Merge pull request #201473 from Clare-Zheng82/0610-Add_REST_OAuth2_Client_Credential_authentication

PRMerger9 · web-flow · commit f372437269a6 · 2022-06-20T03:14:59.000-07:00
Add Use OAuth2 Client Credential authentication section to REST connector doc
diff --git a/articles/data-factory/connector-rest.md b/articles/data-factory/connector-rest.md
@@ -7,7 +7,7 @@ ms.service: data-factory
 ms.subservice: data-movement
 ms.custom: synapse
 ms.topic: conceptual
-ms.date: 06/07/2022
+ms.date: 06/13/2022
 ms.author: makromer
 ---
 
@@ -79,10 +79,17 @@ The following properties are supported for the REST linked service:
 | type | The **type** property must be set to **RestService**. | Yes |
 | url | The base URL of the REST service. | Yes |
 | enableServerCertificateValidation | Whether to validate server-side TLS/SSL certificate when connecting to the endpoint. | No<br /> (the default is **true**) |
-| authenticationType | Type of authentication used to connect to the REST service. Allowed values are **Anonymous**, **Basic**, **AadServicePrincipal**, and **ManagedServiceIdentity**. User-based OAuth isn't supported. You can additionally configure authentication headers in `authHeader` property. Refer to corresponding sections below on more properties and examples respectively.| Yes |
+| authenticationType | Type of authentication used to connect to the REST service. Allowed values are **Anonymous**, **Basic**, **AadServicePrincipal**, **OAuth2ClientCredential**, and **ManagedServiceIdentity**. You can additionally configure authentication headers in `authHeader` property. Refer to corresponding sections below on more properties and examples respectively.| Yes |
 | authHeaders | Additional HTTP request headers for authentication.<br/> For example, to use API key authentication, you can select authentication type as “Anonymous” and specify API key in the header. | No |
 | connectVia | The [Integration Runtime](concepts-integration-runtime.md) to use to connect to the data store. Learn more from [Prerequisites](#prerequisites) section. If not specified, this property uses the default Azure Integration Runtime. |No |
 
+For different authentication types, see the corresponding sections for details.
+- [Basic authentication](#use-basic-authentication)
+- [AAD service principal authentication](#use-aad-service-principal-authentication)
+- [OAuth2 Client Credential authentication](#use-oauth2-client-credential-authentication)
+- [User-assigned managed identity authentication](#use-user-assigned-managed-identity-authentication)
+- [Anonymous authentication](#using-authentication-headers)
+
 ### Use basic authentication
 
 Set the **authenticationType** property to **Basic**. In addition to the generic properties that are described in the preceding section, specify the following properties:
@@ -128,7 +135,7 @@ Set the **authenticationType** property to **AadServicePrincipal**. In addition
 | aadResourceId | Specify the AAD resource you are requesting for authorization, for example, `https://management.core.windows.net`.| Yes |
 | azureCloudType | For service principal authentication, specify the type of Azure cloud environment to which your AAD application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the data factory's cloud environment is used. | No |
 
-**Example**
+**Example**                                                                          
 
 ```json
 {
@@ -153,6 +160,41 @@ Set the **authenticationType** property to **AadServicePrincipal**. In addition
     }
 }
 ```
+### Use OAuth2 Client Credential authentication
+
+Set the **authenticationType** property to **OAuth2ClientCredential**. In addition to the generic properties that are described in the preceding section, specify the following properties:
+
+| Property | Description | Required |
+|:--- |:--- |:--- |
+| tokenEndpoint| The token endpoint of the authorization server to acquire the access token. | Yes |
+| clientId | The client ID associated with your application. | Yes |
+| clientSecret| The client secret associated with your application. Mark this field as a **SecureString** type to store it securely in Data Factory. You can also [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md).  | Yes |
+| scope | The scope of the access required. It describes what kind of access will be requested. | No |
+| resource | The target service or resource to which the access will be requested. | No |
+
+**Example**
+
+```json
+{
+    "name": "RESTLinkedService",
+    "properties": {
+        "type": "RestService",
+        "typeProperties": {
+            "url": "<REST endpoint e.g. https://www.example.com/>",
+            "enableServerCertificateValidation": true,
+            "authenticationType": "OAuth2ClientCredential",
+            "clientId": "<client ID>",
+            "clientSecret": {
+                "type": "SecureString",
+                "value": "<client secret>"
+            },
+            "tokenEndpoint": "<token endpoint>",
+            "scope": "<scope>",
+            "resource": "<resource>"
+        }
+    }
+}
+```
 
 ### Use user-assigned managed identity authentication
 Set the **authenticationType** property to **ManagedServiceIdentity**. In addition to the generic properties that are described in the preceding section, specify the following properties:
@@ -827,78 +869,6 @@ The pagination rule syntax is the same as in Example 8 and should be set as belo
 
