Identity Updates Oct 2021 (#25098)

eng/jacoco-test-coverage/pom.xml

@@ -204,7 +204,7 @@
     <dependency>
       <groupId>com.azure</groupId>
       <artifactId>azure-identity</artifactId>
-      <version>1.5.0-beta.1</version> <!-- {x-version-update;com.azure:azure-identity;current} -->
+      <version>1.4.1</version> <!-- {x-version-update;com.azure:azure-identity;current} -->
     </dependency>
     <dependency>
       <groupId>com.azure</groupId>

eng/versioning/version_client.txt

@@ -88,7 +88,7 @@ com.azure:azure-data-tables;12.1.3;12.2.0-beta.1
 com.azure:azure-data-tables-perf;1.0.0-beta.1;1.0.0-beta.1
 com.azure:azure-digitaltwins-core;1.1.3;1.2.0-beta.1
 com.azure:azure-e2e;1.0.0-beta.1;1.0.0-beta.1
-com.azure:azure-identity;1.4.0;1.5.0-beta.1
+com.azure:azure-identity;1.4.0;1.4.1
 com.azure:azure-identity-perf;1.0.0-beta.1;1.0.0-beta.1
 com.azure:azure-iot-deviceupdate;1.0.0-beta.1;1.0.0-beta.2
 com.azure:azure-iot-modelsrepository;1.0.0-beta.1;1.0.0-beta.2

sdk/e2e/pom.xml

@@ -33,7 +33,7 @@
     <dependency>
       <groupId>com.azure</groupId>
       <artifactId>azure-identity</artifactId>
-      <version>1.5.0-beta.1</version> <!-- {x-version-update;com.azure:azure-identity;current} -->
+      <version>1.4.1</version> <!-- {x-version-update;com.azure:azure-identity;current} -->
     </dependency>
     <dependency>
       <groupId>com.azure</groupId>

sdk/identity/azure-identity-perf/pom.xml

@@ -27,7 +27,7 @@
     <dependency>
       <groupId>com.azure</groupId>
       <artifactId>azure-identity</artifactId>
-      <version>1.5.0-beta.1</version> <!-- {x-version-update;com.azure:azure-identity;current} -->
+      <version>1.4.1</version> <!-- {x-version-update;com.azure:azure-identity;current} -->
     </dependency>
     <dependency>
       <groupId>com.azure</groupId>

sdk/identity/azure-identity/CHANGELOG.md

@@ -1,14 +1,13 @@
 # Release History
 
-## 1.5.0-beta.1 (Unreleased)
-
-### Features Added
-
-### Breaking Changes
-
-### Bugs Fixed
+## 1.4.1 (2021-11-09)
 
 ### Other Changes
+#### Dependency Updates
+- Upgraded `azure-core` dependency to 1.22.0
+
+#### Behavioral Changes
+- The `ManagedIdentityCredential` reads value of AZURE_POD_IDENTITY_TOKEN_URL environment variable from AZURE_POD_IDENTITY_AUTHORITY_HOST now.
 
 ## 1.4.0 (2021-10-14)
 

sdk/identity/azure-identity/pom.xml

@@ -6,7 +6,7 @@
 
   <groupId>com.azure</groupId>
   <artifactId>azure-identity</artifactId>
-  <version>1.5.0-beta.1</version> <!-- {x-version-update;com.azure:azure-identity;current} -->
+  <version>1.4.1</version> <!-- {x-version-update;com.azure:azure-identity;current} -->
 
   <name>Microsoft Azure client library for Identity</name>
   <description>This module contains client library for Microsoft Azure Identity.</description>

sdk/identity/azure-identity/src/main/java/com/azure/identity/ManagedIdentityCredential.java

@@ -30,8 +30,9 @@ public final class ManagedIdentityCredential implements TokenCredential {
 
 
     /**
-     * Creates an instance of the ManagedIdentityCredential.
-     * @param clientId the client id of user assigned or system assigned identity
+     * Creates an instance of the ManagedIdentityCredential with the client ID of a
+     * user-assigned identity, or app registration (when working with AKS pod-identity).
+     * @param clientId the client id of user assigned or app registration (when working with AKS pod-identity).
      * @param identityClientOptions the options for configuring the identity client.
      */
     ManagedIdentityCredential(String clientId, IdentityClientOptions identityClientOptions) {

