Azure
diff --git a/‎sdk/core/src/auth.rs‎
Lines changed: 3 additions & 1 deletion b/‎sdk/core/src/auth.rs‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎sdk/data_cosmos/src/authorization_policy.rs‎
Lines changed: 1 addition & 1 deletion b/‎sdk/data_cosmos/src/authorization_policy.rs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎sdk/identity/README.md‎
Lines changed: 1 addition & 1 deletion b/‎sdk/identity/README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎sdk/identity/examples/azure_cli_credentials.rs‎
Lines changed: 3 additions & 1 deletion b/‎sdk/identity/examples/azure_cli_credentials.rs‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎sdk/identity/examples/client_certificate_credentials.rs‎
Lines changed: 19 additions & 17 deletions b/‎sdk/identity/examples/client_certificate_credentials.rs‎
Lines changed: 19 additions & 17 deletions
diff --git a/‎sdk/identity/examples/code_flow.rs‎
Lines changed: 1 addition & 1 deletion b/‎sdk/identity/examples/code_flow.rs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎sdk/identity/examples/code_flow_blob.rs‎
Lines changed: 3 additions & 1 deletion b/‎sdk/identity/examples/code_flow_blob.rs‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎sdk/identity/examples/default_credentials.rs‎
Lines changed: 2 additions & 2 deletions b/‎sdk/identity/examples/default_credentials.rs‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎sdk/identity/examples/environment_credentials.rs‎
Lines changed: 3 additions & 1 deletion b/‎sdk/identity/examples/environment_credentials.rs‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎sdk/identity/src/authorization_code_flow.rs‎
Lines changed: 5 additions & 3 deletions b/‎sdk/identity/src/authorization_code_flow.rs‎
Lines changed: 5 additions & 3 deletions
@@ -4,6 +4,8 @@ use serde::{Deserialize, Serialize};
 use std::{borrow::Cow, fmt::Debug};
 use time::OffsetDateTime;
 
+pub static DEFAULT_SCOPE_SUFFIX: &str = "/.default";
+
 #[derive(Clone, Deserialize, Serialize, Eq)]
 pub struct Secret(Cow<'static, str>);
 
@@ -83,7 +85,7 @@ impl AccessToken {
 #[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
 pub trait TokenCredential: Send + Sync + Debug {
     /// Gets a `AccessToken` for the specified resource
-    async fn get_token(&self, resource: &str) -> crate::Result<AccessToken>;
+    async fn get_token(&self, scopes: &[&str]) -> crate::Result<AccessToken>;
 
     /// Clear the credential's cache.
     async fn clear_cache(&self) -> crate::Result<()>;
 
@@ -165,7 +165,7 @@ async fn generate_authorization(
             "aad",
             Cow::Owned(
                 token_credential
-                    .get_token(&scope_from_url(url))
+                    .get_token(&[&scope_from_url(url)])
                     .await?
                     .token
                     .secret()
 
@@ -16,7 +16,7 @@ use std::error::Error;
 async fn main() -> Result<(), Box<dyn Error>> {
     let credential = DefaultAzureCredential::default();
     let response = credential
-        .get_token("https://management.azure.com")
+        .get_token(&["https://management.azure.com/.default"])
         .await?;
 
     let subscription_id = env::var("AZURE_SUBSCRIPTION_ID")?;
 
@@ -9,7 +9,9 @@ async fn main() -> Result<(), Box<dyn Error>> {
     println!("Azure cli subscription: {sub_id}");
 
     let creds = AzureCliCredential::new();
-    let res = creds.get_token("https://management.azure.com/").await?;
+    let res = creds
+        .get_token(&["https://management.azure.com/.default"])
+        .await?;
     println!("Azure cli response == {res:?}");
     // Let's enumerate the Azure storage accounts
     // in the subscription. Note: this way of calling the REST API
 
@@ -3,51 +3,53 @@
 /// authenticate the app. If you are using subject name validation for the app
 /// please make sure to set the `send_certificate_chain` option to true otherwise
 /// the authentication will fail.
-use azure_core::{auth::TokenCredential, base64};
+use azure_core::{
+    auth::{Secret, TokenCredential},
+    base64,
+};
 use azure_identity::{
     CertificateCredentialOptions, ClientCertificateCredential, DefaultAzureCredential,
 };
 use azure_security_keyvault::KeyvaultClient;
 use std::env::var;
 use url::Url;
 
-async fn get_certficate(vault_name: &str, certificate_name: &str) -> azure_core::Result<Vec<u8>> {
+async fn get_certficate(vault_name: &str, certificate_name: &str) -> azure_core::Result<Secret> {
     let creds = DefaultAzureCredential::default();
     let client = KeyvaultClient::new(
         format!("https://{}.vault.azure.net", vault_name).as_str(),
         std::sync::Arc::new(creds),
     )?
-    .secret_client();
-    let secret = client.get(certificate_name).await?;
-    let cert = base64::decode(secret.value)?;
-    Ok(cert)
+    .certificate_client();
+    let response = client.get(certificate_name).await?;
+    println!("GOT {response:#?}");
+    Ok(response.cer)
 }
 