 :::image type="content" source="media/connector-rest/pagination-rule-example-9.png" alt-text="Screenshot showing setting the pagination rule for Example 9."::: 
 
-
-## Use OAuth
-This section describes how to use a solution template to copy data from REST connector into Azure Data Lake Storage in JSON format using OAuth. 
-
-### About the solution template
-
-The template contains two activities:
-- **Web** activity retrieves the bearer token and then pass it to subsequent Copy activity as authorization.
-- **Copy** activity copies data from REST to Azure Data Lake Storage.
-
-The template defines two parameters:
-- **SinkContainer** is the root folder path where the data is copied to in your Azure Data Lake Storage. 
-- **SinkDirectory** is the directory path under the root where the data is copied to in your Azure Data Lake Storage. 
-
-### How to use this solution template
-
-1. Go to the **Copy from REST or HTTP using OAuth** template. Create a new connection for Source Connection. 
-    :::image type="content" source="media/solution-template-copy-from-rest-or-http-using-oauth/source-connection.png" alt-text="Create new connections":::
-
-    Below are key steps for new linked service (REST) settings:
-    
-     1. Under **Base URL**, specify the url parameter for your own source REST service. 
-     2. For **Authentication type**, choose *Anonymous*.
-        :::image type="content" source="media/solution-template-copy-from-rest-or-http-using-oauth/new-rest-connection.png" alt-text="New REST connection":::
-
-2. Create a new connection for Destination Connection.  
-    :::image type="content" source="media/solution-template-copy-from-rest-or-http-using-oauth/destination-connection.png" alt-text="New Gen2 connection":::
-
-3. Select **Use this template**.
-    :::image type="content" source="media/solution-template-copy-from-rest-or-http-using-oauth/use-this-template.png" alt-text="Use this template":::
-
-4. You would see the pipeline created as shown in the following example:
-    :::image type="content" source="media/solution-template-copy-from-rest-or-http-using-oauth/pipeline.png" alt-text="Screenshot shows the pipeline created from the template.":::
-
-5. Select **Web** activity. In **Settings**, specify the corresponding **URL**, **Method**, **Headers**, and **Body** to retrieve OAuth bearer token from the login API of the service that you want to copy data from. The placeholder in the template showcases a sample of Azure Active Directory (AAD) OAuth. Note AAD authentication is natively supported by REST connector, here is just an example for OAuth flow. 
-
-    | Property | Description |
-    |:--- |:--- |
-    | URL |Specify the url to retrieve OAuth bearer token from. for example, in the sample here it's https://login.microsoftonline.com/microsoft.onmicrosoft.com/oauth2/token |
-    | Method | The HTTP method. Allowed values are **Post** and **Get**. | 
-    | Headers | Header is user-defined, which references one header name in the HTTP request. | 
-    | Body | The body for the HTTP request. | 
-
-    :::image type="content" source="media/solution-template-copy-from-rest-or-http-using-oauth/web-settings.png" alt-text="Pipeline":::
-
-6. In **Copy data** activity, select *Source* tab, you could see that the bearer token (access_token)  retrieved from previous step would be passed to Copy data activity as **Authorization** under Additional headers. Confirm settings for following properties before starting a pipeline run.
-
-    | Property | Description |
-    |:--- |:--- |
-    | Request method | The HTTP method. Allowed values are **Get** (default) and **Post**. | 
-    | Additional headers | Additional HTTP request headers.| 
-
-   :::image type="content" source="media/solution-template-copy-from-rest-or-http-using-oauth/copy-data-settings.png" alt-text="Copy source Authentication":::
-
-7. Select **Debug**, enter the **Parameters**, and then select **Finish**.
-   :::image type="content" source="media/solution-template-copy-from-rest-or-http-using-oauth/pipeline-run.png" alt-text="Pipeline run"::: 
-
-8. When the pipeline run completes successfully, you would see the result similar to the following example:
-   :::image type="content" source="media/solution-template-copy-from-rest-or-http-using-oauth/run-result.png" alt-text="Pipeline run result"::: 
-
-9. Click the "Output" icon of WebActivity in **Actions** column, you would see the access_token returned by the service.
-
-   :::image type="content" source="media/solution-template-copy-from-rest-or-http-using-oauth/token-output.png" alt-text="Token output"::: 
-
-10. Click the "Input" icon of CopyActivity in **Actions** column, you would see the access_token retrieved by WebActivity is passed to CopyActivity for authentication. 
-
-    :::image type="content" source="media/solution-template-copy-from-rest-or-http-using-oauth/token-input.png" alt-text="Token input":::
-        
-    >[!CAUTION] 
-    >To avoid token being logged in plain text, enable "Secure output" in Web activity and "Secure input" in Copy activity.
-
-
 ## Export JSON response as-is
 
 You can use this REST connector to export REST API JSON response as-is to various file-based stores. To achieve such schema-agnostic copy, skip the "structure" (also called *schema*) section in dataset and schema mapping in copy activity.