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java

@@ -15,7 +15,6 @@
 import com.azure.core.http.policy.HttpPipelinePolicy;
 import com.azure.core.http.policy.HttpPolicyProviders;
 import com.azure.core.http.policy.RetryPolicy;
-import com.azure.core.util.Configuration;
 import com.azure.core.util.CoreUtils;
 import com.azure.core.util.logging.ClientLogger;
 import com.azure.core.util.serializer.JacksonAdapter;
@@ -339,6 +338,11 @@ public Mono<MsalToken> authenticateWithIntelliJ(TokenRequestContext request) {
         try {
             IntelliJCacheAccessor cacheAccessor = new IntelliJCacheAccessor(options.getIntelliJKeePassDatabasePath());
             IntelliJAuthMethodDetails authDetails = cacheAccessor.getAuthDetailsIfAvailable();
+            if (authDetails == null) {
+                return Mono.error(logger.logExceptionAsError(
+                    new CredentialUnavailableException("IntelliJ Authentication not available."
+                        + " Please log in with Azure Tools for IntelliJ plugin in the IDE.")));
+            }
             String authType = authDetails.getAuthMethod();
             if (authType.equalsIgnoreCase("SP")) {
                 Map<String, String> spDetails = cacheAccessor
@@ -396,9 +400,9 @@ public Mono<MsalToken> authenticateWithIntelliJ(TokenRequestContext request) {
                 logger.verbose("IntelliJ Authentication = > Only Service Principal and Device Code Authentication"
                     + " schemes are currently supported via IntelliJ Credential currently. Please ensure you used one"
                     + " of those schemes from Azure Tools for IntelliJ plugin.");
-                throw logger.logExceptionAsError(new CredentialUnavailableException(
+                return Mono.error(logger.logExceptionAsError(new CredentialUnavailableException(
                     "IntelliJ Authentication not available."
-                    + " Please login with Azure Tools for IntelliJ plugin in the IDE."));
+                    + " Please login with Azure Tools for IntelliJ plugin in the IDE.")));
             }
         } catch (IOException e) {
             return Mono.error(e);
@@ -1288,9 +1292,8 @@ public Mono<AccessToken> authenticateToIMDSEndpoint(TokenRequestContext request)
             return Mono.error(exception);
         }
 
-        String endpoint = Configuration.getGlobalConfiguration().get(
-            Configuration.PROPERTY_AZURE_POD_IDENTITY_TOKEN_URL,
-            IdentityConstants.DEFAULT_IMDS_ENDPOINT);
+        String endpoint = options.getImdsAuthorityHost().replaceAll("/+$", "")
+            + "/" + IdentityConstants.DEFAULT_IMDS_TOKENPATH;
 
         return checkIMDSAvailable(endpoint).flatMap(available -> Mono.fromCallable(() -> {
             int retry = 1;

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClientOptions.java

@@ -10,6 +10,7 @@
 import com.azure.identity.AzureAuthorityHosts;
 import com.azure.identity.AuthenticationRecord;
 import com.azure.identity.TokenCachePersistenceOptions;
+import com.azure.identity.implementation.util.IdentityConstants;
 import com.azure.identity.implementation.util.ValidationUtil;
 import com.microsoft.aad.msal4j.UserAssertion;
 
@@ -24,8 +25,10 @@
 public final class IdentityClientOptions {
     private static final int MAX_RETRY_DEFAULT_LIMIT = 3;
     public static final String AZURE_IDENTITY_DISABLE_MULTI_TENANT_AUTH = "AZURE_IDENTITY_DISABLE_MULTITENANTAUTH";
+    public static final String AZURE_POD_IDENTITY_AUTHORITY_HOST = "AZURE_POD_IDENTITY_AUTHORITY_HOST";
 
     private String authorityHost;
+    private String imdsAuthorityHost;
     private int maxRetry;
     private Function<Duration, Duration> retryTimeout;
     private ProxyOptions proxyOptions;
@@ -71,6 +74,13 @@ public IdentityClientOptions setAuthorityHost(String authorityHost) {
         return this;
     }
 
