[AppConfig] Add support for specifying aad token audience (Azure#48176)

* feat: add support for aad token audience

* pr feedback

* update client remarks

* add live tests

* update assets.json

* update changelog.md

Author: jorgerangel-msft

sdk/appconfiguration/Azure.Data.AppConfiguration/CHANGELOG.md

@@ -4,6 +4,8 @@
 
 ### Features Added
 
+- Added support for specifying the token credential's Microsoft Entra audience when creating a client.
+
 ### Breaking Changes
 
 ### Bugs Fixed

sdk/appconfiguration/Azure.Data.AppConfiguration/api/Azure.Data.AppConfiguration.net8.0.cs

@@ -1,5 +1,24 @@
 namespace Azure.Data.AppConfiguration
 {
+    [System.Runtime.InteropServices.StructLayoutAttribute(System.Runtime.InteropServices.LayoutKind.Sequential)]
+    public readonly partial struct ConfigurationAudience : System.IEquatable<Azure.Data.AppConfiguration.ConfigurationAudience>
+    {
+        private readonly object _dummy;
+        private readonly int _dummyPrimitive;
+        public ConfigurationAudience(string value) { throw null; }
+        public static Azure.Data.AppConfiguration.ConfigurationAudience AzureChina { get { throw null; } }
+        public static Azure.Data.AppConfiguration.ConfigurationAudience AzureGovernment { get { throw null; } }
+        public static Azure.Data.AppConfiguration.ConfigurationAudience AzurePublicCloud { get { throw null; } }
+        public bool Equals(Azure.Data.AppConfiguration.ConfigurationAudience other) { throw null; }
+        [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+        public override bool Equals(object obj) { throw null; }
+        [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+        public override int GetHashCode() { throw null; }
+        public static bool operator ==(Azure.Data.AppConfiguration.ConfigurationAudience left, Azure.Data.AppConfiguration.ConfigurationAudience right) { throw null; }
+        public static implicit operator Azure.Data.AppConfiguration.ConfigurationAudience (string value) { throw null; }
+        public static bool operator !=(Azure.Data.AppConfiguration.ConfigurationAudience left, Azure.Data.AppConfiguration.ConfigurationAudience right) { throw null; }
+        public override string ToString() { throw null; }
+    }
     public partial class ConfigurationClient
     {
         protected ConfigurationClient() { }
@@ -74,6 +93,7 @@ public static partial class ConfigurationClientExtensions
     public partial class ConfigurationClientOptions : Azure.Core.ClientOptions
     {
         public ConfigurationClientOptions(Azure.Data.AppConfiguration.ConfigurationClientOptions.ServiceVersion version = Azure.Data.AppConfiguration.ConfigurationClientOptions.ServiceVersion.V2023_11_01) { }
+        public Azure.Data.AppConfiguration.ConfigurationAudience? Audience { get { throw null; } set { } }
         public enum ServiceVersion
         {
             V1_0 = 0,

sdk/appconfiguration/Azure.Data.AppConfiguration/api/Azure.Data.AppConfiguration.netstandard2.0.cs

@@ -1,5 +1,24 @@
 namespace Azure.Data.AppConfiguration
 {
+    [System.Runtime.InteropServices.StructLayoutAttribute(System.Runtime.InteropServices.LayoutKind.Sequential)]
+    public readonly partial struct ConfigurationAudience : System.IEquatable<Azure.Data.AppConfiguration.ConfigurationAudience>
+    {
+        private readonly object _dummy;
+        private readonly int _dummyPrimitive;
+        public ConfigurationAudience(string value) { throw null; }
+        public static Azure.Data.AppConfiguration.ConfigurationAudience AzureChina { get { throw null; } }
+        public static Azure.Data.AppConfiguration.ConfigurationAudience AzureGovernment { get { throw null; } }
+        public static Azure.Data.AppConfiguration.ConfigurationAudience AzurePublicCloud { get { throw null; } }
+        public bool Equals(Azure.Data.AppConfiguration.ConfigurationAudience other) { throw null; }
+        [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+        public override bool Equals(object obj) { throw null; }
+        [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+        public override int GetHashCode() { throw null; }
+        public static bool operator ==(Azure.Data.AppConfiguration.ConfigurationAudience left, Azure.Data.AppConfiguration.ConfigurationAudience right) { throw null; }
+        public static implicit operator Azure.Data.AppConfiguration.ConfigurationAudience (string value) { throw null; }
+        public static bool operator !=(Azure.Data.AppConfiguration.ConfigurationAudience left, Azure.Data.AppConfiguration.ConfigurationAudience right) { throw null; }
+        public override string ToString() { throw null; }
+    }
     public partial class ConfigurationClient
     {
         protected ConfigurationClient() { }
@@ -74,6 +93,7 @@ public static partial class ConfigurationClientExtensions
     public partial class ConfigurationClientOptions : Azure.Core.ClientOptions
     {
         public ConfigurationClientOptions(Azure.Data.AppConfiguration.ConfigurationClientOptions.ServiceVersion version = Azure.Data.AppConfiguration.ConfigurationClientOptions.ServiceVersion.V2023_11_01) { }
+        public Azure.Data.AppConfiguration.ConfigurationAudience? Audience { get { throw null; } set { } }
         public enum ServiceVersion
         {
             V1_0 = 0,

