Implement AzurePipelinesCredential (Azure#43686)

Author: christothes

.vscode/cspell.json

@@ -92,11 +92,13 @@
     "kusto",
     "lucene",
     "mgmt",
+    "miscs",
     "msal",
     "Mtls",
     "northcentralus",
     "nunit",
     "odata",
+    "oidc",
     "onco",
     "opinsights",
     "otel",
@@ -134,8 +136,7 @@
     "vnet",
     "westcentralus",
     "westus",
-    "xunit",
-    "miscs"
+    "xunit"
   ],
   "overrides": [
     {
@@ -450,7 +451,7 @@
         "Twilio",
         "Vertica",
         "Xero",
-		    "Soql"
+        "Soql"
       ]
     },
     {
@@ -869,15 +870,15 @@
     {
       "filename": "**/sdk/paloaltonetworks/**/*",
       "words": [
-      	"armid",
-      	"cpus",
-      	"eastus",
-      	"cloudngfw",
-      	"fqdnlists",
-      	"isvtestuklegacy",
-      	"liftr",
-      	"liftrpantestplan",
-      	"msal",
+        "armid",
+        "cpus",
+        "eastus",
+        "cloudngfw",
+        "fqdnlists",
+        "isvtestuklegacy",
+        "liftr",
+        "liftrpantestplan",
+        "msal",
         "ngfw",
         "panrsid",
         "palo",
@@ -936,7 +937,7 @@
     {
       "filename": "**/sdk/qumulo/**/*",
       "words": [
-      	"qumulo"
+        "qumulo"
       ]
     },
     {
@@ -1337,7 +1338,7 @@
         "protobuf",
         "Ackable",
         "awps"
-        ]
+      ]
     },
     {
       "filename": "**/sdk/openai/**/*.cs",

sdk/identity/Azure.Identity/CHANGELOG.md

@@ -4,6 +4,7 @@
 
 ### Features Added
 - `ClientAssertionCredentialOptions` now supports `TokenCachePersistenceOptions` for configuring token cache persistence.
+- Added `AzurePipelinesCredential` for authenticating with Azure Pipelines service connections.
 
 ### Breaking Changes
 

sdk/identity/Azure.Identity/README.md

@@ -208,6 +208,7 @@ Not all credentials require this configuration. Credentials which authenticate t
 
 |Credential | Usage | Reference
 |-|-|-
+|`AzurePipelinesCredential`|Supports [Microsoft Entra Workload ID](https://learn.microsoft.com/azure/devops/pipelines/release/configure-workload-identity?view=azure-devops) on Azure Pipelines.| [example](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/samples/OtherCredentialSamples.md#AzurePipelinesCredential_example)
 |[`ClientAssertionCredential`][ref_ClientAssertionCredential]|Authenticates a service principal using a signed client assertion. |
 |[`ClientCertificateCredential`][ref_ClientCertificateCredential]|Authenticates a service principal using a certificate. | [Service principal authentication](https://learn.microsoft.com/entra/identity-platform/app-objects-and-service-principals)
 |[`ClientSecretCredential`][ref_ClientSecretCredential]|Authenticates a service principal using a secret. | [Service principal authentication](https://learn.microsoft.com/entra/identity-platform/app-objects-and-service-principals)

sdk/identity/Azure.Identity/api/Azure.Identity.netstandard2.0.cs

@@ -78,6 +78,20 @@ public AzureDeveloperCliCredentialOptions() { }
         public System.TimeSpan? ProcessTimeout { get { throw null; } set { } }
         public string TenantId { get { throw null; } set { } }
     }
+    public partial class AzurePipelinesCredential : Azure.Core.TokenCredential
+    {
+        protected AzurePipelinesCredential() { }
+        public AzurePipelinesCredential(string tenantId, string clientId, string serviceConnectionId, Azure.Identity.AzurePipelinesCredentialOptions options = null) { }
+        public override Azure.Core.AccessToken GetToken(Azure.Core.TokenRequestContext requestContext, System.Threading.CancellationToken cancellationToken) { throw null; }
+        public override System.Threading.Tasks.ValueTask<Azure.Core.AccessToken> GetTokenAsync(Azure.Core.TokenRequestContext requestContext, System.Threading.CancellationToken cancellationToken) { throw null; }
+    }
+    public partial class AzurePipelinesCredentialOptions : Azure.Identity.TokenCredentialOptions
+    {
+        public AzurePipelinesCredentialOptions() { }
+        public System.Collections.Generic.IList<string> AdditionallyAllowedTenants { get { throw null; } }
+        public bool DisableInstanceDiscovery { get { throw null; } set { } }
+        public Azure.Identity.TokenCachePersistenceOptions TokenCachePersistenceOptions { get { throw null; } set { } }
+    }
     public partial class AzurePowerShellCredential : Azure.Core.TokenCredential
     {
         public AzurePowerShellCredential() { }

