implement federated_credential_flow and workload_identity_creds and add them to the environment_credential (#1319)

Author: simon-an

sdk/identity/examples/federated_credential.rs

@@ -0,0 +1,48 @@
+use azure_identity::{authority_hosts, federated_credentials_flow};
+use url::Url;
+
+use std::env;
+use std::error::Error;
+
+#[tokio::main]
+async fn main() -> Result<(), Box<dyn Error>> {
+    let client_id = env::var("CLIENT_ID").expect("Missing CLIENT_ID environment variable.");
+    let token = env::var("FEDERATED_TOKEN").expect("Missing FEDERATED_TOKEN environment variable.");
+    let tenant_id = env::var("TENANT_ID").expect("Missing TENANT_ID environment variable.");
+
+    let vault_name = std::env::args()
+        .nth(1)
+        .expect("please specify the vault name as first command line parameter");
+
+    let http_client = azure_core::new_http_client();
+    // This will give you the final token to use in authorization.
+    let token = federated_credentials_flow::perform(
+        http_client.clone(),
+        &client_id,
+        &token,
+        &["https://vault.azure.net/.default"],
+        &tenant_id,
+        authority_hosts::AZURE_PUBLIC_CLOUD.clone(),
+    )
+    .await
+    .expect("federated_credentials_flow failed");
+    println!("Non interactive authorization == {token:?}");
+
+    let url = Url::parse(&format!(
+        "https://{vault_name}.vault.azure.net/secrets?api-version=7.4"
+    ))?;
+
+    let resp = reqwest::Client::new()
+        .get(url)
+        .header(
+            "Authorization",
+            format!("Bearer {}", token.access_token().secret()),
+        )
+        .send()
+        .await?
+        .text()
+        .await?;
+
+    println!("\n\nresp {resp:?}");
+    Ok(())
+}

sdk/identity/src/federated_credentials_flow/login_response.rs

@@ -0,0 +1,62 @@
+use azure_core::auth::AccessToken;
+use serde::{de, Deserialize, Deserializer};
+use time::OffsetDateTime;
+
+#[derive(Debug, Clone, Deserialize)]
+struct _LoginResponse {
+    token_type: String,
+    expires_in: u64,
+    ext_expires_in: u64,
+    expires_on: Option<String>,
+    not_before: Option<String>,
+    resource: Option<String>,
+    access_token: String,
+}
+
+#[derive(Debug, Clone)]
+pub struct LoginResponse {
+    pub token_type: String,
+    pub expires_in: u64,
+    pub ext_expires_in: u64,
+    pub expires_on: Option<OffsetDateTime>,
+    pub not_before: Option<OffsetDateTime>,
+    pub resource: Option<String>,
+    pub access_token: AccessToken,
+}
+
+impl<'de> Deserialize<'de> for LoginResponse {
+    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
+    where
+        D: Deserializer<'de>,
+    {
+        let resp = _LoginResponse::deserialize(deserializer)?;
+        LoginResponse::from_base_response(resp).map_err(de::Error::custom)
+    }
+}
+
+impl LoginResponse {
+    pub fn access_token(&self) -> &AccessToken {
+        &self.access_token
+    }
+
+    fn from_base_response(r: _LoginResponse) -> Result<LoginResponse, std::num::ParseIntError> {
+        let expires_on: Option<OffsetDateTime> = r.expires_on.map(|d| {
+            OffsetDateTime::from_unix_timestamp(d.parse::<i64>().unwrap_or(0))
+                .unwrap_or(OffsetDateTime::UNIX_EPOCH)
+        });
+        let not_before: Option<OffsetDateTime> = r.not_before.map(|d| {
+            OffsetDateTime::from_unix_timestamp(d.parse::<i64>().unwrap_or(0))
+                .unwrap_or(OffsetDateTime::UNIX_EPOCH)
+        });
+
+        Ok(LoginResponse {
+            token_type: r.token_type,
+            expires_in: r.expires_in,
+            ext_expires_in: r.ext_expires_in,
+            expires_on,
+            not_before,
+            resource: r.resource,
+            access_token: AccessToken::new(r.access_token),
+        })
+    }
+}

