Add -FederatedToken on Connect-AzAccount (#16083)

* Add -FideratedID on Connect-AzAccount

* Update Az.Accounts.psd1

* Update ChangeLog.md

* Update docs

* Update doc and ready for release

* Update Az.Accounts.psd1

* Update Az.Accounts.psd1

* update doc

* update code according to feedback

Author: dingmeng-xue

src/Accounts/Accounts/Account/ConnectAzureRmAccount.cs

@@ -58,6 +58,7 @@ public class ConnectAzureRmAccountCommand : AzureContextModificationCmdlet, IMod
         public const string ServicePrincipalCertificateParameterSet= "ServicePrincipalCertificateWithSubscriptionId";
         public const string ServicePrincipalCertificateFileParameterSet = "ServicePrincipalCertificateFileWithSubscriptionId";
         public const string AccessTokenParameterSet = "AccessTokenWithSubscriptionId";
+        public const string ClientAssertionParameterSet = "ClientAssertionParameterSet";
         public const string ManagedServiceParameterSet = "ManagedServiceLogin";
         public const string MSIEndpointVariable = "MSI_ENDPOINT";
         public const string MSISecretVariable = "MSI_SECRET";
@@ -84,6 +85,8 @@ public class ConnectAzureRmAccountCommand : AzureContextModificationCmdlet, IMod
 
         [Parameter(ParameterSetName = ServicePrincipalCertificateParameterSet,
                     Mandatory = true, HelpMessage = "SPN")]
+        [Parameter(ParameterSetName = ClientAssertionParameterSet,
+                    Mandatory = true, HelpMessage = "SPN")]
         [Parameter(ParameterSetName = ServicePrincipalCertificateFileParameterSet,
                     Mandatory = true, HelpMessage = "SPN")]
         public string ApplicationId { get; set; }
@@ -94,6 +97,8 @@ public class ConnectAzureRmAccountCommand : AzureContextModificationCmdlet, IMod
                     Mandatory = false)]
         [Parameter(ParameterSetName = ServicePrincipalCertificateFileParameterSet,
                     Mandatory = false)]
+        [Parameter(ParameterSetName = ClientAssertionParameterSet,
+                    Mandatory = false)]
         public SwitchParameter ServicePrincipal { get; set; }
 
         [Parameter(ParameterSetName = UserParameterSet,
@@ -108,6 +113,8 @@ public class ConnectAzureRmAccountCommand : AzureContextModificationCmdlet, IMod
                     Mandatory = true, HelpMessage = "Tenant name or ID")]
         [Parameter(ParameterSetName = ServicePrincipalCertificateFileParameterSet,
                     Mandatory = true, HelpMessage = "Tenant name or ID")]
+        [Parameter(ParameterSetName = ClientAssertionParameterSet,
+                    Mandatory = true, HelpMessage = "Tenant name or ID")]
         [Parameter(ParameterSetName = ManagedServiceParameterSet,
                     Mandatory = false, HelpMessage = "Optional tenant name or ID")]
         [Alias("Domain", "TenantId")]
@@ -141,20 +148,7 @@ public class ConnectAzureRmAccountCommand : AzureContextModificationCmdlet, IMod
         public SwitchParameter Identity { get; set; }
 
         [Alias("SubscriptionName", "SubscriptionId")]
-        [Parameter(ParameterSetName = UserParameterSet,
-                    Mandatory = false, HelpMessage = "Subscription Name or ID", ValueFromPipeline = true)]
-        [Parameter(ParameterSetName = UserWithCredentialParameterSet,
-                    Mandatory = false, HelpMessage = "Subscription Name or ID", ValueFromPipeline = true)]
-        [Parameter(ParameterSetName = ServicePrincipalParameterSet,
-                    Mandatory = false, HelpMessage = "Subscription Name or ID", ValueFromPipeline = true)]
-        [Parameter(ParameterSetName = ServicePrincipalCertificateParameterSet,
-                    Mandatory = false, HelpMessage = "Subscription Name or ID", ValueFromPipeline = true)]
-        [Parameter(ParameterSetName = ServicePrincipalCertificateFileParameterSet,
-                    Mandatory = false, HelpMessage = "Subscription Name or ID", ValueFromPipeline = true)]
-        [Parameter(ParameterSetName = AccessTokenParameterSet,
-                    Mandatory = false, HelpMessage = "Subscription Name or ID", ValueFromPipeline = true)]
-        [Parameter(ParameterSetName = ManagedServiceParameterSet,
-                    Mandatory = false, HelpMessage = "Subscription Name or ID", ValueFromPipeline = true)]
+        [Parameter(Mandatory = false, HelpMessage = "Subscription Name or ID", ValueFromPipeline = true)]
         [ValidateNotNullOrEmpty]
         public string Subscription { get; set; }
 
