feat: add support for specifying aad token audience (Azure#49379)

* feat: add support for specifying aad token audience

* pr feedback

* more feedback

* handle case where audience has scope

Author: jorgerangel-msft

sdk/tables/Azure.Data.Tables/CHANGELOG.md

@@ -4,6 +4,8 @@
 
 ### Features Added
 
+- Added support for specifying the token credential's Microsoft Entra audience when creating a client.
+
 ### Breaking Changes
 
 ### Bugs Fixed

sdk/tables/Azure.Data.Tables/api/Azure.Data.Tables.net8.0.cs

@@ -7,6 +7,25 @@ public partial interface ITableEntity
         string RowKey { get; set; }
         System.DateTimeOffset? Timestamp { get; set; }
     }
+    [System.Runtime.InteropServices.StructLayoutAttribute(System.Runtime.InteropServices.LayoutKind.Sequential)]
+    public readonly partial struct TableAudience : System.IEquatable<Azure.Data.Tables.TableAudience>
+    {
+        private readonly object _dummy;
+        private readonly int _dummyPrimitive;
+        public TableAudience(string value) { throw null; }
+        public static Azure.Data.Tables.TableAudience AzureChina { get { throw null; } }
+        public static Azure.Data.Tables.TableAudience AzureGovernment { get { throw null; } }
+        public static Azure.Data.Tables.TableAudience AzurePublicCloud { get { throw null; } }
+        public bool Equals(Azure.Data.Tables.TableAudience other) { throw null; }
+        [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+        public override bool Equals(object obj) { throw null; }
+        [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+        public override int GetHashCode() { throw null; }
+        public static bool operator ==(Azure.Data.Tables.TableAudience left, Azure.Data.Tables.TableAudience right) { throw null; }
+        public static implicit operator Azure.Data.Tables.TableAudience (string value) { throw null; }
+        public static bool operator !=(Azure.Data.Tables.TableAudience left, Azure.Data.Tables.TableAudience right) { throw null; }
+        public override string ToString() { throw null; }
+    }
     public partial class TableClient
     {
         protected TableClient() { }
@@ -60,6 +79,7 @@ public TableClient(System.Uri endpoint, string tableName, Azure.Data.Tables.Tabl
     public partial class TableClientOptions : Azure.Core.ClientOptions
     {
         public TableClientOptions(Azure.Data.Tables.TableClientOptions.ServiceVersion serviceVersion = Azure.Data.Tables.TableClientOptions.ServiceVersion.V2020_12_06) { }
+        public Azure.Data.Tables.TableAudience? Audience { get { throw null; } set { } }
         public bool EnableTenantDiscovery { get { throw null; } set { } }
         public enum ServiceVersion
         {

sdk/tables/Azure.Data.Tables/api/Azure.Data.Tables.netstandard2.0.cs

@@ -7,6 +7,25 @@ public partial interface ITableEntity
         string RowKey { get; set; }
         System.DateTimeOffset? Timestamp { get; set; }
     }
+    [System.Runtime.InteropServices.StructLayoutAttribute(System.Runtime.InteropServices.LayoutKind.Sequential)]
+    public readonly partial struct TableAudience : System.IEquatable<Azure.Data.Tables.TableAudience>
+    {
+        private readonly object _dummy;
+        private readonly int _dummyPrimitive;
+        public TableAudience(string value) { throw null; }
+        public static Azure.Data.Tables.TableAudience AzureChina { get { throw null; } }
+        public static Azure.Data.Tables.TableAudience AzureGovernment { get { throw null; } }
+        public static Azure.Data.Tables.TableAudience AzurePublicCloud { get { throw null; } }
+        public bool Equals(Azure.Data.Tables.TableAudience other) { throw null; }
+        [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+        public override bool Equals(object obj) { throw null; }
+        [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+        public override int GetHashCode() { throw null; }
+        public static bool operator ==(Azure.Data.Tables.TableAudience left, Azure.Data.Tables.TableAudience right) { throw null; }
+        public static implicit operator Azure.Data.Tables.TableAudience (string value) { throw null; }
+        public static bool operator !=(Azure.Data.Tables.TableAudience left, Azure.Data.Tables.TableAudience right) { throw null; }
+        public override string ToString() { throw null; }
+    }
     public partial class TableClient
     {
         protected TableClient() { }
@@ -60,6 +79,7 @@ public TableClient(System.Uri endpoint, string tableName, Azure.Data.Tables.Tabl
     public partial class TableClientOptions : Azure.Core.ClientOptions
     {
         public TableClientOptions(Azure.Data.Tables.TableClientOptions.ServiceVersion serviceVersion = Azure.Data.Tables.TableClientOptions.ServiceVersion.V2020_12_06) { }
+        public Azure.Data.Tables.TableAudience? Audience { get { throw null; } set { } }
         public bool EnableTenantDiscovery { get { throw null; } set { } }
         public enum ServiceVersion
         {

