com.azure.identity.ClientSecretCredential Maven / Gradle / Ivy
Show all versions of azure-identity Show documentation
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
package com.azure.identity;
import com.azure.core.annotation.Immutable;
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.core.util.logging.ClientLogger;
import com.azure.identity.implementation.IdentityClient;
import com.azure.identity.implementation.IdentityClientBuilder;
import com.azure.identity.implementation.IdentityClientOptions;
import com.azure.identity.implementation.IdentitySyncClient;
import com.azure.identity.implementation.util.LoggingUtil;
import reactor.core.publisher.Mono;
import java.util.Objects;
/**
* The ClientSecretCredential acquires a token via service principal authentication. It is a type of authentication
* in Azure that enables a non-interactive login to
* Microsoft Entra ID, allowing an
* application or service to authenticate itself with Azure resources.
* A Service Principal is essentially an identity created for an application in Microsoft Entra ID that can be used to
* authenticate with Azure resources. It's like a "user identity" for the application or service, and it provides
* a way for the application to authenticate itself with Azure resources without needing to use a user's credentials.
* Microsoft Entra ID allows users to
* register service principals which can be used as an identity for authentication.
* A client secret associated with the registered service principal is used as the password when authenticating the
* service principal.
* The ClientSecretCredential acquires an access token with a client secret for a service principal/registered
* Microsoft Entra application. The tenantId, clientId and clientSecret of the service principal are required for this credential
* to acquire an access token. It can be used both in Azure hosted and local development environments for
* authentication. For more information refer to the
* conceptual knowledge and configuration
* details.
*
* As a pre-requisite, a service principal is required to use this authentication mechanism. If you don't have
* a service principal, refer to
* create a service principal with Azure CLI.
*
*
* Sample: Construct a simple ClientSecretCredential
*
* The following code sample demonstrates the creation of a {@link com.azure.identity.ClientSecretCredential},
* using the {@link com.azure.identity.ClientSecretCredentialBuilder} to configure it. The {@code tenantId},
* {@code clientId} and {@code clientSecret} parameters are required to create
* {@link com.azure.identity.ClientSecretCredential} .Once this credential is created, it may be passed into the
* builder of many of the Azure SDK for Java client builders as the 'credential' parameter.
*
*
*
* TokenCredential clientSecretCredential = new ClientSecretCredentialBuilder().tenantId(tenantId)
* .clientId(clientId)
* .clientSecret(clientSecret)
* .build();
*
*
*
* Sample: Construct a ClientSecretCredential behind a proxy
*
* The following code sample demonstrates the creation of a {@link com.azure.identity.ClientSecretCredential},
* using the {@link com.azure.identity.ClientSecretCredentialBuilder} to configure it. The {@code tenantId},
* {@code clientId} and {@code clientSecret} parameters are required to create
* {@link com.azure.identity.ClientSecretCredential}. The {@code proxyOptions} can be optionally configured to target
* a proxy. Once this credential is created, it may be passed into the builder of many of the Azure SDK for Java
* client builders as the 'credential' parameter.
*
*
*
* TokenCredential secretCredential = new ClientSecretCredentialBuilder().tenantId(tenantId)
* .clientId(clientId)
* .clientSecret(clientSecret)
* .proxyOptions(new ProxyOptions(Type.HTTP, new InetSocketAddress("10.21.32.43", 5465)))
* .build();
*
*
*
* @see com.azure.identity
* @see ClientSecretCredentialBuilder
*/
@Immutable
public class ClientSecretCredential implements TokenCredential {
private static final ClientLogger LOGGER = new ClientLogger(ClientSecretCredential.class);
private final IdentityClient identityClient;
private final IdentitySyncClient identitySyncClient;
/**
* Creates a ClientSecretCredential with the given identity client options.
*
* @param tenantId the tenant ID of the application
* @param clientId the client ID of the application
* @param clientSecret the secret value of the Microsoft Entra application.
* @param identityClientOptions the options for configuring the identity client
*/
ClientSecretCredential(String tenantId, String clientId, String clientSecret,
IdentityClientOptions identityClientOptions) {
Objects.requireNonNull(clientSecret, "'clientSecret' cannot be null.");
Objects.requireNonNull(identityClientOptions, "'identityClientOptions' cannot be null.");
IdentityClientBuilder builder = new IdentityClientBuilder().tenantId(tenantId)
.clientId(clientId)
.clientSecret(clientSecret)
.identityClientOptions(identityClientOptions);
identityClient = builder.build();
identitySyncClient = builder.buildSyncClient();
}
@Override
public Mono getToken(TokenRequestContext request) {
return identityClient.authenticateWithConfidentialClientCache(request)
.onErrorResume(t -> Mono.empty())
.switchIfEmpty(Mono.defer(() -> identityClient.authenticateWithConfidentialClient(request)))
.doOnNext(token -> LoggingUtil.logTokenSuccess(LOGGER, request))
.doOnError(
error -> LoggingUtil.logTokenError(LOGGER, identityClient.getIdentityClientOptions(), request, error));
}
@Override
public AccessToken getTokenSync(TokenRequestContext request) {
try {
AccessToken token = identitySyncClient.authenticateWithConfidentialClientCache(request);
if (token != null) {
LoggingUtil.logTokenSuccess(LOGGER, request);
return token;
}
} catch (Exception e) {
}
try {
AccessToken token = identitySyncClient.authenticateWithConfidentialClient(request);
LoggingUtil.logTokenSuccess(LOGGER, request);
return token;
} catch (Exception e) {
LoggingUtil.logTokenError(LOGGER, identityClient.getIdentityClientOptions(), request, e);
throw e;
}
}
}