add default identity provider as well

Author: ndyakov

authority_configuration.go

@@ -0,0 +1,59 @@
+package entraid
+
+import "fmt"
+
+const (
+	// AuthorityTypeDefault is the default authority type.
+	// This is used to specify the authority type when requesting a token.
+	AuthorityTypeDefault = "default"
+	// AuthorityTypeMultiTenant is the multi-tenant authority type.
+	// This is used to specify the multi-tenant authority type when requesting a token.
+	// This type of authority is used to authenticate the identity when requesting a token.
+	AuthorityTypeMultiTenant = "multi-tenant"
+	// AuthorityTypeCustom is the custom authority type.
+	// This is used to specify the custom authority type when requesting a token.
+	AuthorityTypeCustom = "custom"
+)
+
+// AuthorityConfiguration represents the authority configuration for the identity provider.
+// It is used to configure the authority type and authority URL when requesting a token.
+type AuthorityConfiguration struct {
+	// AuthorityType is the type of authority used to authenticate with the identity provider.
+	// This can be either "default", "multi-tenant", or "custom".
+	AuthorityType string
+
+	// Authority is the authority used to authenticate with the identity provider.
+	// This is typically the URL of the identity provider.
+	// For example, "https://login.microsoftonline.com/{tenantID}/v2.0"
+	Authority string
+
+	// TenantID is the tenant ID of the identity provider.
+	// This is used to identify the tenant when requesting a token.
+	// This is typically the ID of the Azure Active Directory tenant.
+	TenantID string
+}
+
+// getAuthority returns the authority URL based on the authority type.
+// The authority type can be either "default", "multi-tenant", or "custom".
+func (a AuthorityConfiguration) getAuthority() (string, error) {
+	if a.AuthorityType == "" {
+		a.AuthorityType = AuthorityTypeDefault
+	}
+
+	switch a.AuthorityType {
+	case AuthorityTypeDefault:
+		return "https://login.microsoftonline.com/common", nil
+	case AuthorityTypeMultiTenant:
+		if a.TenantID == "" {
+			return "", fmt.Errorf("tenant ID is required when using multi-tenant authority type")
+		}
+		return fmt.Sprintf("https://login.microsoftonline.com/%s", a.TenantID), nil
+	case AuthorityTypeCustom:
+		if a.Authority == "" {
+			return "", fmt.Errorf("authority is required when using custom authority type")
+		}
+		return a.Authority, nil
+	default:
+		return "", fmt.Errorf("invalid authority type: %s", a.AuthorityType)
+	}
+}

azure_default_identity_provider.go

@@ -0,0 +1,46 @@
+package entraid
+
+import (
+	"context"
+	"time"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+)
+
+// DefaultAzureIdentityProviderOptions represents the options for the DefaultAzureIdentityProvider.
+type DefaultAzureIdentityProviderOptions struct {
+	// Scopes is the list of scopes used to request a token from the identity provider.
+	AzureOptions *azidentity.DefaultAzureCredentialOptions
+	Scopes       []string
+}
+
+type DefaultAzureIdentityProvider struct {
+	options *azidentity.DefaultAzureCredentialOptions
+	scopes  []string
+}
+
+// NewDefaultAzureIdentityProvider creates a new DefaultAzureIdentityProvider.
+func NewDefaultAzureIdentityProvider(opts DefaultAzureIdentityProviderOptions) (*DefaultAzureIdentityProvider, error) {
+	if opts.Scopes == nil {
+		opts.Scopes = []string{RedisScopeDefault}
+	}
+
+	return &DefaultAzureIdentityProvider{options: opts.AzureOptions, scopes: opts.Scopes}, nil
+}
+
+// RequestToken requests a token from the Azure Default Identity provider.
+// It returns the token, the expiration time, and an error if any.
+func (a *DefaultAzureIdentityProvider) RequestToken() (string, time.Time, error) {
+	cred, err := azidentity.NewDefaultAzureCredential(a.options)
+	if err != nil {
+		return "", time.Time{}, err
+	}
+
+	token, err := cred.GetToken(context.TODO(), policy.TokenRequestOptions{Scopes: a.scopes})
+	if err != nil {
+		return "", time.Time{}, err
+	}
+
+	return token.Token, token.ExpiresOn.UTC(), nil
+}

confidential_identity_provider.go

@@ -3,79 +3,14 @@ package entraid
 import (
 	"context"
 	"crypto"
-	"errors"
+	"crypto/x509"
 	"fmt"
-	confidential "github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
-)
+	"time"
 