sdk/identity/Azure.Identity/samples/OtherCredentialSamples.md

@@ -0,0 +1,18 @@
+# AzurePipelinesCredential Example
+
+This example demonstrates authenticating the `SecretClient` using the `AzurePipelinesCredential` in an Azure Pipelines environment with [service connections](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints).
+
+```C# Snippet:AzurePipelinesCredential_Example
+// Replace the following values with the actual values for the service connection.
+string clientId = "<service_connection_client_id>";
+string tenantId = "<service_connection_tenant_id>";
+string serviceConnectionId = "<service_connection_id>";
+
+// Construct the credential.
+var credential = new AzurePipelinesCredential(tenantId, clientId, serviceConnectionId);
+
+// Use the credential to authenticate with the Key Vault client.
+var client = new SecretClient(new Uri("https://keyvault-name.vault.azure.net/"), credential);
+```
+
+***Note:*** This credential is **not** included in the `DefaultAzureCredential` chain and must be used explicitly.

sdk/identity/Azure.Identity/src/Credentials/AzurePipelinesCredential.cs

@@ -0,0 +1,126 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Azure.Core;
+using Azure.Core.Pipeline;
+using Microsoft.Identity.Client;
+
+namespace Azure.Identity
+{
+    /// <summary>
+    /// Credential which authenticates using an Azure Pipelines service connection.
+    /// </summary>
+    public class AzurePipelinesCredential : TokenCredential
+    {
+        internal readonly string[] AdditionallyAllowedTenantIds;
+        internal string TenantId { get; }
+        internal string ClientId { get; }
+        internal MsalConfidentialClient Client { get; }
+        internal CredentialPipeline Pipeline { get; }
+        internal TenantIdResolverBase TenantIdResolver { get; }
+        private const string OIDC_API_VERSION = "7.1";
+
+        /// <summary>
+        /// Protected constructor for mocking.
+        /// </summary>
+        protected AzurePipelinesCredential()
+        { }
+
+        /// <summary>
+        /// Creates a new instance of the <see cref="AzurePipelinesCredential"/>.
+        /// </summary>
+        /// <param name="tenantId">The tenant ID for the service connection.</param>
+        /// <param name="clientId">The client ID for the service connection.</param>
+        /// <param name="serviceConnectionId">The service connection ID, as found in the querystring's resourceId key.</param>
+        /// <param name="options">An instance of <see cref="AzurePipelinesCredentialOptions"/>.</param>
+        /// <exception cref="System.ArgumentNullException">When <paramref name="tenantId"/>, <paramref name="clientId"/>, or <paramref name="serviceConnectionId"/> is null.</exception>
+        public AzurePipelinesCredential(string tenantId, string clientId, string serviceConnectionId, AzurePipelinesCredentialOptions options = default)
+        {
+            Argument.AssertNotNull(serviceConnectionId, nameof(serviceConnectionId));
+            Argument.AssertNotNull(clientId, nameof(clientId));
+            Argument.AssertNotNull(tenantId, nameof(tenantId));
+
+            TenantId = Validations.ValidateTenantId(tenantId, nameof(tenantId));
+            ClientId = clientId;
+            Pipeline = options?.Pipeline ?? CredentialPipeline.GetInstance(options);
+
+            Func<CancellationToken, Task<string>> _assertionCallback = async (cancellationToken) =>
+            {
+                var message = CreateOidcRequestMessage(serviceConnectionId, options ?? new AzurePipelinesCredentialOptions());
+                await Pipeline.HttpPipeline.SendAsync(message, cancellationToken).ConfigureAwait(false);
+                return GetOidcTokenResponse(message);
+            };
+
+            Client = options?.MsalClient ?? new MsalConfidentialClient(Pipeline, tenantId, clientId, _assertionCallback, options);
+            TenantIdResolver = options?.TenantIdResolver ?? TenantIdResolverBase.Default;