sdk/appconfiguration/Azure.Data.AppConfiguration/assets.json

@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "net",
   "TagPrefix": "net/appconfiguration/Azure.Data.AppConfiguration",
-  "Tag": "net/appconfiguration/Azure.Data.AppConfiguration_dca2b5967f"
+  "Tag": "net/appconfiguration/Azure.Data.AppConfiguration_c0a9828a83"
 }

sdk/appconfiguration/Azure.Data.AppConfiguration/src/ConfigurationAudience.cs

@@ -0,0 +1,58 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.ComponentModel;
+
+namespace Azure.Data.AppConfiguration
+{
+    /// <summary> Cloud audiences available for AppConfiguration. </summary>
+    public readonly struct ConfigurationAudience : IEquatable<ConfigurationAudience>
+    {
+        private readonly string _value;
+        private const string AzureChinaValue = "https://appconfig.azure.cn";
+        private const string AzureGovernmentValue = "https://appconfig.azure.us";
+        private const string AzurePublicCloudValue = "https://appconfig.azure.com";
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ConfigurationAudience"/> object.
+        /// </summary>
+        /// <param name="value">The Microsoft Entra audience to use when forming authorization scopes.
+        /// For the App Configuration service, this value corresponds to a URL that identifies the Azure cloud where the resource is located.</param>
+        /// <exception cref="ArgumentNullException"> <paramref name="value"/> is null. </exception>
+        /// <remarks>Please use one of the constant members over creating a custom value unless you have special needs for doing so.</remarks>
+        public ConfigurationAudience(string value)
+        {
+            Argument.AssertNotNullOrEmpty(value, nameof(value));
+            _value = value;
+        }
+
+        /// <summary> Azure China. </summary>
+        public static ConfigurationAudience AzureChina { get; } = new ConfigurationAudience(AzureChinaValue);
+
+        /// <summary> Azure Government. </summary>
+        public static ConfigurationAudience AzureGovernment { get; } = new ConfigurationAudience(AzureGovernmentValue);
+
+        /// <summary> Azure Public Cloud. </summary>
+        public static ConfigurationAudience AzurePublicCloud { get; } = new ConfigurationAudience(AzurePublicCloudValue);
+
+        /// <summary> Determines if two <see cref="ConfigurationAudience"/> values are the same. </summary>
+        public static bool operator ==(ConfigurationAudience left, ConfigurationAudience right) => left.Equals(right);
+        /// <summary> Determines if two <see cref="ConfigurationAudience"/> values are not the same. </summary>
+        public static bool operator !=(ConfigurationAudience left, ConfigurationAudience right) => !left.Equals(right);
+        /// <summary> Converts a string to a <see cref="ConfigurationAudience"/>. </summary>
+        public static implicit operator ConfigurationAudience(string value) => new ConfigurationAudience(value);
+
+        /// <inheritdoc />
+        [EditorBrowsable(EditorBrowsableState.Never)]
+        public override bool Equals(object obj) => obj is ConfigurationAudience other && Equals(other);
+        /// <inheritdoc />
+        public bool Equals(ConfigurationAudience other) => string.Equals(_value, other._value, StringComparison.InvariantCultureIgnoreCase);
+
+        /// <inheritdoc />
+        [EditorBrowsable(EditorBrowsableState.Never)]
+        public override int GetHashCode() => _value?.GetHashCode() ?? 0;
+        /// <inheritdoc />
+        public override string ToString() => _value;
+    }
+}

sdk/appconfiguration/Azure.Data.AppConfiguration/src/ConfigurationClient.cs

@@ -10,6 +10,8 @@
 using Azure.Core;
 using Azure.Core.Pipeline;
 
+#pragma warning disable AZC0007
+
 namespace Azure.Data.AppConfiguration
 {
     /// <summary>
@@ -73,14 +75,17 @@ public ConfigurationClient(Uri endpoint, TokenCredential credential)
         /// <param name="endpoint">The <see cref="Uri"/> referencing the app configuration storage.</param>
         /// <param name="credential">The token credential used to sign requests.</param>
         /// <param name="options">Options that allow configuration of requests sent to the configuration store.</param>
+        /// <remarks> The <paramref name="credential"/>'s Microsoft Entra audience is configurable via the <see cref="ConfigurationClientOptions.Audience"/> property.
+        /// If no token audience is set, Azure Public Cloud is used. If using an Azure sovereign cloud, configure the audience accordingly.
+        /// </remarks>
         public ConfigurationClient(Uri endpoint, TokenCredential credential, ConfigurationClientOptions options)
         {
             Argument.AssertNotNull(endpoint, nameof(endpoint));
             Argument.AssertNotNull(credential, nameof(credential));
 