@@ -196,13 +190,7 @@ public class ConnectAzureRmAccountCommand : AzureContextModificationCmdlet, IMod
         [Parameter(Mandatory = false, HelpMessage = "Skips context population if no contexts are found.")]
         public SwitchParameter SkipContextPopulation { get; set; }
 
-        [Parameter(ParameterSetName = UserParameterSet, Mandatory = false, HelpMessage = "Max subscription number to populate contexts after login. Default is "+ DefaultMaxContextPopulationString + ". To populate all subscriptions to contexts, set to -1.")]
-        [Parameter(ParameterSetName = UserWithCredentialParameterSet, Mandatory = false, HelpMessage = "Max subscription number to populate contexts after login. Default is " + DefaultMaxContextPopulationString + ". To populate all subscriptions to contexts, set to -1.")]
-        [Parameter(ParameterSetName = ServicePrincipalParameterSet, Mandatory = false, HelpMessage = "Max subscription number to populate contexts after login. Default is " + DefaultMaxContextPopulationString + ". To populate all subscriptions to contexts, set to -1.")]
-        [Parameter(ParameterSetName = ServicePrincipalCertificateParameterSet, Mandatory = false, HelpMessage = "Max subscription number to populate contexts after login. Default is " + DefaultMaxContextPopulationString + ". To populate all subscriptions to contexts, set to -1.")]
-        [Parameter(ParameterSetName = ServicePrincipalCertificateFileParameterSet, Mandatory = false, HelpMessage = "Max subscription number to populate contexts after login. Default is " + DefaultMaxContextPopulationString + ". To populate all subscriptions to contexts, set to -1.")]
-        [Parameter(ParameterSetName = AccessTokenParameterSet, Mandatory = false, HelpMessage = "Max subscription number to populate contexts after login. Default is " + DefaultMaxContextPopulationString + ". To populate all subscriptions to contexts, set to -1.")]
-        [Parameter(ParameterSetName = ManagedServiceParameterSet, Mandatory = false, HelpMessage = "Max subscription number to populate contexts after login. Default is " + DefaultMaxContextPopulationString + ". To populate all subscriptions to contexts, set to -1.")]
+        [Parameter(Mandatory = false, HelpMessage = "Max subscription number to populate contexts after login. Default is "+ DefaultMaxContextPopulationString + ". To populate all subscriptions to contexts, set to -1.")]
         [PSDefaultValue(Help = DefaultMaxContextPopulationString, Value = DefaultMaxContextPopulation)]
         [ValidateRange(-1,int.MaxValue)]
         public int MaxContextPopulation { get; set; } = DefaultMaxContextPopulation;
@@ -226,6 +214,11 @@ public class ConnectAzureRmAccountCommand : AzureContextModificationCmdlet, IMod
         [Parameter(ParameterSetName = ServicePrincipalCertificateFileParameterSet, HelpMessage = "The password required to access the pkcs#12 certificate file.")]
         public SecureString CertificatePassword { get; set; }
 
+        [Parameter(ParameterSetName = ClientAssertionParameterSet, Mandatory = true, HelpMessage = "Specifies a token provided by another identity provider. The issuer and subject in this token must be first configured to be trusted by the ApplicationId.")]
+        [Alias("ClientAssertion")]
+        [ValidateNotNullOrEmpty]
+        public string FederatedToken { get; set; }
+
         protected override IAzureContext DefaultContext
         {
             get
@@ -315,6 +308,16 @@ public override void ExecuteCmdlet()
 
