Add Azure spiffe oidc auth profile (#3797)

Signed-off-by: Jonathan Collinge <[email protected]>

Author: jjcollinge

common/authentication/aws/x509.go

@@ -143,7 +143,7 @@ func (a *x509) Close() error {
 
 func (a *x509) getCertPEM(ctx context.Context) error {
 	// retrieve svid from spiffe context
-	svid, ok := spiffecontext.From(ctx)
+	svid, ok := spiffecontext.X509From(ctx)
 	if !ok {
 		return errors.New("no SVID found in context")
 	}

common/authentication/aws/x509_test.go

@@ -117,7 +117,7 @@ func TestGetX509Client(t *testing.T) {
 			require.NoError(t, err)
 
 			// inject the SVID source into the context
-			ctx = spiffecontext.With(ctx, s)
+			ctx = spiffecontext.WithX509(ctx, s.X509SVIDSource())
 			session, err := mockAWS.createOrRefreshSession(ctx)
 
 			require.NoError(t, err)

common/authentication/azure/auth.go

@@ -139,6 +139,17 @@ func (s EnvironmentSettings) addWorkloadIdentityProvider(creds *[]azcore.TokenCr
 	}
 }
 
+func (s EnvironmentSettings) addSpiffeWorkloadIdentityProvider(creds *[]azcore.TokenCredential, errs *[]error) {
+	if c, e := s.GetSpiffeWorkloadIdentity(); e == nil {
+		cred, err := c.GetTokenCredential()
+		if err == nil {
+			*creds = append(*creds, cred)
+		} else {
+			*errs = append(*errs, err)
+		}
+	}
+}
+
 func (s EnvironmentSettings) addManagedIdentityProvider(timeout time.Duration, creds *[]azcore.TokenCredential, errs *[]error) {
 	c := s.GetMSI()
 	msiCred, err := c.GetTokenCredential()
@@ -172,6 +183,8 @@ func (s EnvironmentSettings) addProviderByAuthMethodName(authMethod string, cred
 		s.addClientCertificateProvider(creds, errs)
 	case "workloadidentity", "wi":
 		s.addWorkloadIdentityProvider(creds, errs)
+	case "spiffeworkloadidentity", "spiffe":
+		s.addSpiffeWorkloadIdentityProvider(creds, errs)
 	case "managedidentity", "mi":
 		s.addManagedIdentityProvider(1*time.Second, creds, errs)
 	case "commandlineinterface", "cli":
@@ -180,22 +193,23 @@ func (s EnvironmentSettings) addProviderByAuthMethodName(authMethod string, cred
 }
 
 func getAzureAuthMethods() []string {
-	return []string{"clientcredentials", "creds", "clientcertificate", "cert", "workloadidentity", "wi", "managedidentity", "mi", "commandlineinterface", "cli", "none"}
+	return []string{"clientcredentials", "creds", "clientcertificate", "cert", "workloadidentity", "wi", "spiffeworkloadidentity", "spiffe", "managedidentity", "mi", "commandlineinterface", "cli", "none"}
 }
 
 // GetTokenCredential returns an azcore.TokenCredential retrieved from the order specified via
 // the azureAuthMethods component metadata property which denotes a comma-separated list of auth methods to try in order.
 // The possible values contained are (case-insensitive):
-// ServicePrincipal, Certificate, WorkloadIdentity, ManagedIdentity, CLI
+// ServicePrincipal, Certificate, WorkloadIdentity, SPIFFEWorkloadIdentity, ManagedIdentity, CLI
 // The string "None" can be used to disable Azure authentication.
 //
 // If the azureAuthMethods property is not present, the following order is used (which with the exception of step 5
 // matches the DefaultAzureCredential order):
 // 1. Client credentials
 // 2. Client certificate
 // 3. Workload identity
-// 4. MSI (we use a timeout of 1 second when no compatible managed identity implementation is available)
-// 5. Azure CLI
+// 4. SPIFFE workload identity
+// 5. MSI (we use a timeout of 1 second when no compatible managed identity implementation is available)
+// 6. Azure CLI
 func (s EnvironmentSettings) GetTokenCredential() (azcore.TokenCredential, error) {
 	// Create a chain
 	var creds []azcore.TokenCredential
@@ -212,10 +226,13 @@ func (s EnvironmentSettings) GetTokenCredential() (azcore.TokenCredential, error
 		// 3. Workload identity
 		s.addWorkloadIdentityProvider(&creds, &errs)
 
-		// 4. MSI with timeout of 1 second (same as DefaultAzureCredential)
+		// 4. SPIFFE workload identity
+		s.addSpiffeWorkloadIdentityProvider(&creds, &errs)
+
+		// 5. MSI with timeout of 1 second (same as DefaultAzureCredential)
 		s.addManagedIdentityProvider(1*time.Second, &creds, &errs)
 
