All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.azure.identity.ClientCertificateCredential Maven / Gradle / Ivy

The newest version!
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

package com.azure.identity;

import com.azure.core.annotation.Immutable;
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.core.util.logging.ClientLogger;
import com.azure.identity.implementation.IdentityClient;
import com.azure.identity.implementation.IdentityClientBuilder;
import com.azure.identity.implementation.IdentityClientOptions;
import com.azure.identity.implementation.IdentitySyncClient;
import com.azure.identity.implementation.util.LoggingUtil;
import reactor.core.publisher.Mono;

import java.io.ByteArrayInputStream;
import java.util.Objects;

/**
 * 

The ClientCertificateCredential acquires a token via service principal authentication. It is a type of * authentication in Azure that enables a non-interactive login to * Microsoft Entra ID, allowing * an application or service to authenticate itself with Azure resources. * A Service Principal is essentially an identity created for an application in Microsoft Entra ID that can be used to * authenticate with Azure resources. It's like a "user identity" for the application or service, and it provides * a way for the application to authenticate itself with Azure resources without needing to use a user's credentials. * Microsoft Entra ID allows users * to register service principals which can be used as an identity for authentication. * A client certificate associated with the registered service principal is used as the password when authenticating * the service principal. * The ClientCertificateCredential acquires an access token with a client certificate for a service principal/registered * Microsoft Entra application. The tenantId, clientId and clientCertificate of the service principal are required for this * credential to acquire an access token. It can be used both in Azure hosted and local development environments for * authentication. For more information refer to the * conceptual knowledge and configuration * details.

* *

As a pre-requisite, a service principal is required to use this authentication mechanism. If you don't have a * service principal, refer to * create a service principal with Azure CLI. *

* *

Sample: Construct a simple ClientCertificateCredential

* *

The following code sample demonstrates the creation of a {@link com.azure.identity.ClientCertificateCredential}, * using the {@link com.azure.identity.ClientCertificateCredentialBuilder} to configure it. The {@code tenantId}, * {@code clientId} and {@code certificate} parameters are required to create * {@link com.azure.identity.ClientCertificateCredential}. Once this credential is created, it may be passed into the * builder of many of the Azure SDK for Java client builders as the 'credential' parameter.

* * *
 * TokenCredential clientCertificateCredential = new ClientCertificateCredentialBuilder().tenantId(tenantId)
 *     .clientId(clientId)
 *     .pemCertificate("<PATH-TO-PEM-CERTIFICATE>")
 *     .build();
 * 
* * *

Sample: Construct a ClientCertificateCredential using {@link ByteArrayInputStream}

* *

The following code sample demonstrates the creation of a {@link com.azure.identity.ClientCertificateCredential}, * using the {@link com.azure.identity.ClientCertificateCredentialBuilder} to configure it. The {@code tenantId}, * {@code clientId} and {@code certificate} parameters are required to create * {@link com.azure.identity.ClientSecretCredential}. The {@code certificate} in this example is configured as * a {@link ByteArrayInputStream}. This is helpful if the certificate is available in memory via a cert store.

* * *
 * ByteArrayInputStream certificateStream = new ByteArrayInputStream(certificateBytes);
 * TokenCredential certificateCredentialWithStream = new ClientCertificateCredentialBuilder().tenantId(tenantId)
 *     .clientId(clientId)
 *     .pemCertificate(certificateStream)
 *     .build();
 * 
* * *

Sample: Construct a ClientCertificateCredential behind a proxy

* *

The following code sample demonstrates the creation of a {@link com.azure.identity.ClientCertificateCredential}, * using the {@link com.azure.identity.ClientCertificateCredentialBuilder} to configure it. The {@code tenantId}, * {@code clientId} and {@code certificate} parameters are required to create * {@link com.azure.identity.ClientSecretCredential}. THe {@code proxyOptions} can be optionally configured to target * a proxy. Once this credential is created, it may be passed into the builder of many of the Azure SDK for Java * client builders as the 'credential' parameter.

* * *
 * TokenCredential certificateCredential = new ClientCertificateCredentialBuilder().tenantId(tenantId)
 *     .clientId(clientId)
 *     .pfxCertificate("<PATH-TO-PFX-CERTIFICATE>", "P@s$w0rd")
 *     .proxyOptions(new ProxyOptions(Type.HTTP, new InetSocketAddress("10.21.32.43", 5465)))
 *     .build();
 * 
* * * @see com.azure.identity * @see ClientCertificateCredentialBuilder */ @Immutable public class ClientCertificateCredential implements TokenCredential { private static final ClientLogger LOGGER = new ClientLogger(ClientCertificateCredential.class); private final IdentityClient identityClient; private final IdentitySyncClient identitySyncClient; /** * Creates a ClientCertificateCredential with default identity client options. * @param tenantId the tenant ID of the application * @param clientId the client ID of the application * @param certificatePath the PEM file or PFX file containing the certificate * @param certificate the PEM or PFX certificate * @param certificatePassword the password protecting the PFX file * @param identityClientOptions the options to configure the identity client */ ClientCertificateCredential(String tenantId, String clientId, String certificatePath, byte[] certificate, String certificatePassword, IdentityClientOptions identityClientOptions) { Objects.requireNonNull(certificatePath == null ? certificate : certificatePath, "'certificate' and 'certificatePath' cannot both be null."); IdentityClientBuilder builder = new IdentityClientBuilder().tenantId(tenantId) .clientId(clientId) .certificatePath(certificatePath) .certificate(certificate) .certificatePassword(certificatePassword) .identityClientOptions(identityClientOptions); identityClient = builder.build(); identitySyncClient = builder.buildSyncClient(); } @Override public Mono getToken(TokenRequestContext request) { return identityClient.authenticateWithConfidentialClientCache(request) .onErrorResume(t -> Mono.empty()) .switchIfEmpty(Mono.defer(() -> identityClient.authenticateWithConfidentialClient(request))) .doOnNext(token -> LoggingUtil.logTokenSuccess(LOGGER, request)) .doOnError( error -> LoggingUtil.logTokenError(LOGGER, identityClient.getIdentityClientOptions(), request, error)); } @Override public AccessToken getTokenSync(TokenRequestContext request) { try { AccessToken token = identitySyncClient.authenticateWithConfidentialClientCache(request); if (token != null) { LoggingUtil.logTokenSuccess(LOGGER, request); return token; } } catch (Exception e) { } try { AccessToken token = identitySyncClient.authenticateWithConfidentialClient(request); LoggingUtil.logTokenSuccess(LOGGER, request); return token; } catch (Exception e) { LoggingUtil.logTokenError(LOGGER, identityClient.getIdentityClientOptions(), request, e); throw e; } } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy