78 строки
3.1 KiB
Go
78 строки
3.1 KiB
Go
//go:build go1.18
|
|
// +build go1.18
|
|
|
|
// Copyright (c) Microsoft Corporation. All rights reserved.
|
|
// Licensed under the MIT License.
|
|
|
|
package azidentity
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
|
|
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
|
|
"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
|
|
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
|
|
)
|
|
|
|
const credNameSecret = "ClientSecretCredential"
|
|
|
|
// ClientSecretCredentialOptions contains optional parameters for ClientSecretCredential.
|
|
type ClientSecretCredentialOptions struct {
|
|
azcore.ClientOptions
|
|
|
|
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
|
|
// Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the
|
|
// application is registered.
|
|
AdditionallyAllowedTenants []string
|
|
|
|
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
|
|
// private clouds such as Azure Stack. It determines whether the credential requests Microsoft Entra instance metadata
|
|
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
|
|
// the application responsible for ensuring the configured authority is valid and trustworthy.
|
|
DisableInstanceDiscovery bool
|
|
|
|
// Cache is a persistent cache the credential will use to store the tokens it acquires, making
|
|
// them available to other processes and credential instances. The default, zero value means the
|
|
// credential will store tokens in memory and not share them with any other credential instance.
|
|
Cache Cache
|
|
}
|
|
|
|
// ClientSecretCredential authenticates an application with a client secret.
|
|
type ClientSecretCredential struct {
|
|
client *confidentialClient
|
|
}
|
|
|
|
// NewClientSecretCredential constructs a ClientSecretCredential. Pass nil for options to accept defaults.
|
|
func NewClientSecretCredential(tenantID string, clientID string, clientSecret string, options *ClientSecretCredentialOptions) (*ClientSecretCredential, error) {
|
|
if options == nil {
|
|
options = &ClientSecretCredentialOptions{}
|
|
}
|
|
cred, err := confidential.NewCredFromSecret(clientSecret)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
msalOpts := confidentialClientOptions{
|
|
AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
|
|
Cache: options.Cache,
|
|
ClientOptions: options.ClientOptions,
|
|
DisableInstanceDiscovery: options.DisableInstanceDiscovery,
|
|
}
|
|
c, err := newConfidentialClient(tenantID, clientID, credNameSecret, cred, msalOpts)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &ClientSecretCredential{client: c}, nil
|
|
}
|
|
|
|
// GetToken requests an access token from Microsoft Entra ID. This method is called automatically by Azure SDK clients.
|
|
func (c *ClientSecretCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
|
var err error
|
|
ctx, endSpan := runtime.StartSpan(ctx, credNameSecret+"."+traceOpGetToken, c.client.azClient.Tracer(), nil)
|
|
defer func() { endSpan(err) }()
|
|
tk, err := c.client.GetToken(ctx, opts)
|
|
return tk, err
|
|
}
|
|
|
|
var _ azcore.TokenCredential = (*ClientSecretCredential)(nil)
|