+    /**
+     * @return the AKS Pod Authority endpoint to acquire tokens.
+     */
+    public String getImdsAuthorityHost() {
+        return imdsAuthorityHost;
+    }
+
     /**
      * @return the max number of retries when an authentication request fails.
      */
@@ -395,6 +405,8 @@ public Configuration getConfiguration() {
     private IdentityClientOptions loadFromConfiugration(Configuration configuration) {
         authorityHost = configuration.get(Configuration.PROPERTY_AZURE_AUTHORITY_HOST,
             AzureAuthorityHosts.AZURE_PUBLIC_CLOUD);
+        imdsAuthorityHost = configuration.get(AZURE_POD_IDENTITY_AUTHORITY_HOST,
+            IdentityConstants.DEFAULT_IMDS_ENDPOINT);
         ValidationUtil.validateAuthHost(getClass().getSimpleName(), authorityHost);
         cp1Disabled = configuration.get(Configuration.PROPERTY_AZURE_IDENTITY_DISABLE_CP1, false);
         multiTenantAuthDisabled = configuration

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IntelliJCacheAccessor.java

@@ -46,8 +46,6 @@
 public class IntelliJCacheAccessor {
     private final ClientLogger logger = new ClientLogger(IntelliJCacheAccessor.class);
     private final String keePassDatabasePath;
-    private static final String INTELLIJ_CREDENTIAL_NOT_AVAILABLE_ERROR = "IntelliJ Authentication not available."
-              + " Please log in with Azure Tools for IntelliJ plugin in the IDE.";
     private static final byte[] CRYPTO_KEY = new byte[] {0x50, 0x72, 0x6f, 0x78, 0x79, 0x20, 0x43, 0x6f, 0x6e, 0x66,
         0x69, 0x67, 0x20, 0x53, 0x65, 0x63};
 
@@ -248,26 +246,22 @@ public IntelliJAuthMethodDetails getAuthDetailsIfAvailable() throws IOException
             }
         }
         if (authFile == null || !authFile.exists()) {
-            throw logger.logExceptionAsError(
-                    new CredentialUnavailableException(INTELLIJ_CREDENTIAL_NOT_AVAILABLE_ERROR));
+            return null;
         }
 
         IntelliJAuthMethodDetails authMethodDetails = parseAuthMethodDetails(authFile);
 
         String authType = authMethodDetails.getAuthMethod();
         if (CoreUtils.isNullOrEmpty(authType)) {
-            throw logger.logExceptionAsError(
-                    new CredentialUnavailableException(INTELLIJ_CREDENTIAL_NOT_AVAILABLE_ERROR));
+            return null;
         }
         if (authType.equalsIgnoreCase("SP")) {
             if (CoreUtils.isNullOrEmpty(authMethodDetails.getCredFilePath())) {
-                throw logger.logExceptionAsError(
-                        new CredentialUnavailableException(INTELLIJ_CREDENTIAL_NOT_AVAILABLE_ERROR));
+                return null;
             }
         } else if (authType.equalsIgnoreCase("DC")) {
             if (CoreUtils.isNullOrEmpty(authMethodDetails.getAccountEmail())) {
-                throw logger.logExceptionAsError(
-                        new CredentialUnavailableException(INTELLIJ_CREDENTIAL_NOT_AVAILABLE_ERROR));
+                return null;
             }
         }
         return authMethodDetails;

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/util/IdentityConstants.java

@@ -12,5 +12,7 @@ public class IdentityConstants {
     /**
      * The default IMDS authentication endpoint.
      */
-    public static final String DEFAULT_IMDS_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token";
+    public static final String DEFAULT_IMDS_ENDPOINT = "http://169.254.169.254";
+
+    public static final String DEFAULT_IMDS_TOKENPATH = "/metadata/identity/oauth2/token";
 }

sdk/identity/azure-identity/src/test/java/com/azure/identity/ManagedIdentityCredentialTest.java

@@ -101,7 +101,8 @@ public void testArcUserAssigned() throws Exception {
 
 
         // test
-        ManagedIdentityCredential credential = new ManagedIdentityCredentialBuilder().clientId(CLIENT_ID).build();
+        ManagedIdentityCredential credential = new ManagedIdentityCredentialBuilder()
+            .configuration(configuration).clientId(CLIENT_ID).build();
         StepVerifier.create(credential.getToken(request))
             .expectErrorMatches(t -> t instanceof ClientAuthenticationException)
             .verify();

sdk/identity/pom.xml

@@ -20,7 +20,7 @@
         <dependency>
           <groupId>com.azure</groupId>
           <artifactId>azure-identity</artifactId>
-          <version>1.5.0-beta.1</version> <!-- {x-version-update;com.azure:azure-identity;current} -->
+          <version>1.4.1</version> <!-- {x-version-update;com.azure:azure-identity;current} -->
         </dependency>
       </dependencies>