-import "crypto/x509"
-
-const (
-	// AuthorityTypeDefault is the default authority type.
-	// This is used to specify the authority type when requesting a token.
-	AuthorityTypeDefault = "default"
-	// AuthorityTypeMultiTenant is the multi-tenant authority type.
-	// This is used to specify the multi-tenant authority type when requesting a token.
-	// This type of authority is used to authenticate the identity when requesting a token.
-	AuthorityTypeMultiTenant = "multi-tenant"
-	// AuthorityTypeCustom is the custom authority type.
-	// This is used to specify the custom authority type when requesting a token.
-	AuthorityTypeCustom = "custom"
+	confidential "github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
 )
 
-type AuthorityConfiguration struct {
-	// AuthorityType is the type of authority used to authenticate with the identity provider.
-	// This can be either "default", "multi-tenant", or "custom".
-	AuthorityType string
-
-	// Authority is the authority used to authenticate with the identity provider.
-	// This is typically the URL of the identity provider.
-	// For example, "https://login.microsoftonline.com/{tenantID}/v2.0"
-	Authority string
-
-	// TenantID is the tenant ID of the identity provider.
-	// This is used to identify the tenant when requesting a token.
-	// This is typically the ID of the Azure Active Directory tenant.
-	TenantID string
-}
-
-func (a AuthorityConfiguration) GetAuthority() (string, error) {
-	if a.AuthorityType == "" {
-		a.AuthorityType = AuthorityTypeDefault
-	}
-
-	switch a.AuthorityType {
-	case AuthorityTypeDefault:
-		return "https://login.microsoftonline.com/common", nil
-	case AuthorityTypeMultiTenant:
-		if a.TenantID == "" {
-			return "", errors.New("tenant ID is required when using multi-tenant authority type")
-		}
-		return fmt.Sprintf("https://login.microsoftonline.com/%s", a.TenantID), nil
-	case AuthorityTypeCustom:
-		if a.Authority == "" {
-			return "", errors.New("authority is required when using custom authority type")
-		}
-		return a.Authority, nil
-	default:
-		return "", errors.New("invalid authority type")
-	}
-}
-
-type ConfidentialIdentityProvider struct {
-	// clientID is the client ID used to authenticate with the identity provider.
-	clientID string
-
-	// credential is the credential used to authenticate with the identity provider.
-	credential confidential.Credential
-
-	// scopes is the list of scopes used to request a token from the identity provider.
-	scopes []string
-
-	// client confidential is the client used to request a token from the identity provider.
-	client *confidential.Client
-}
-
+// ConfidentialIdentityProviderOptions represents the options for the confidential identity provider.
 type ConfidentialIdentityProviderOptions struct {
 	// ClientID is the client ID used to authenticate with the identity provider.
 	ClientID string
@@ -99,21 +34,42 @@ type ConfidentialIdentityProviderOptions struct {
 	Authority AuthorityConfiguration
 }
 
+// ConfidentialIdentityProvider represents a confidential identity provider.
+type ConfidentialIdentityProvider struct {
+	// clientID is the client ID used to authenticate with the identity provider.
+	clientID string
+
+	// credential is the credential used to authenticate with the identity provider.
+	credential confidential.Credential
+
+	// scopes is the list of scopes used to request a token from the identity provider.
+	scopes []string
+
+	// client confidential is the client used to request a token from the identity provider.
+	client *confidential.Client
+}
+
+// NewConfidentialIdentityProvider creates a new confidential identity provider.
+// It is used to configure the identity provider when requesting a token.
+// It is used to specify the client ID, tenant ID, and scopes for the identity.
+// It is also used to specify the type of credentials used to authenticate with the identity provider.
+// The credentials can be either a client secret or a client certificate.
+// The authority is used to authenticate with the identity provider.
 func NewConfidentialIdentityProvider(opts ConfidentialIdentityProviderOptions) (*ConfidentialIdentityProvider, error) {
 	var credential confidential.Credential
 	var authority string
 	var err error
 
 	if opts.ClientID == "" {
-		return nil, errors.New("client ID is required")
+		return nil, fmt.Errorf("client ID is required")
 	}
 
 	if opts.CredentialsType != ClientSecretCredentialType && opts.CredentialsType != ClientCertificateCredentialType {
-		return nil, errors.New("invalid credentials type")
+		return nil, fmt.Errorf("invalid credentials type")
 	}
 