 #[tokio::main]
-async fn main() -> azure_core::Result<()> {
+async fn main() -> Result<(), Box<dyn std::error::Error>> {
+    env_logger::init();
+
     let client_id = var("CLIENT_ID").expect("Missing CLIENT_ID environment variable.");
     let tenant_id = var("TENANT_ID").expect("Missing TENANT_ID environment variable.");
     let subscription_id =
         var("SUBSCRIPTION_ID").expect("Missing SUBSCRIPTION_ID environment variable.");
 
-    let keyvault_uri = var("KEYVAULT_URI").expect("Missing KEYVAULT_URI environment variable.");
+    let keyvault_name = var("KEYVAULT_NAME").expect("Missing KEYVAULT_NAME environment variable.");
     let cert_name = var("CERT_NAME").expect("Missing CERT_NAME environment variable.");
-    let cert = get_certficate(&keyvault_uri, &cert_name).await?;
+    let cert = get_certficate(&keyvault_name, &cert_name).await?;
 
     let mut options = CertificateCredentialOptions::default();
     // set as true to to send certificate chain
     options.set_send_certificate_chain(true);
 
     // pass is empty by default when certificate is fetched from keyvault
-    let creds = ClientCertificateCredential::new(
-        tenant_id,
-        client_id,
-        base64::encode(cert),
-        String::new(),
-        options,
-    );
+    let creds =
+        ClientCertificateCredential::new(tenant_id, client_id, cert, String::new(), options);
 
-    let res = creds.get_token("https://management.azure.com/").await?;
+    let res = creds
+        .get_token(&["https://management.azure.com/.default"])
+        .await?;
     // Let's enumerate the Azure SQL Databases instances
     // in the subscription. Note: this way of calling the REST API
     // will be different (and easier) using other Azure Rust SDK
 
@@ -21,7 +21,7 @@ async fn main() -> Result<(), Box<dyn Error>> {
         Some(client_secret),
         &tenant_id,
         Url::parse("http://localhost:3003/redirect").unwrap(),
-        "https://management.azure.com/user_impersonation",
+        &["https://management.azure.com/user_impersonation"],
     );
 
     println!("c == {code_flow:?}");
 
@@ -30,7 +30,9 @@ async fn main() -> Result<(), Box<dyn Error>> {
         Some(client_secret),
         &tenant_id,
         Url::parse("http://localhost:3003/redirect").unwrap(),
-        &format!("https://{storage_account_name}.blob.core.windows.net/user_impersonation"),
+        &[&format!(
+            "https://{storage_account_name}.blob.core.windows.net/user_impersonation"
+        )],
     );
 
     println!("c == {c:?}");
 
@@ -9,11 +9,11 @@ async fn main() -> Result<(), Box<dyn Error>> {
 
     let sub_id = var("AZURE_SUBSCRIPTION_ID")?;
     let creds = DefaultAzureCredentialBuilder::new()
-        .exclude_azure_cli_credential() // disable using CLI for credentials (just as an example)
+        .exclude_environment_credential() // disable using environment variables for credentials (just as an example)
         .build();
 
     let res = creds
-        .get_token("https://management.azure.com/")
+        .get_token(&["https://management.azure.com/.default"])
         .await
         .unwrap();
     eprintln!("Azure token response == {res:?}");
 
@@ -7,7 +7,9 @@ use url::Url;
 async fn main() -> Result<(), Box<dyn Error>> {
     let sub_id = var("AZURE_SUBSCRIPTION_ID")?;
     let creds = EnvironmentCredential::default();
-    let res = creds.get_token("https://management.azure.com/").await?;
+    let res = creds
+        .get_token(&["https://management.azure.com/.default"])
+        .await?;
     eprintln!("Azure cli response == {res:?}");
     // Let's enumerate the Azure storage accounts
     // in the subscription. Note: this way of calling the REST API
 
@@ -7,7 +7,7 @@ use azure_core::{
     error::{ErrorKind, ResultExt},
     HttpClient, Url,
 };
-use oauth2::basic::BasicClient;
+use oauth2::{basic::BasicClient, Scope};
 use oauth2::{ClientId, ClientSecret};
 use std::sync::Arc;
 
@@ -20,7 +20,7 @@ pub fn start(
     client_secret: Option<ClientSecret>,
     tenant_id: &str,
     redirect_url: Url,
-    resource: &str,
+    scopes: &[&str],
 ) -> AuthorizationCodeFlow {
     let auth_url = oauth2::AuthUrl::from_url(
         Url::parse(&format!(
@@ -46,10 +46,12 @@ pub fn start(
     // Create a PKCE code verifier and SHA-256 encode it as a code challenge.
     let (pkce_code_challenge, pkce_code_verifier) = oauth2::PkceCodeChallenge::new_random_sha256();
 
+    let scopes = scopes.iter().map(|s| Scope::new(s.to_string()));
+
     // Generate the authorization URL to which we'll redirect the user.
     let (authorize_url, csrf_state) = client
         .authorize_url(oauth2::CsrfToken::new_random)
-        .add_extra_param("scope", resource)
+        .add_scopes(scopes)
         .set_pkce_challenge(pkce_code_challenge)
         .url();