+            AdditionallyAllowedTenantIds = TenantIdResolver.ResolveAddionallyAllowedTenantIds((options as ISupportsAdditionallyAllowedTenants)?.AdditionallyAllowedTenants);
+        }
+
+        /// <inheritdoc />
+        public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
+            => GetTokenCoreAsync(false, requestContext, cancellationToken).EnsureCompleted();
+
+        /// <inheritdoc />
+        public override async ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
+            => await GetTokenCoreAsync(true, requestContext, cancellationToken).ConfigureAwait(false);
+
+        internal async ValueTask<AccessToken> GetTokenCoreAsync(bool async, TokenRequestContext requestContext, CancellationToken cancellationToken)
+        {
+            using CredentialDiagnosticScope scope = Pipeline.StartGetTokenScope("AzurePipelinesCredential.GetToken", requestContext);
+
+            try
+            {
+                var tenantId = TenantIdResolver.Resolve(TenantId, requestContext, AdditionallyAllowedTenantIds);
+
+                AuthenticationResult result = await Client.AcquireTokenForClientAsync(requestContext.Scopes, tenantId, requestContext.Claims, requestContext.IsCaeEnabled, async, cancellationToken).ConfigureAwait(false);
+
+                return scope.Succeeded(new AccessToken(result.AccessToken, result.ExpiresOn));
+            }
+            catch (Exception e)
+            {
+                throw scope.FailWrapAndThrow(e);
+            }
+        }
+
+        internal HttpMessage CreateOidcRequestMessage(string serviceConnectionId, AzurePipelinesCredentialOptions options)
+        {
+            string CollectionUri = options.CollectionUri ?? throw new CredentialUnavailableException("AzurePipelinesCredential is not available: environment variable SYSTEM_TEAMFOUNDATIONCOLLECTIONURI is not set.");
+            string projectId = options.TeamProjectId ?? throw new CredentialUnavailableException("AzurePipelinesCredential is not available: environment variable SYSTEM_TEAMPROJECTID is not set.");
+            string planId = options.PlanId ?? throw new CredentialUnavailableException("AzurePipelinesCredential is not available: environment variable SYSTEM_PLANID is not set.");
+            string jobId = options.JobId ?? throw new CredentialUnavailableException("AzurePipelinesCredential is not available: environment variable SYSTEM_JOBID is not set.");
+            string systemToken = options.SystemAccessToken ?? throw new CredentialUnavailableException("AzurePipelinesCredential is not available: environment variable SYSTEM_ACCESSTOKEN is not set.");
+
+            var message = Pipeline.HttpPipeline.CreateMessage();
+
+            var requestUri = new Uri($"{CollectionUri}{projectId}/_apis/distributedtask/hubs/build/plans/{planId}/jobs/{jobId}/oidctoken?api-version={OIDC_API_VERSION}&serviceConnectionId={serviceConnectionId}");
+            message.Request.Uri.Reset(requestUri);
+            message.Request.Headers.SetValue(HttpHeader.Names.Authorization, $"Bearer {systemToken}");
+            message.Request.Headers.SetValue(HttpHeader.Names.ContentType, "application/json");
+            return message;
+        }
+
+        internal string GetOidcTokenResponse(HttpMessage message)
+        {
+            Utf8JsonReader reader = new Utf8JsonReader(message.Response.Content);
+            string oidcToken = null;
+            while (oidcToken is null && reader.Read())
+            {
+                if (reader.TokenType == JsonTokenType.PropertyName)
+                {
+                    switch (reader.GetString())
+                    {
+                        case "oidcToken":
+                            reader.Read();
+                            oidcToken = reader.GetString();
+                            break;
+                    }
+                }
+            }
+            return oidcToken ?? throw new AuthenticationFailedException("OIDC token not found in response.");
+        }
+    }
+}