 	// Get the authority from the authority configuration.
-	authority, err = opts.Authority.GetAuthority()
+	authority, err = opts.Authority.getAuthority()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get authority: %w", err)
 	}
@@ -122,7 +78,7 @@ func NewConfidentialIdentityProvider(opts ConfidentialIdentityProviderOptions) (
 	case ClientSecretCredentialType:
 		// ClientSecretCredentialType is the type of credentials that uses a client secret to authenticate.
 		if opts.ClientSecret == "" {
-			return nil, errors.New("client secret is required when using client secret credentials")
+			return nil, fmt.Errorf("client secret is required when using client secret credentials")
 		}
 
 		credential, err = confidential.NewCredFromSecret(opts.ClientSecret)
@@ -132,10 +88,10 @@ func NewConfidentialIdentityProvider(opts ConfidentialIdentityProviderOptions) (
 	case ClientCertificateCredentialType:
 		// ClientCertificateCredentialType is the type of credentials that uses a client certificate to authenticate.
 		if opts.ClientCert == nil {
-			return nil, errors.New("client certificate is required when using client certificate credentials")
+			return nil, fmt.Errorf("client certificate is required when using client certificate credentials")
 		}
 		if opts.ClientPrivateKey == nil {
-			return nil, errors.New("client private key is required when using client certificate credentials")
+			return nil, fmt.Errorf("client private key is required when using client certificate credentials")
 		}
 		credential, err = confidential.NewCredFromCert(opts.ClientCert, opts.ClientPrivateKey)
 		if err != nil {
@@ -160,15 +116,18 @@ func NewConfidentialIdentityProvider(opts ConfidentialIdentityProviderOptions) (
 	}, nil
 }
 
-func (c *ConfidentialIdentityProvider) RequestToken() (string, error) {
+// RequestToken requests a token from the identity provider.
+// It returns the token, the expiration time, and an error if any.
+// The token is used to authenticate the identity when requesting a token.
+func (c *ConfidentialIdentityProvider) RequestToken() (string, time.Time, error) {
 	if c.client == nil {
-		return "", errors.New("client is not initialized")
+		return "", time.Time{}, fmt.Errorf("client is not initialized")
 	}
 
 	result, err := c.client.AcquireTokenByCredential(context.TODO(), c.scopes)
 	if err != nil {
-		return "", fmt.Errorf("failed to acquire token: %w", err)
+		return "", time.Time{}, fmt.Errorf("failed to acquire token: %w", err)
 	}
 
-	return result.AccessToken, nil
+	return result.AccessToken, result.ExpiresOn.UTC(), nil
 }

credentials_provider.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"sync"
 
-	"github.com/redis/go-redis/v9/auth"
+	auth "github.com/redis/go-redis/v9/auth"
 )
 
 // entraidCredentialsProvider implements the auth.StreamingCredentialsProvider interface.

go.mod

@@ -4,6 +4,21 @@ go 1.18
 
 replace github.com/redis/go-redis/v9 => /Users/nedyalko.dyakov/go-redis/
 
-require github.com/redis/go-redis/v9 v9.7.1
+require (
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2
+	github.com/redis/go-redis/v9 v9.7.1
+)
 
-require github.com/AzureAD/microsoft-authentication-library-for-go v1.4.1 // indirect
+require (
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.1
+	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
+	golang.org/x/crypto v0.33.0 // indirect
+	golang.org/x/net v0.35.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
+)

go.sum

@@ -1,5 +1,34 @@
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 h1:g0EZJwz7xkXQiZAI5xi9f3WWFYBlX1CPTrR+NDToRkQ=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0/go.mod h1:XCW7KnZet0Opnr7HccfUw1PLc4CjHqpcaxW8DHklNkQ=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2 h1:F0gBpfdPLGsw+nsgk6aqqkZS1jiixa5WwFe3fk/T3Ys=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2/go.mod h1:SqINnQ9lVVdRlyC8cd1lCI0SdX4n2paeABd2K8ggfnE=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY=
+github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.4.1 h1:8BKxhZZLX/WosEeoCvWysmKUscfa9v8LIPEEU0JjE2o=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.4.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
-github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
-github.com/redis/go-redis/v9 v9.7.1/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6 h1:IsMZxCuZqKuao2vNdfD82fjjgPLfyHLpR41Z88viRWs=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
+golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=