sdk/identity/src/federated_credentials_flow/mod.rs

@@ -0,0 +1,93 @@
+//! Authorize using the OAuth 2.0 client credentials flow with federated credentials.
+//!
+//! ```no_run
+//! use azure_identity::{authority_hosts, federated_credentials_flow};
+//! use url::Url;
+//!
+//! use std::env;
+//! use std::error::Error;
+//!
+//! #[tokio::main]
+//! async fn main() -> Result<(), Box<dyn Error>> {
+//!     let client_id =
+//!         env::var("CLIENT_ID").expect("Missing CLIENT_ID environment variable.");
+//!     let token = env::var("FEDERATED_TOKEN").expect("Missing FEDERATED_TOKEN environment variable.");
+//!     let tenant_id = env::var("TENANT_ID").expect("Missing TENANT_ID environment variable.");
+//!     let subscription_id =
+//!         env::var("SUBSCRIPTION_ID").expect("Missing SUBSCRIPTION_ID environment variable.");
+//!
+//!     let http_client = azure_core::new_http_client();
+//!     // This will give you the final token to use in authorization.
+//!     let token = federated_credentials_flow::perform(
+//!         http_client.clone(),
+//!         &client_id,
+//!         &token,
+//!         &["https://management.azure.com/"],
+//!         &tenant_id,
+//!         authority_hosts::AZURE_PUBLIC_CLOUD.clone(),
+//!
+//!     )
+//!     .await?;
+//!     Ok(())
+//! }
+//! ```
+//!
+//! You can learn more about this authorization flow [here](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#third-case-access-token-request-with-a-federated-credential).
+
+mod login_response;
+
+use azure_core::Method;
+use azure_core::{
+    content_type,
+    error::{ErrorKind, ResultExt},
+    headers, HttpClient, Request,
+};
+use log::{debug, error};
+use login_response::LoginResponse;
+use std::sync::Arc;
+use url::{form_urlencoded, Url};
+
+/// Perform the client credentials flow
+#[allow(clippy::manual_async_fn)]
+#[fix_hidden_lifetime_bug::fix_hidden_lifetime_bug]
+pub async fn perform(
+    http_client: Arc<dyn HttpClient>,
+    client_id: &str,
+    client_assertion: &str,
+    scopes: &[&str],
+    tenant_id: &str,
+    host: &str,
+) -> azure_core::Result<LoginResponse> {
+    let encoded: String = form_urlencoded::Serializer::new(String::new())
+        .append_pair("client_id", client_id)
+        .append_pair("scope", &scopes.join(" "))
+        .append_pair(
+            "client_assertion_type",
+            "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+        )
+        .append_pair("client_assertion", client_assertion)
+        .append_pair("grant_type", "client_credentials")
+        .finish();
+
+    let url = Url::parse(&format!("{host}/{tenant_id}/oauth2/v2.0/token"))
+        .with_context(ErrorKind::DataConversion, || {
+            format!("The supplied tenant id could not be url encoded: {tenant_id}")
+        })?;
+
+    let mut req = Request::new(url, Method::Post);
+    req.insert_header(
+        headers::CONTENT_TYPE,
+        content_type::APPLICATION_X_WWW_FORM_URLENCODED,
+    );
+    req.set_body(encoded);
+    let rsp = http_client.execute_request(&req).await?;
+    let rsp_status = rsp.status();
+    debug!("rsp_status == {:?}", rsp_status);
+    let rsp_body = rsp.into_body().collect().await?;
+    if !rsp_status.is_success() {
+        let text = std::str::from_utf8(&rsp_body)?;
+        error!("rsp_body == {:?}", text);
+        return Err(ErrorKind::http_response_from_body(rsp_status, &rsp_body).into_error());
+    }
+    serde_json::from_slice(&rsp_body).map_kind(ErrorKind::DataConversion)
+}

sdk/identity/src/lib.rs

@@ -47,6 +47,7 @@ pub mod client_credentials_flow;
 #[cfg(feature = "development")]
 pub mod development;
 pub mod device_code_flow;
+pub mod federated_credentials_flow;
 mod oauth2_http_client;
 pub mod refresh_token;
 mod timeout;

