
[FEATURE REQ] Authenticating a service principal with a federation token

Open nv-sankalpk opened this issue 2 years ago • 1 comments

Azure CLI has a way to authenticate to the service principal using the federation token, but I do not see any ClientFederationTokenBuilder class similar to ClientSecretCredentialBuilder and ClientCertificateCredentialBuilder.

`az login --service-principal -u <client_id> -t <tenant_id> --federated-token <identity_Token>`

Can you please add support for authenticating a Service Principal using federation in the Azure Java SDK?

nv-sankalpk avatar Oct 06 '23 11:10 nv-sankalpk

Thanks for filing this request, @nv-sankalpk. @g2vinay @billwert could you please take a look as a potential improvement for next semester?

joshfree avatar Oct 10 '23 16:10 joshfree

@nv-sankalpk

Can you describe the use case you're looking for?

How do you intend to use ClientFederationTokenCredential? What logic does this credential use to get a token and return it?

g2vinay avatar Jul 29 '24 17:07 g2vinay

@g2vinay

I am not the original poster, but I subscribed to updates here out of interest for my own use case. Rather than fetching a token, I believe this request is to allow a token to be passed in externally via the CLI to authenticate, like the az login example that @nv-sankalpk provided. Since the token is passed in as input, there would not be a need to fetch one.

In my specific case, I would like to configure an Azure DevOps pipeline to use the jarsigner utility with the Azure KeyVault JCA to digitally sign JAR files. Instead of copying the client id/secret into pipeline variables, I would like to use the new workload identity federation feature to authenticate without storing sensitive credentials.

In my .NET applications I can do this by getting the token from the pipeline and passing it as an option to AzureSignTool, but a similar option does not exist here that I can use for the Azure KeyVault JCA.

MrWellington avatar Jul 29 '24 19:07 MrWellington

@nv-sankalpk and @MrWellington

Azure Identity offers the Azure CLI credential, which fetches a token on behalf of the logged-in user/service principal. On your end, if you ensure you're logged in to the Azure CLI, the Azure CLI credential can be used to fetch the token.

Further, for this use case, you can try OnBehalfOfCredential.

The OnBehalfOfTokenCredential class in Azure Identity SDK is designed for scenarios where you have an existing token (such as an identity token from a federated identity provider) and you need to exchange it for an access token that can be used to call Azure services.

Code Sample:

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.OnBehalfOfCredentialBuilder;

// Placeholders in angle brackets are replaced with the app registration's values
// and the externally obtained federated token.
TokenCredential onBehalfOfCredential = new OnBehalfOfCredentialBuilder()
    .clientId("<app-client-ID>")
    .clientSecret("<app-Client-Secret>")
    .tenantId("<app-tenant-ID>")
    .userAssertion("<federated-token>")
    .build();
```

g2vinay avatar Aug 14 '24 18:08 g2vinay
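The scenario @nv-sankalpk and @MrWellington describe (a token issued by an external identity provider, handed to the SDK as input rather than fetched by it) is, at the protocol level, an OAuth2 client credentials grant in which the federated token is sent as a `client_assertion` of type `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, so no client secret or certificate is needed. The following is an added example, not code from this thread or from the SDK maintainers. It assumes a recent azure-identity release that ships `ClientAssertionCredentialBuilder` (the builder's `clientAssertion(Supplier<String>)` method is the one used here), the standard `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_FEDERATED_TOKEN_FILE` environment variables, and a constructed variable name `FEDERATED_TOKEN` for a pipeline that exposes the token inline.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.ClientAssertionCredentialBuilder;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.function.Supplier;

public final class FederatedTokenCredentialExample {

    // Builds a TokenCredential for a service principal from an externally issued
    // federated token (the same input `az login --federated-token` takes).
    // azure-identity sends the token as an OAuth2 client assertion
    // (client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer),
    // so neither a client secret nor a certificate is stored in the pipeline.
    static TokenCredential federatedCredential(String tenantId, String clientId,
                                               Supplier<String> assertionSupplier) {
        return new ClientAssertionCredentialBuilder()
            .tenantId(tenantId)
            .clientId(clientId)
            .clientAssertion(assertionSupplier)
            .build();
    }

    // Reads the federated token lazily, on every acquisition, because such tokens are
    // short-lived: caching the string once at startup would break later renewals.
    // FEDERATED_TOKEN is a constructed name for an inline token; AZURE_FEDERATED_TOKEN_FILE
    // is the path convention used by Azure workload identity.
    static Supplier<String> tokenFromEnvOrFile(String envVar, String fileVar) {
        return () -> {
            String inline = System.getenv(envVar);
            if (inline != null && !inline.isBlank()) {
                return inline.trim();
            }
            String path = System.getenv(fileVar);
            if (path == null || path.isBlank()) {
                throw new IllegalStateException("no federated token available in " + envVar + " or " + fileVar);
            }
            try {
                return Files.readString(Path.of(path)).trim();
            } catch (IOException e) {
                throw new IllegalStateException("cannot read federated token file " + path, e);
            }
        };
    }

    public static void main(String[] args) {
        TokenCredential credential = federatedCredential(
            System.getenv("AZURE_TENANT_ID"),
            System.getenv("AZURE_CLIENT_ID"),
            tokenFromEnvOrFile("FEDERATED_TOKEN", "AZURE_FEDERATED_TOKEN_FILE"));

        // Exchange the assertion for an access token scoped to Key Vault, the audience
        // a signing step such as the Key Vault JCA provider would need.
        AccessToken token = credential
            .getToken(new TokenRequestContext().addScopes("https://vault.azure.net/.default"))
            .block();

        // Only the expiry is printed; the bearer token itself never goes to the build log.
        System.out.println("access token acquired, expires at " + token.getExpiresAt());
    }
}
```

The `Supplier` indirection is the part worth keeping whatever the surrounding tooling: the credential calls it each time it needs a new assertion, so a pipeline that rotates the federated token between steps keeps working, and the token never has to be copied into a long-lived variable.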