             }
 
+            if(ClientAssertionParameterSet.Equals(ParameterSetName, StringComparison.OrdinalIgnoreCase))
+            {
+                string suppressWarningOrErrorValue = System.Environment.GetEnvironmentVariable(BreakingChangeAttributeHelper.SUPPRESS_ERROR_OR_WARNING_MESSAGE_ENV_VARIABLE_NAME);
+                bool.TryParse(suppressWarningOrErrorValue, out bool suppressWarningOrError);
+                if (!suppressWarningOrError)
+                {
+                    WriteWarning("The feature related to parameter name 'FederatedToken' is under preview.");
+                }
+            }
+
             var azureAccount = new AzureAccount();
 
             switch (ParameterSetName)
@@ -331,6 +334,9 @@ public override void ExecuteCmdlet()
                 case ServicePrincipalParameterSet:
                     azureAccount.Type = AzureAccount.AccountType.ServicePrincipal;
                     break;
+                case ClientAssertionParameterSet:
+                    azureAccount.Type = "ClientAssertion";
+                    break;
                 case ManagedServiceParameterSet:
                     azureAccount.Type = AzureAccount.AccountType.ManagedService;
                     azureAccount.Id = this.IsBound(nameof(AccountId)) ? AccountId : $"{Constants.DefaultMsiAccountIdPrefix}{DefaultManagedServicePort}";
@@ -417,6 +423,17 @@ public override void ExecuteCmdlet()
                     WriteWarning(string.Format(Resources.ServicePrincipalWarning, file, directory));
                 }
             }
+            if (azureAccount.Type == "ClientAssertion" && FederatedToken != null)
+            {
+                password = SecureStringExtensions.ConvertToSecureString(FederatedToken);
+                azureAccount.SetProperty("ClientAssertion", FederatedToken);
+                if (GetContextModificationScope() == ContextModificationScope.CurrentUser)
+                {
+                    var file = AzureSession.Instance.ARMProfileFile;
+                    var directory = AzureSession.Instance.ARMProfileDirectory;
+                    WriteWarning(string.Format(Resources.ClientAssertionWarning, file, directory));
+                }
+            }
 
             var resourceId = PreProcessAuthScope();
 

src/Accounts/Accounts/ChangeLog.md

@@ -19,6 +19,7 @@
 -->
 
 ## Upcoming Release
+* Added `-FederatedToken` on `Connect-AzAccount`
 * Updated Azure.Core from 1.19.0 to 1.20.0.
 
 ## Version 2.5.4

src/Accounts/Accounts/Properties/Resources.Designer.cs

@@ -426,6 +426,9 @@
   <data name="ServicePrincipalWarning" xml:space="preserve">
     <value>The provided service principal secret will be included in the '{0}' file found in the user profile ( {1} ). Please ensure that this directory has appropriate protections.</value>
   </data>
+  <data name="ClientAssertionWarning" xml:space="preserve">
+    <value>The provided client id and assertion will be included in the '{0}' file found in the user profile ( {1} ). Please ensure that this directory has appropriate protections.</value>
+  </data> 
   <data name="MSITenantDomainNotFound" xml:space="preserve">
     <value>Please ensure that the managed service identity found on this machine has proper permissions to the provided tenant domain.</value>
   </data>

src/Accounts/Accounts/Properties/Resources.resx

@@ -45,6 +45,14 @@ Connect-AzAccount [-Environment <String>] -CertificateThumbprint <String> -Appli
  [<CommonParameters>]
 ```
 
+### ClientAssertionParameterSet
+```
+Connect-AzAccount [-Environment <String>] -ApplicationId <String> [-ServicePrincipal] -Tenant <String>
+ [-Subscription <String>] [-ContextName <String>] [-SkipContextPopulation] [-MaxContextPopulation <Int32>]
+ [-Force] -FederatedToken <String> [-Scope <ContextModificationScope>]
+ [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
+```
+
 ### ServicePrincipalCertificateFileWithSubscriptionId
 ```
 Connect-AzAccount [-Environment <String>] -ApplicationId <String> [-ServicePrincipal] -Tenant <String>
@@ -302,7 +310,7 @@ Application ID of the service principal.
 
 ```yaml
 Type: System.String
-Parameter Sets: ServicePrincipalCertificateWithSubscriptionId, ServicePrincipalCertificateFileWithSubscriptionId
+Parameter Sets: ServicePrincipalCertificateWithSubscriptionId, ClientAssertionParameterSet, ServicePrincipalCertificateFileWithSubscriptionId
 Aliases:
 
 Required: True
@@ -440,6 +448,24 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -FederatedToken
+Specifies a token provided by another identity provider. The issuer and subject in this token must be first configured to be trusted by the ApplicationId.
+
+> [!CAUTION]
+> Federated tokens are a type of credential. You should take the appropriate security precautions to keep them confidential. Federated tokens also timeout and may prevent long running tasks from completing.
+
+```yaml
+Type: System.String
+Parameter Sets: ClientAssertionParameterSet
+Aliases: ClientAssertion
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -Force
 
 Overwrite the existing context with the same name without prompting.
@@ -571,7 +597,7 @@ Accept wildcard characters: False
 