sdk/identity/src/token_credentials/environment_credentials.rs

@@ -1,4 +1,4 @@
-use super::{ClientSecretCredential, TokenCredentialOptions};
+use super::{ClientSecretCredential, TokenCredentialOptions, WorkloadIdentityCredential};
 use azure_core::auth::{TokenCredential, TokenResponse};
 use azure_core::error::{Error, ErrorKind, ResultExt};
 use azure_core::HttpClient;
@@ -10,8 +10,13 @@ const AZURE_CLIENT_SECRET_ENV_KEY: &str = "AZURE_CLIENT_SECRET";
 const AZURE_USERNAME_ENV_KEY: &str = "AZURE_USERNAME";
 const AZURE_PASSWORD_ENV_KEY: &str = "AZURE_PASSWORD";
 const AZURE_CLIENT_CERTIFICATE_PATH_ENV_KEY: &str = "AZURE_CLIENT_CERTIFICATE_PATH";
+const AZURE_FEDERATED_TOKEN_FILE: &str = "AZURE_FEDERATED_TOKEN_FILE";
+const AZURE_FEDERATED_TOKEN: &str = "AZURE_FEDERATED_TOKEN";
+const AZURE_AUTHORITY_HOST: &str = "AZURE_AUTHORITY_HOST";
 
-/// Enables authentication to Azure Active Directory using client secret, or a username and password.
+/// Enables authentication with Workflows Identity if either AZURE_FEDERATED_TOKEN or AZURE_FEDERATED_TOKEN_FILE is set,
+/// otherwise enables authentication to Azure Active Directory using client secret, or a username and password.
+///
 ///
 /// Details configured in the following environment variables:
 ///
@@ -20,8 +25,10 @@ const AZURE_CLIENT_CERTIFICATE_PATH_ENV_KEY: &str = "AZURE_CLIENT_CERTIFICATE_PA
 /// | `AZURE_TENANT_ID`                   | The Azure Active Directory tenant(directory) ID. |
 /// | `AZURE_CLIENT_ID`                   | The client(application) ID of an App Registration in the tenant. |
 /// | `AZURE_CLIENT_SECRET`               | A client secret that was generated for the App Registration. |
+/// | `AZURE_FEDERATED_TOKEN_FILE`        | Path to an federated token file. Variable is present in pods with aks workload identities. |
+/// | `AZURE_AUTHORITY_HOST`              | Url for the identity provider to exchange to federated token for an access_token. Variable is present in pods with aks workload identities. |
 ///
-/// This credential ultimately uses a `ClientSecretCredential` to perform the authentication using
+/// This credential ultimately uses a or `WorkloadIdentityCredential` a`ClientSecretCredential` to perform the authentication using
 /// these details.
 /// Please consult the documentation of that class for more details.
 #[derive(Clone, Debug)]
@@ -67,22 +74,54 @@ impl TokenCredential for EnvironmentCredential {
         let username = std::env::var(AZURE_USERNAME_ENV_KEY);
         let password = std::env::var(AZURE_PASSWORD_ENV_KEY);
         let client_certificate_path = std::env::var(AZURE_CLIENT_CERTIFICATE_PATH_ENV_KEY);
+        let federated_token_file = std::env::var(AZURE_FEDERATED_TOKEN_FILE);
+        let federated_token = std::env::var(AZURE_FEDERATED_TOKEN);
+        let authority_host = std::env::var(AZURE_AUTHORITY_HOST);
+
+        let options: TokenCredentialOptions = if let Ok(authority_host) = authority_host {
+            TokenCredentialOptions::new(authority_host)
+        } else {
+            self.options.clone()
+        };
+
+        if let Ok(token) = federated_token {
+            let mut credential: WorkloadIdentityCredential = WorkloadIdentityCredential::new(
+                self.http_client.clone(),
+                tenant_id,
+                client_id,
+                token,
+            );
+            credential.set_options(options);
 
