1 //go:build go1.18
2 // +build go1.18
3 4 // Copyright (c) Microsoft Corporation. All rights reserved.
5 // Licensed under the MIT License.
6 7 package azidentity
8 9 import (
10 "context"
11 12 "github.com/Azure/azure-sdk-for-go/sdk/azcore"
13 "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
14 "github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
15 "github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
16 )
17 18 const credNameSecret = "ClientSecretCredential"
19 20 // ClientSecretCredentialOptions contains optional parameters for ClientSecretCredential.
21 type ClientSecretCredentialOptions struct {
22 azcore.ClientOptions
23 24 // AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
25 // Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the
26 // application is registered.
27 AdditionallyAllowedTenants []string
28 29 // DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
30 // private clouds such as Azure Stack. It determines whether the credential requests Microsoft Entra instance metadata
31 // from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
32 // the application responsible for ensuring the configured authority is valid and trustworthy.
33 DisableInstanceDiscovery bool
34 35 // Cache is a persistent cache the credential will use to store the tokens it acquires, making
36 // them available to other processes and credential instances. The default, zero value means the
37 // credential will store tokens in memory and not share them with any other credential instance.
38 Cache Cache
39 }
40 41 // ClientSecretCredential authenticates an application with a client secret.
42 type ClientSecretCredential struct {
43 client *confidentialClient
44 }
45 46 // NewClientSecretCredential constructs a ClientSecretCredential. Pass nil for options to accept defaults.
47 func NewClientSecretCredential(tenantID string, clientID string, clientSecret string, options *ClientSecretCredentialOptions) (*ClientSecretCredential, error) {
48 if options == nil {
49 options = &ClientSecretCredentialOptions{}
50 }
51 cred, err := confidential.NewCredFromSecret(clientSecret)
52 if err != nil {
53 return nil, err
54 }
55 msalOpts := confidentialClientOptions{
56 AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
57 Cache: options.Cache,
58 ClientOptions: options.ClientOptions,
59 DisableInstanceDiscovery: options.DisableInstanceDiscovery,
60 }
61 c, err := newConfidentialClient(tenantID, clientID, credNameSecret, cred, msalOpts)
62 if err != nil {
63 return nil, err
64 }
65 return &ClientSecretCredential{client: c}, nil
66 }
67 68 // GetToken requests an access token from Microsoft Entra ID. This method is called automatically by Azure SDK clients.
69 func (c *ClientSecretCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
70 var err error
71 ctx, endSpan := runtime.StartSpan(ctx, credNameSecret+"."+traceOpGetToken, c.client.azClient.Tracer(), nil)
72 defer func() { endSpan(err) }()
73 tk, err := c.client.GetToken(ctx, opts)
74 return tk, err
75 }
76 77 var _ azcore.TokenCredential = (*ClientSecretCredential)(nil)
78