sdk/tables/Azure.Data.Tables/src/TableAudience.cs

@@ -0,0 +1,89 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.ComponentModel;
+
+namespace Azure.Data.Tables
+{
+    /// <summary> Cloud audiences available for Azure Tables. </summary>
+    public readonly struct TableAudience : IEquatable<TableAudience>
+    {
+        private readonly string _value;
+
+        private const string AzureChinaValue = "AzureChina";
+        private const string AzureGovernmentValue = "AzureGov";
+        private const string AzurePublicCloudValue = "AzurePublic";
+
+        private const string AzureStorageChinaValue = "https://storage.azure.cn";
+        private const string AzureStorageGovernmentValue = "https://storage.azure.us";
+        private const string AzureStoragePublicCloudValue = "https://storage.azure.com";
+        private const string AzureCosmosChinaValue = "https://cosmos.azure.cn";
+        private const string AzureCosmosGovernmentValue = "https://cosmos.azure.us";
+        private const string AzureCosmosPublicCloudValue = "https://cosmos.azure.com";
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="TableAudience"/> object.
+        /// </summary>
+        /// <param name="value">The Microsoft Entra audience to use when forming authorization scopes.
+        /// For the Azure Tables service, this value corresponds to a URL that identifies the Azure cloud where the resource is located.</param>
+        /// <exception cref="ArgumentNullException"> <paramref name="value"/> is null. </exception>
+        /// <remarks>Please use one of the constant members over creating a custom value unless you have special needs for doing so.</remarks>
+        public TableAudience(string value)
+        {
+            Argument.AssertNotNullOrEmpty(value, nameof(value));
+            _value = value;
+        }
+
+        /// <summary> The authorization audience used to authenticate with the Azure China cloud. </summary>
+        public static TableAudience AzureChina { get; } = new TableAudience(AzureChinaValue);
+
+        /// <summary> The authorization audience used to authenticate with the Azure Government cloud. </summary>
+        public static TableAudience AzureGovernment { get; } = new TableAudience(AzureGovernmentValue);
+
+        /// <summary> The authorization audience used to authenticate with the Azure Public cloud. </summary>
+        public static TableAudience AzurePublicCloud { get; } = new TableAudience(AzurePublicCloudValue);
+
+        /// <summary> Determines if two <see cref="TableAudience"/> values are the same. </summary>
+        public static bool operator ==(TableAudience left, TableAudience right) => left.Equals(right);
+        /// <summary> Determines if two <see cref="TableAudience"/> values are not the same. </summary>
+        public static bool operator !=(TableAudience left, TableAudience right) => !left.Equals(right);
+        /// <summary> Converts a string to a <see cref="TableAudience"/>. </summary>
+        public static implicit operator TableAudience(string value) => new TableAudience(value);
+
+        /// <inheritdoc />
+        [EditorBrowsable(EditorBrowsableState.Never)]
+        public override bool Equals(object obj) => obj is TableAudience other && Equals(other);
+        /// <inheritdoc />
+        public bool Equals(TableAudience other) => string.Equals(_value, other._value, StringComparison.InvariantCultureIgnoreCase);
+
+        /// <inheritdoc />
+        [EditorBrowsable(EditorBrowsableState.Never)]
+        public override int GetHashCode() => _value?.GetHashCode() ?? 0;
+        /// <inheritdoc />
+        public override string ToString() => _value;
+
+        internal string GetDefaultScope(bool isCosmosEndpoint)
+        {
+            var audience = _value switch
+            {
+                AzureChinaValue when isCosmosEndpoint => AzureCosmosChinaValue,
+                AzureGovernmentValue when isCosmosEndpoint => AzureCosmosGovernmentValue,
+                AzurePublicCloudValue when isCosmosEndpoint => AzureCosmosPublicCloudValue,
+                AzureChinaValue => AzureStorageChinaValue,
+                AzureGovernmentValue => AzureStorageGovernmentValue,
+                AzurePublicCloudValue => AzureStoragePublicCloudValue,
+                _ => _value
+            };
+
+            if (audience.EndsWith($"/{TableConstants.DefaultScope}", StringComparison.InvariantCultureIgnoreCase))
+            {
+                return audience;
+            }
+
+            return audience.EndsWith("/", StringComparison.InvariantCultureIgnoreCase)
+                ? $"{audience}{TableConstants.DefaultScope}"
+                : $"{audience}/{TableConstants.DefaultScope}";
+        }
+    }
+}

sdk/tables/Azure.Data.Tables/src/TableClient.cs

@@ -272,10 +272,11 @@ public TableClient(Uri endpoint, string tableName, TokenCredential tokenCredenti
             options ??= TableClientOptions.DefaultOptions;
 
             var perCallPolicies = _isCosmosEndpoint ? new[] { new CosmosPatchTransformPolicy() } : Array.Empty<HttpPipelinePolicy>();
-
+            var audienceScope = (options?.Audience ?? TableAudience.AzurePublicCloud)
+                .GetDefaultScope(_isCosmosEndpoint);
             var pipelineOptions = new HttpPipelineOptions(options)
             {
-                PerRetryPolicies = { new TableBearerTokenChallengeAuthorizationPolicy(tokenCredential, _isCosmosEndpoint ? TableConstants.CosmosScope : TableConstants.StorageScope, options.EnableTenantDiscovery) },
+                PerRetryPolicies = { new TableBearerTokenChallengeAuthorizationPolicy(tokenCredential, audienceScope, options.EnableTenantDiscovery) },
                 ResponseClassifier = new ResponseClassifier(),
                 RequestFailedDetailsParser = new TablesRequestFailedDetailsParser()
             };

sdk/tables/Azure.Data.Tables/src/TableClientOptions.cs

@@ -61,6 +61,12 @@ public enum ServiceVersion
 #pragma warning restore CA1707 // Identifiers should not contain underscores
         }
 