-		// 5. AzureCLICredential
+		// 6. AzureCLICredential
 		// We omit this if running in a cloud environment
 		if !isCloudServiceWithManagedIdentity() {
 			s.addCLIProvider(30*time.Second, &creds, &errs)

common/authentication/azure/spiffe.go

@@ -0,0 +1,92 @@
+/*
+Copyright 2025 The Dapr Authors
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azure
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/spiffe/go-spiffe/v2/svid/jwtsvid"
+
+	spiffecontext "github.com/dapr/kit/crypto/spiffe/context"
+)
+
+const (
+	//nolint:gosec
+	AzureADTokenExchangeAudience = "api://AzureADTokenExchange"
+)
+
+// SpiffeWorkloadIdentityConfig provides the options to get a bearer authorizer using SPIFFE-based workload identity.
+type SpiffeWorkloadIdentityConfig struct {
+	TenantID   string
+	ClientID   string
+	AzureCloud *cloud.Configuration
+}
+
+// GetTokenCredential returns the azcore.TokenCredential object using a SPIFFE JWT token.
+func (c SpiffeWorkloadIdentityConfig) GetTokenCredential() (azcore.TokenCredential, error) {
+	if c.TenantID == "" || c.ClientID == "" {
+		return nil, errors.New("parameters clientId and tenantId must be present for SPIFFE workload identity")
+	}
+
+	var opts *azidentity.ClientAssertionCredentialOptions
+	if c.AzureCloud != nil {
+		opts = &azidentity.ClientAssertionCredentialOptions{
+			ClientOptions: azcore.ClientOptions{
+				Cloud: *c.AzureCloud,
+			},
+		}
+	}
+
+	// Create a token provider function that retrieves the JWT from SPIFFE context
+	tokenProvider := func(ctx context.Context) (string, error) {
+		tknSource, ok := spiffecontext.JWTFrom(ctx)
+		if !ok {
+			return "", errors.New("failed to get JWT SVID source from context")
+		}
+		jwt, err := tknSource.FetchJWTSVID(ctx, jwtsvid.Params{
+			Audience: AzureADTokenExchangeAudience,
+		})
+		if err != nil {
+			return "", fmt.Errorf("failed to get JWT SVID: %w", err)
+		}
+		return jwt.Marshal(), nil
+	}
+
+	return azidentity.NewClientAssertionCredential(c.TenantID, c.ClientID, tokenProvider, opts)
+}
+
+// GetSpiffeWorkloadIdentity creates a config object from the available SPIFFE workload identity credentials.
+// An error is returned if required credentials are not available.
+func (s EnvironmentSettings) GetSpiffeWorkloadIdentity() (config SpiffeWorkloadIdentityConfig, err error) {
+	azureCloud, err := s.GetAzureEnvironment()
+	if err != nil {
+		return config, err
+	}
+
+	config.ClientID, _ = s.GetEnvironment("ClientID")
+	config.TenantID, _ = s.GetEnvironment("TenantID")
+
+	if config.ClientID == "" || config.TenantID == "" {
+		return config, errors.New("parameters clientId and tenantId must be present for SPIFFE workload identity")
+	}
+
+	config.AzureCloud = azureCloud
+
+	return config, nil
+}

common/component/azure/blobstorage/client.go

@@ -161,7 +161,6 @@ func (opts *ContainerClientOpts) InitContainerClient(azEnvSettings azauth.Enviro
 		if err != nil {
 			return nil, fmt.Errorf("cannot init blob storage container client with shared key: %w", err)
 		}
-
 	// Use Azure AD as fallback
 	default:
 		credential, tokenErr := azEnvSettings.GetTokenCredential()

state/azure/blobstorage/v2/metadata.yaml

@@ -19,6 +19,23 @@ builtinAuthenticationProfiles:
         sensitive: false
         description: "The storage account name"
         example: '"mystorageaccount"'
+  - name: "azuread.spiffe"
+    metadata:
+      - name: accountName
+        required: true
+        sensitive: false
+        description: "The storage account name"
+        example: '"mystorageaccount"'
+      - name: tenantId
+        required: true
+        sensitive: false
+        description: "The Azure AD tenant ID"
+        example: '"00000000-0000-0000-0000-000000000000"'
+      - name: clientId
+        required: true
+        sensitive: false
+        description: "The Azure AD client ID (application ID)"
+        example: '"00000000-0000-0000-0000-000000000000"'
 authenticationProfiles:
   - title: "Connection string"
     description: "Authenticate using a connection string."