{
case 0:
Assert.AreEqual(ex.InnerException.Message, "EnvironmentCredential unhandled exception");
break;
case 1:
Assert.AreEqual(ex.InnerException.Message, "ManagedIdentityCredential unhandled exception");
break;
case 2:
Assert.AreEqual(ex.InnerException.Message, "SharedTokenCacheCredential unhandled exception");
break;
case 3:
Assert.AreEqual(ex.InnerException.Message, "CliCredential unhandled exception");
break;
case 4:
Assert.AreEqual(ex.InnerException.Message, "InteractiveBrowserCredential unhandled exception");
break;
default:
Assert.Fail();
break;
}
}
public void ValidateAllUnavailable([Values(true, false)] bool excludeEnvironmentCredential, [Values(true, false)] bool excludeManagedIdentityCredential, [Values(true, false)] bool excludeSharedTokenCacheCredential, [Values(true, false)] bool excludeCliCredential, [Values(true, false)] bool excludeInteractiveBrowserCredential)
{
if (excludeEnvironmentCredential && excludeManagedIdentityCredential && excludeSharedTokenCacheCredential && excludeCliCredential && excludeInteractiveBrowserCredential)
{
Assert.Pass();
}
var credFactory = new MockDefaultAzureCredentialFactory(CredentialPipeline.GetInstance(null));
credFactory.OnCreateEnvironmentCredential = (c) =>
{
((MockTokenCredential)c).TokenFactory = (context, cancel) => { throw new CredentialUnavailableException("EnvironmentCredential Unavailable"); };
};
credFactory.OnCreateInteractiveBrowserCredential = (_, c) =>
{
((MockTokenCredential)c).TokenFactory = (context, cancel) => { throw new CredentialUnavailableException("InteractiveBrowserCredential Unavailable"); };
};
credFactory.OnCreateManagedIdentityCredential = (clientId, c) =>
{
((MockTokenCredential)c).TokenFactory = (context, cancel) => { throw new CredentialUnavailableException("ManagedIdentityCredential Unavailable"); };
};
credFactory.OnCreateSharedTokenCacheCredential = (tenantId, username, c) =>
{
((MockTokenCredential)c).TokenFactory = (context, cancel) => { throw new CredentialUnavailableException("SharedTokenCacheCredential Unavailable"); };
};
credFactory.OnCreateAzureCliCredential = (c) =>
{
((MockTokenCredential)c).TokenFactory = (context, cancel) => { throw new CredentialUnavailableException("CliCredential Unavailable"); };
};
var options = new DefaultAzureCredentialOptions
{
ExcludeEnvironmentCredential = excludeEnvironmentCredential,
ExcludeManagedIdentityCredential = excludeManagedIdentityCredential,
ExcludeSharedTokenCacheCredential = excludeSharedTokenCacheCredential,
ExcludeAzureCliCredential = excludeCliCredential,
ExcludeInteractiveBrowserCredential = excludeInteractiveBrowserCredential
};
var cred = new DefaultAzureCredential(credFactory, options);
var ex = Assert.ThrowsAsync <CredentialUnavailableException>(async() => await cred.GetTokenAsync(new TokenRequestContext(MockScopes.Default)));
if (!excludeEnvironmentCredential)
{
Assert.True(ex.Message.Contains("EnvironmentCredential Unavailable"));
}
if (!excludeManagedIdentityCredential)
{
Assert.True(ex.Message.Contains("ManagedIdentityCredential Unavailable"));
}
if (!excludeSharedTokenCacheCredential)
{
Assert.True(ex.Message.Contains("SharedTokenCacheCredential Unavailable"));
}
if (!excludeCliCredential)
{
Assert.True(ex.Message.Contains("CliCredential Unavailable"));
}
if (!excludeInteractiveBrowserCredential)
{
Assert.True(ex.Message.Contains("InteractiveBrowserCredential Unavailable"));
}
}
public async Task <AuthenticationHeaderValue> GetAuthenticationHeaderAsync(CancellationToken cancellationToken)
{
var token = await cred.GetTokenAsync(new Azure.Core.TokenRequestContext(new[] { this.scope }));
return(new AuthenticationHeaderValue("Bearer", token.Token));
}