             _endpoint = endpoint;
             _syncTokenPolicy = new SyncTokenPolicy();
-            _pipeline = CreatePipeline(options, new BearerTokenAuthenticationPolicy(credential, GetDefaultScope(endpoint)), _syncTokenPolicy);
+            _pipeline = CreatePipeline(options, new BearerTokenAuthenticationPolicy(credential, options.GetDefaultScope(endpoint)), _syncTokenPolicy);
             _apiVersion = options.Version;
 
             ClientDiagnostics = new ClientDiagnostics(options, true);
@@ -142,9 +147,6 @@ private static HttpPipeline CreatePipeline(ConfigurationClientOptions options, H
                 new ResponseClassifier());
         }
 
-        private static string GetDefaultScope(Uri uri)
-            => $"{uri.GetComponents(UriComponents.SchemeAndServer, UriFormat.SafeUnescaped)}/.default";
-
         /// <summary>
         /// Creates a <see cref="ConfigurationSetting"/> if the setting, uniquely identified by key and label, does not already exist in the configuration store.
         /// </summary>

sdk/appconfiguration/Azure.Data.AppConfiguration/src/ConfigurationClientOptions.cs

@@ -13,6 +13,10 @@ namespace Azure.Data.AppConfiguration
     public partial class ConfigurationClientOptions : ClientOptions
     {
         private const ServiceVersion LatestVersion = ServiceVersion.V2023_11_01;
+        private const string AzConfigUsGovCloudHostName = "azconfig.azure.us";
+        private const string AzConfigChinaCloudHostName = "azconfig.azure.cn";
+        private const string AppConfigUsGovCloudHostName = "appconfig.azure.us";
+        private const string AppConfigChinaCloudHostName = "appconfig.azure.cn";
 
         /// <summary>
         /// The versions of the App Configuration service supported by this client library.
@@ -36,6 +40,12 @@ public enum ServiceVersion
             V2023_11_01 = 2
         }
 
+        /// <summary>
+        /// Gets or sets the Audience to use for authentication with Microsoft Entra. The audience is not considered when using a shared key.
+        /// </summary>
+        /// <value>If <c>null</c>, <see cref="ConfigurationAudience.AzurePublicCloud" /> will be assumed.</value>
+        public ConfigurationAudience? Audience { get; set; }
+
         internal string Version { get; }
 
         /// <summary>
@@ -58,5 +68,23 @@ public ConfigurationClientOptions(ServiceVersion version = LatestVersion)
             };
             this.ConfigureLogging();
         }
+
+        internal string GetDefaultScope(Uri uri)
+        {
+            if (string.IsNullOrEmpty(Audience?.ToString()))
+            {
+                string host = uri.GetComponents(UriComponents.Host, UriFormat.SafeUnescaped);
+                return host switch
+                {
+                    _ when host.EndsWith(AzConfigUsGovCloudHostName, StringComparison.InvariantCultureIgnoreCase) || host.EndsWith(AppConfigUsGovCloudHostName, StringComparison.InvariantCultureIgnoreCase)
+                        => $"{ConfigurationAudience.AzureGovernment}/.default",
+                    _ when host.EndsWith(AzConfigChinaCloudHostName, StringComparison.InvariantCultureIgnoreCase) || host.EndsWith(AppConfigChinaCloudHostName, StringComparison.InvariantCultureIgnoreCase)
+                        => $"{ConfigurationAudience.AzureChina}/.default",
+                    _ => $"{ConfigurationAudience.AzurePublicCloud}/.default"
+                };
+            }
+
+            return $"{Audience}/.default";
+        }
     }
 }

sdk/appconfiguration/Azure.Data.AppConfiguration/tests/AppConfigurationTestEnvironment.cs

@@ -1,7 +1,9 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System;
 using Azure.Core.TestFramework;
+using Azure.Identity;
 
 namespace Azure.Data.AppConfiguration
 {
@@ -10,5 +12,27 @@ public class AppConfigurationTestEnvironment : TestEnvironment
         public string ConnectionString => GetRecordedVariable("APPCONFIGURATION_CONNECTION_STRING", options => options.HasSecretConnectionStringParameter("secret", SanitizedValue.Base64));
         public string Endpoint => GetRecordedVariable("APPCONFIGURATION_ENDPOINT_STRING");
         public string SecretId => GetRecordedVariable("KEYVAULT_SECRET_URL");
+
+        public ConfigurationAudience GetAudience()
+        {
+            Uri authorityHost = new(AuthorityHostUrl);
+
+            if (authorityHost == AzureAuthorityHosts.AzurePublicCloud)
+            {
+                return ConfigurationAudience.AzurePublicCloud;
+            }
+
+            if (authorityHost == AzureAuthorityHosts.AzureChina)
+            {
+                return ConfigurationAudience.AzureChina;
+            }
+
+            if (authorityHost == AzureAuthorityHosts.AzureGovernment)
+            {
+                return ConfigurationAudience.AzureGovernment;
+            }
+
+            throw new NotSupportedException($"Cloud for authority host {authorityHost} is not supported.");
+        }
     }
 }