1 //go:build go1.18
2 // +build go1.18
3 4 // Copyright (c) Microsoft Corporation. All rights reserved.
5 // Licensed under the MIT License.
6 7 package azidentity
8 9 import (
10 "context"
11 "errors"
12 13 "github.com/Azure/azure-sdk-for-go/sdk/azcore"
14 "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
15 "github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
16 "github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
17 )
18 19 const credNameAssertion = "ClientAssertionCredential"
20 21 // ClientAssertionCredential authenticates an application with assertions provided by a callback function.
22 // This credential is for advanced scenarios. [ClientCertificateCredential] has a more convenient API for
23 // the most common assertion scenario, authenticating a service principal with a certificate. See
24 // [Microsoft Entra ID documentation] for details of the assertion format.
25 //
26 // [Microsoft Entra ID documentation]: https://learn.microsoft.com/entra/identity-platform/certificate-credentials#assertion-format
27 type ClientAssertionCredential struct {
28 client *confidentialClient
29 }
30 31 // ClientAssertionCredentialOptions contains optional parameters for ClientAssertionCredential.
32 type ClientAssertionCredentialOptions struct {
33 azcore.ClientOptions
34 35 // AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
36 // Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the
37 // application is registered.
38 AdditionallyAllowedTenants []string
39 40 // Cache is a persistent cache the credential will use to store the tokens it acquires, making
41 // them available to other processes and credential instances. The default, zero value means the
42 // credential will store tokens in memory and not share them with any other credential instance.
43 Cache Cache
44 45 // DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
46 // private clouds such as Azure Stack. It determines whether the credential requests Microsoft Entra instance metadata
47 // from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
48 // the application responsible for ensuring the configured authority is valid and trustworthy.
49 DisableInstanceDiscovery bool
50 }
51 52 // NewClientAssertionCredential constructs a ClientAssertionCredential. The getAssertion function must be thread safe. Pass nil for options to accept defaults.
53 func NewClientAssertionCredential(tenantID, clientID string, getAssertion func(context.Context) (string, error), options *ClientAssertionCredentialOptions) (*ClientAssertionCredential, error) {
54 if getAssertion == nil {
55 return nil, errors.New("getAssertion must be a function that returns assertions")
56 }
57 if options == nil {
58 options = &ClientAssertionCredentialOptions{}
59 }
60 cred := confidential.NewCredFromAssertionCallback(
61 func(ctx context.Context, _ confidential.AssertionRequestOptions) (string, error) {
62 return getAssertion(ctx)
63 },
64 )
65 msalOpts := confidentialClientOptions{
66 AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
67 Cache: options.Cache,
68 ClientOptions: options.ClientOptions,
69 DisableInstanceDiscovery: options.DisableInstanceDiscovery,
70 }
71 c, err := newConfidentialClient(tenantID, clientID, credNameAssertion, cred, msalOpts)
72 if err != nil {
73 return nil, err
74 }
75 return &ClientAssertionCredential{client: c}, nil
76 }
77 78 // GetToken requests an access token from Microsoft Entra ID. This method is called automatically by Azure SDK clients.
79 func (c *ClientAssertionCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
80 var err error
81 ctx, endSpan := runtime.StartSpan(ctx, credNameAssertion+"."+traceOpGetToken, c.client.azClient.Tracer(), nil)
82 defer func() { endSpan(err) }()
83 tk, err := c.client.GetToken(ctx, opts)
84 return tk, err
85 }
86 87 var _ azcore.TokenCredential = (*ClientAssertionCredential)(nil)
88