-        if let Ok(client_secret) = client_secret {
+            return credential.get_token(resource).await;
+        } else if let Ok(file) = federated_token_file {
+            let token = std::fs::read_to_string(file.clone())
+                .with_context(ErrorKind::Credential, || {
+                    format!("failed to read federated token from file {}", file.as_str())
+                })?;
+            let mut credential: WorkloadIdentityCredential = WorkloadIdentityCredential::new(
+                self.http_client.clone(),
+                tenant_id,
+                client_id,
+                token,
+            );
+            credential.set_options(options);
+
+            return credential.get_token(resource).await;
+        } else if let Ok(client_secret) = client_secret {
             let credential = ClientSecretCredential::new(
                 self.http_client.clone(),
                 tenant_id,
                 client_id,
                 client_secret,
-                self.options.clone(),
+                options,
             );
             return credential.get_token(resource).await;
         } else if username.is_ok() && password.is_ok() {
             // Could use multiple if-let with #![feature(let_chains)] once stabilised - see https://github.com/rust-lang/rust/issues/53667
             // TODO: username & password credential
         } else if let Ok(_path) = client_certificate_path {
             // TODO: client certificate credential
-            todo!()
         }
 
         Err(Error::message(

sdk/identity/src/token_credentials/mod.rs

@@ -13,6 +13,7 @@ mod client_secret_credentials;
 mod default_credentials;
 mod environment_credentials;
 mod imds_managed_identity_credentials;
+mod workload_identity_credentials;
 
 pub use auto_refreshing_credentials::*;
 pub use azure_cli_credentials::*;
@@ -22,3 +23,4 @@ pub use client_secret_credentials::*;
 pub use default_credentials::*;
 pub use environment_credentials::*;
 pub use imds_managed_identity_credentials::*;
+pub use workload_identity_credentials::*;

sdk/identity/src/token_credentials/workload_identity_credentials.rs

@@ -0,0 +1,68 @@
+use azure_core::auth::{AccessToken, TokenCredential, TokenResponse};
+use azure_core::error::{ErrorKind, ResultExt};
+use azure_core::HttpClient;
+use std::str;
+use std::sync::Arc;
+use std::time::Duration;
+use time::OffsetDateTime;
+
+use crate::{federated_credentials_flow, TokenCredentialOptions};
+
+/// Enables authentication to Azure Active Directory using a client secret that was generated for an App Registration.
+///
+/// More information on how to configure a client secret can be found here:
+/// <https://docs.microsoft.com/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application>
+pub struct WorkloadIdentityCredential {
+    http_client: Arc<dyn HttpClient>,
+    tenant_id: String,
+    client_id: String,
+    token: String,
+    options: TokenCredentialOptions,
+}
+
+impl WorkloadIdentityCredential {
+    /// Create a new `WorkloadIdentityCredential`
+    pub fn new(
+        http_client: Arc<dyn HttpClient>,
+        tenant_id: String,
+        client_id: String,
+        token: String,
+    ) -> Self {
+        Self {
+            http_client,
+            tenant_id,
+            client_id,
+            token,
+            options: TokenCredentialOptions::default(),
+        }
+    }
+
+    /// set TokenCredentialOptions
+    pub fn set_options(&mut self, options: TokenCredentialOptions) {
+        self.options = options;
+    }
+}
+
+#[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
+#[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
+impl TokenCredential for WorkloadIdentityCredential {
+    async fn get_token(&self, resource: &str) -> azure_core::Result<TokenResponse> {
+        let res: TokenResponse = federated_credentials_flow::perform(
+            self.http_client.clone(),
+            &self.client_id,
+            &self.token,
+            &[&format!("{resource}/.default")],
+            &self.tenant_id,
+            self.options.authority_host(),
+        )
+        .await
+        .map(|r| {
+            TokenResponse::new(
+                AccessToken::new(r.access_token().secret().to_owned()),
+                OffsetDateTime::now_utc() + Duration::from_secs(r.expires_in),
+            )
+        })
+        .context(ErrorKind::Credential, "request token error")?;
+        Ok(res)
+    }
+}