+        /// <summary>
+        /// Gets or sets the Audience to use for authentication with Microsoft Entra.
+        /// The audience is not considered when using a shared key or connection string.
+        /// </summary>
+        public TableAudience? Audience { get; set; }
+
         internal static TableClientOptions DefaultOptions => new()
         {
             Diagnostics =

sdk/tables/Azure.Data.Tables/src/TableConstants.cs

@@ -7,9 +7,8 @@ internal static class TableConstants
     {
         internal const string LegacyCosmosTableDomain = ".table.cosmosdb.";
         internal const string CosmosTableDomain = ".table.cosmos.";
-        internal const string StorageScope = "https://storage.azure.com/.default";
-        internal const string CosmosScope = "https://cosmos.azure.com/.default";
         internal const string ReturnNoContent = "return-no-content";
+        internal const string DefaultScope = ".default";
 
         internal static class CompatSwitches
         {

sdk/tables/Azure.Data.Tables/src/TableServiceClient.cs

@@ -273,10 +273,11 @@ public TableServiceClient(Uri endpoint, TokenCredential tokenCredential, TableCl
             var perCallPolicies = _isCosmosEndpoint ? new[] { new CosmosPatchTransformPolicy() } : Array.Empty<HttpPipelinePolicy>();
             var endpointString = _endpoint.AbsoluteUri;
             string secondaryEndpoint = TableConnectionString.GetSecondaryUriFromPrimary(_endpoint)?.AbsoluteUri;
-
+            var audienceScope = (options?.Audience ?? TableAudience.AzurePublicCloud)
+                .GetDefaultScope(_isCosmosEndpoint);
             var pipelineOptions = new HttpPipelineOptions(options)
             {
-                PerRetryPolicies = { new TableBearerTokenChallengeAuthorizationPolicy(tokenCredential, _isCosmosEndpoint ? TableConstants.CosmosScope : TableConstants.StorageScope, options.EnableTenantDiscovery) },
+                PerRetryPolicies = { new TableBearerTokenChallengeAuthorizationPolicy(tokenCredential, audienceScope, options.EnableTenantDiscovery) },
                 ResponseClassifier = new ResponseClassifier(),
                 RequestFailedDetailsParser = new TablesRequestFailedDetailsParser()
             };

sdk/tables/Azure.Data.Tables/tests/TableAudienceTests.cs

@@ -0,0 +1,46 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using NUnit.Framework;
+using System.Collections.Generic;
+
+namespace Azure.Data.Tables.Tests
+{
+    public class TableAudienceTests
+    {
+        // This test validates that the token audience scope is correctly parsed
+        [TestCaseSource(nameof(GetDefaultScopeTestCases))]
+        public void TestGetDefaultScope(
+            TableAudience? audience,
+            bool isCosmosEndpoint,
+            string expectedScope)
+        {
+            audience ??= TableAudience.AzurePublicCloud;
+            var defaultScope = audience.Value.GetDefaultScope(isCosmosEndpoint);
+            Assert.AreEqual(expectedScope, defaultScope);
+        }
+
+        public static IEnumerable<TestCaseData> GetDefaultScopeTestCases
+        {
+            get
+            {
+                // cosmos audience
+                yield return new TestCaseData(TableAudience.AzurePublicCloud, true, "https://cosmos.azure.com/.default");
+                yield return new TestCaseData(TableAudience.AzureChina, true, "https://cosmos.azure.cn/.default");
+                yield return new TestCaseData(TableAudience.AzureGovernment, true, "https://cosmos.azure.us/.default");
+                // storage audience
+                yield return new TestCaseData(TableAudience.AzurePublicCloud, false, "https://storage.azure.com/.default");
+                yield return new TestCaseData(TableAudience.AzureChina, false, "https://storage.azure.cn/.default");
+                yield return new TestCaseData(TableAudience.AzureGovernment, false, "https://storage.azure.us/.default");
+                // default audience with cosmos endpoint should be public cloud
+                yield return new TestCaseData(null, true, "https://cosmos.azure.com/.default");
+                // default audience with storage endpoint should be public cloud
+                yield return new TestCaseData(null, false, "https://storage.azure.com/.default");
+                // custom audience
+                yield return new TestCaseData(new TableAudience("my.custom.audience"), false, "my.custom.audience/.default");
+                yield return new TestCaseData(new TableAudience("my.custom.audience/"), false, "my.custom.audience/.default");
+                yield return new TestCaseData(new TableAudience("my.custom.audience/.default"), false, "my.custom.audience/.default");
+            }
+        }
+    }
+}