
com.azure.identity.OnBehalfOfCredentialBuilder Maven / Gradle / Ivy

// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

package com.azure.identity;

import com.azure.core.util.logging.ClientLogger;
import com.azure.identity.implementation.util.ValidationUtil;

import java.util.function.Supplier;

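/**
 * Fluent credential builder for instantiating a {@link OnBehalfOfCredential}.
 *
 * <p>On Behalf of authentication in Azure is a way for a user or application to authenticate to a service or resource
 * using credentials from another identity provider. This type of authentication is typically used when a user or
 * application wants to access a resource in Azure, but their credentials are managed by a different identity provider,
 * such as an on-premises Active Directory or a third-party identity provider.
 * To use "On Behalf of" authentication in Azure, the user must first authenticate to the identity provider using their
 * credentials. The identity provider then issues a security token that contains information about the user and their
 * permissions. This security token is then passed to Azure, which uses it to authenticate the user or application and
 * grant them access to the requested resource.
 * The OnBehalfOfCredential acquires a token with a client secret/certificate and user assertion for a Microsoft Entra
 * application on behalf of a user principal.</p>
 *
 * <p>The following code sample demonstrates the creation of a {@link com.azure.identity.OnBehalfOfCredential},
 * using the {@link com.azure.identity.OnBehalfOfCredentialBuilder} to configure it. The {@code tenantId} and
 * {@code clientId} parameters are required, together with exactly one client credential: a client secret, a client
 * certificate path, or a client assertion supplier ({@link #build()} rejects any other combination). The
 * {@code userAssertion} can be optionally specified on the {@link OnBehalfOfCredentialBuilder}. Once this credential
 * is created, it may be passed into the builder of many of the Azure SDK for Java client builders as the
 * 'credential' parameter.</p>
 *
 * <pre>
 * TokenCredential onBehalfOfCredential = new OnBehalfOfCredentialBuilder().clientId("&lt;app-client-ID&gt;")
 *     .clientSecret("&lt;app-Client-Secret&gt;")
 *     .tenantId("&lt;app-tenant-ID&gt;")
 *     .userAssertion("&lt;user-assertion&gt;")
 *     .build();
 * </pre>
 *
 * <p>The client secret, the certificate password and the user assertion are all credential material. Load them from
 * a secret store or protected configuration rather than hard-coding them as the placeholders above might suggest,
 * and keep them out of logs and exception messages.</p>
 *
 * @see OnBehalfOfCredential
 */
// The self-type argument keeps the inherited fluent setters (clientId, tenantId) chainable with the setters declared
// here, which the sample above relies on.
public class OnBehalfOfCredentialBuilder extends AadCredentialBuilderBase<OnBehalfOfCredentialBuilder> {
    private static final ClientLogger LOGGER = new ClientLogger(OnBehalfOfCredentialBuilder.class);
    private static final String CLASS_NAME = OnBehalfOfCredentialBuilder.class.getSimpleName();

    // Exactly one of clientSecret, clientCertificatePath and clientAssertionSupplier may be set; build() enforces it.
    private String clientSecret;
    // Shared by pemCertificate(...) and pfxCertificate(...); whichever is called last wins.
    private String clientCertificatePath;
    private String clientCertificatePassword;
    private Supplier<String> clientAssertionSupplier;

    /**
     * Constructs an instance of OnBehalfOfCredentialBuilder.
     */
    public OnBehalfOfCredentialBuilder() {
        super();
    }

    /**
     * Sets the client secret for the authentication.
     *
     * <p>Mutually exclusive with a client certificate and a client assertion supplier; see {@link #build()}.</p>
     *
     * @param clientSecret the secret value of the Microsoft Entra application.
     * @return An updated instance of this builder.
     */
    public OnBehalfOfCredentialBuilder clientSecret(String clientSecret) {
        this.clientSecret = clientSecret;
        return this;
    }

    /**
     * Configures the persistent shared token cache options and enables the persistent token cache which is disabled
     * by default. If configured, the credential will store tokens in a cache persisted to the machine, protected to
     * the current user, which can be shared by other credentials and processes.
     *
     * <p>Because the persisted cache is readable by other credentials and processes of the same user, enable it only
     * on hosts where that exposure of tokens is acceptable.</p>
     *
     * @param tokenCachePersistenceOptions the token cache configuration options
     * @return An updated instance of this builder with the token cache options configured.
     */
    public OnBehalfOfCredentialBuilder
        tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions) {
        this.identityClientOptions.setTokenCacheOptions(tokenCachePersistenceOptions);
        return this;
    }

    /**
     * Sets the path of the PEM certificate for authenticating to Microsoft Entra ID.
     *
     * <p>Stores into the same field as {@link #pfxCertificate(String)}, so the later of the two calls wins.</p>
     *
     * @param pemCertificatePath the PEM file containing the certificate
     * @return An updated instance of this builder.
     */
    public OnBehalfOfCredentialBuilder pemCertificate(String pemCertificatePath) {
        this.clientCertificatePath = pemCertificatePath;
        return this;
    }

    /**
     * Sets the path of the PFX certificate for authenticating to Microsoft Entra ID. The password protecting the
     * file is supplied separately through {@link #clientCertificatePassword(String)}.
     *
     * <p>Stores into the same field as {@link #pemCertificate(String)}, so the later of the two calls wins.</p>
     *
     * @param pfxCertificatePath the password protected PFX file containing the certificate
     * @return An updated instance of this builder.
     */
    public OnBehalfOfCredentialBuilder pfxCertificate(String pfxCertificatePath) {
        this.clientCertificatePath = pfxCertificatePath;
        return this;
    }

    /**
     * Sets the password of the client certificate for authenticating to Microsoft Entra ID.
     *
     * <p>{@link #build()} does not check that a certificate path has also been configured; the password is simply
     * handed to the credential alongside whichever client credential was chosen.</p>
     *
     * @param clientCertificatePassword the password protecting the certificate
     * @return An updated instance of this builder.
     */
    public OnBehalfOfCredentialBuilder clientCertificatePassword(String clientCertificatePassword) {
        this.clientCertificatePassword = clientCertificatePassword;
        return this;
    }

    /**
     * Specifies if the x5c claim (public key of the certificate) should be sent as part of the authentication request
     * and enable subject name / issuer based authentication. The default value is false.
     *
     * @param sendCertificateChain the flag to indicate if certificate chain should be sent as part of authentication
     * request.
     * @return An updated instance of this builder.
     */
    public OnBehalfOfCredentialBuilder sendCertificateChain(boolean sendCertificateChain) {
        this.identityClientOptions.setIncludeX5c(sendCertificateChain);
        return this;
    }

    /**
     * Configures the user assertion to be used for the OnBehalfOf authentication request.
     *
     * <p>The assertion is the user's access token, so it should be handled as a secret. {@link #build()} does not
     * verify that an assertion has been set.</p>
     *
     * @param userAssertion the user assertion access token to be used for On behalf Of authentication flow
     * @return An updated instance of this builder with the user assertion configured.
     */
    public OnBehalfOfCredentialBuilder userAssertion(String userAssertion) {
        this.identityClientOptions.userAssertion(userAssertion);
        return this;
    }

    /**
     * Sets the supplier containing the logic to supply the client assertion when invoked.
     *
     * <p>Mutually exclusive with a client secret and a client certificate; see {@link #build()}.</p>
     *
     * @param clientAssertionSupplier the supplier supplying client assertion.
     * @return An updated instance of this builder.
     */
    public OnBehalfOfCredentialBuilder clientAssertion(Supplier<String> clientAssertionSupplier) {
        this.clientAssertionSupplier = clientAssertionSupplier;
        return this;
    }

    /**
     * Creates a new {@link OnBehalfOfCredential} with the current configurations.
     *
     * @return a {@link OnBehalfOfCredential} with the current configurations.
     * @throws IllegalArgumentException if not exactly one of the client secret, the client certificate path and the
     * client assertion supplier is configured.
     */
    public OnBehalfOfCredential build() {
        // Presumably rejects a missing clientId or tenantId; ValidationUtil is not shown here, so confirm there.
        ValidationUtil.validate(CLASS_NAME, LOGGER, "clientId", clientId, "tenantId", tenantId);

        // Count the configured client credentials: zero means the app cannot authenticate, and more than one would
        // leave it ambiguous which credential is actually used.
        int configuredClientCredentials = 0;
        if (clientSecret != null) {
            configuredClientCredentials++;
        }
        if (clientCertificatePath != null) {
            configuredClientCredentials++;
        }
        if (clientAssertionSupplier != null) {
            configuredClientCredentials++;
        }

        if (configuredClientCredentials != 1) {
            throw LOGGER.logExceptionAsWarning(new IllegalArgumentException("Exactly one of client secret, "
                + "client certificate path, or client assertion supplier must be provided "
                + "in OnBehalfOfCredentialBuilder."));
        }

        return new OnBehalfOfCredential(clientId, tenantId, clientSecret, clientCertificatePath,
            clientCertificatePassword, clientAssertionSupplier, identityClientOptions);
    }
}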