sdk/identity/Azure.Identity/src/Credentials/AzurePipelinesCredentialOptions.cs

@@ -0,0 +1,52 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+
+namespace Azure.Identity
+{
+    /// <summary>
+    /// Options used to configure the <see cref="AzurePipelinesCredential"/>.
+    /// </summary>
+    public class AzurePipelinesCredentialOptions : TokenCredentialOptions, ISupportsDisableInstanceDiscovery, ISupportsAdditionallyAllowedTenants, ISupportsTokenCachePersistenceOptions
+    {
+        internal CredentialPipeline Pipeline { get; set; }
+
+        internal MsalConfidentialClient MsalClient { get; set; }
+
+        /// <summary>
+        /// The security token used by the running build.
+        /// </summary>
+        internal string SystemAccessToken { get; set; } = Environment.GetEnvironmentVariable("SYSTEM_ACCESSTOKEN");
+
+        /// <summary>
+        /// The URI of the TFS collection or Azure DevOps organization.
+        /// </summary>
+        internal string CollectionUri { get; set; } = Environment.GetEnvironmentVariable("SYSTEM_TEAMFOUNDATIONCOLLECTIONURI");
+
+        /// <summary>
+        /// A unique identifier for a single attempt of a single job. The value is unique to the current pipeline.
+        /// </summary>
+        internal string JobId { get; set; } = Environment.GetEnvironmentVariable("SYSTEM_JOBID");
+
+        /// <summary>
+        /// A string-based identifier for a single pipeline run.
+        /// </summary>
+        internal string PlanId { get; set; } = Environment.GetEnvironmentVariable("SYSTEM_PLANID");
+
+        /// <summary>
+        /// The ID of the project that this build belongs to.
+        /// </summary>
+        internal string TeamProjectId { get; set; } = Environment.GetEnvironmentVariable("SYSTEM_TEAMPROJECTID");
+
+        /// <inheritdoc/>
+        public IList<string> AdditionallyAllowedTenants { get; internal set; } = new List<string>();
+
+        /// <inheritdoc/>
+        public bool DisableInstanceDiscovery { get; set; }
+
+        /// <inheritdoc/>
+        public TokenCachePersistenceOptions TokenCachePersistenceOptions { get; set; }
+    }
+}

sdk/identity/Azure.Identity/src/Credentials/ClientAssertionCredential.cs

@@ -18,12 +18,10 @@ namespace Azure.Identity
     public class ClientAssertionCredential : TokenCredential
     {
         internal readonly string[] AdditionallyAllowedTenantIds;
-
         internal string TenantId { get; }
         internal string ClientId { get; }
         internal MsalConfidentialClient Client { get; }
         internal CredentialPipeline Pipeline { get; }
-        internal bool AllowMultiTenantAuthentication { get; }
         internal TenantIdResolverBase TenantIdResolver { get; }
 
         /// <summary>
@@ -46,8 +44,8 @@ public ClientAssertionCredential(string tenantId, string clientId, Func<Cancella
             TenantId = Validations.ValidateTenantId(tenantId, nameof(tenantId));
             ClientId = clientId;
 
-            Client = options?.MsalClient ?? new MsalConfidentialClient(options?.Pipeline ?? CredentialPipeline.GetInstance(options), tenantId, clientId, assertionCallback, options);
-            Pipeline = options?.Pipeline ?? options?.Pipeline ?? CredentialPipeline.GetInstance(options);
+            Pipeline = options?.Pipeline ?? CredentialPipeline.GetInstance(options);
+            Client = options?.MsalClient ?? new MsalConfidentialClient(Pipeline, tenantId, clientId, assertionCallback, options);
             TenantIdResolver = options?.TenantIdResolver ?? TenantIdResolverBase.Default;
             AdditionallyAllowedTenantIds = TenantIdResolver.ResolveAddionallyAllowedTenantIds((options as ISupportsAdditionallyAllowedTenants)?.AdditionallyAllowedTenants);
         }