 ```yaml
 Type: System.Management.Automation.SwitchParameter
-Parameter Sets: ServicePrincipalCertificateWithSubscriptionId, ServicePrincipalCertificateFileWithSubscriptionId
+Parameter Sets: ServicePrincipalCertificateWithSubscriptionId, ClientAssertionParameterSet, ServicePrincipalCertificateFileWithSubscriptionId
 Aliases:
 
 Required: False
@@ -651,7 +677,7 @@ Accept wildcard characters: False
 
 ```yaml
 Type: System.String
-Parameter Sets: ServicePrincipalWithSubscriptionId, ServicePrincipalCertificateWithSubscriptionId, ServicePrincipalCertificateFileWithSubscriptionId
+Parameter Sets: ServicePrincipalWithSubscriptionId, ServicePrincipalCertificateWithSubscriptionId, ClientAssertionParameterSet, ServicePrincipalCertificateFileWithSubscriptionId
 Aliases: Domain, TenantId
 
 Required: True

src/Accounts/Accounts/help/Connect-AzAccount.md

@@ -0,0 +1,48 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
+using System.Security;
+
+namespace Microsoft.Azure.Commands.Common.Authentication
+{
+    /// <summary>
+    /// The parameters for application client. See https://aka.ms/msal-net-client-assertion
+    /// </summary>
+    public class ClientAssertionParameters : AuthenticationParameters
+    {
+        /// <summary>
+        /// Client ID (also known as App ID) of the application as registered in the application registration portal
+        /// </summary>
+        public string ClientId { get; set; }
+
+        /// <summary>
+        /// The client assertion used to prove the identity of the application to Azure AD. This is a Base-64 encoded JWT.
+        /// </summary>
+        public SecureString ClientAssertion { get; set; }
+
+        public ClientAssertionParameters(
+            PowerShellTokenCacheProvider tokenCacheProvider,
+            IAzureEnvironment environment,
+            IAzureTokenCache tokenCache,
+            string tenantId,
+            string resourceId,
+            string clientId,
+            SecureString clientAssertion) : base(tokenCacheProvider, environment, tokenCache, tenantId, resourceId)
+        {
+            this.ClientId = clientId;
+            this.ClientAssertion = clientAssertion;
+        }
+    }
+}

src/Accounts/Authentication/Authentication/Parameters/ClientAssertionParameters.cs

@@ -380,6 +380,7 @@ public ServiceClientCredentials GetServiceClientCredentials(IAzureContext contex
                     case AzureAccount.AccountType.ManagedService:
                     case AzureAccount.AccountType.User:
                     case AzureAccount.AccountType.ServicePrincipal:
+                    case "ClientAssertion":
                         token = Authenticate(context.Account, context.Environment, tenant, null, ShowDialog.Never, null, context.Environment.GetTokenAudience(targetEndpoint));
                         break;
                     default:
@@ -565,6 +566,9 @@ private AuthenticationParameters GetAuthenticationParameters(
                     return new ManagedServiceIdentityParameters(tokenCacheProvider, environment, tokenCache, tenant, resourceId, account);
                 case AzureAccount.AccountType.AccessToken:
                     return new AccessTokenParameters(tokenCacheProvider, environment, tokenCache, tenant, resourceId, account);
+                case "ClientAssertion":
+                    password = password ?? ConvertToSecureString(account.GetProperty("ClientAssertion"));
+                    return new ClientAssertionParameters(tokenCacheProvider, environment, tokenCache, tenant, resourceId, account.Id, password);
                 default:
                     return null;
             }