Skip to content

Azure Identity Examples

Vinay Gera edited this page Aug 9, 2021 · 16 revisions

Table of contents

Authenticating with DefaultAzureCredential

This example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the DefaultAzureCredential. There's also a compilable sample to create a Key Vault secret client you can copy-paste.

/**
 * The default credential first checks environment variables for configuration.
 * If environment configuration is incomplete, it will try managed identity.
 */
public void createDefaultAzureCredential() {
    DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder().build();

    // Azure SDK client builders accept the credential as a parameter
    SecretClient client = new SecretClientBuilder()
        .vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
        .credential(defaultCredential)
        .buildClient();
}

See more how to configure the DefaultAzureCredential on your workstation or Azure in Configure DefaultAzureCredential.

Authenticating a user assigned managed identity with DefaultAzureCredential

This example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the DefaultAzureCredential, deployed to an Azure resource with a user assigned managed identity configured.

See more about how to configure a user assigned managed identity for an Azure resource in Enable managed identity for Azure resources.

/**
 * The default credential will use the user assigned managed identity with the specified client ID.
 */
public void createDefaultAzureCredentialForUserAssignedManagedIdentity() {
    DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder()
        .managedIdentityClientId("<MANAGED_IDENTITY_CLIENT_ID>")
        .build();

    // Azure SDK client builders accept the credential as a parameter
    SecretClient client = new SecretClientBuilder()
        .vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
        .credential(defaultCredential)
        .buildClient();
}

Authenticating a user in Azure Toolkit for IntelliJ with DefaultAzureCredential

This example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the DefaultAzureCredential, on a workstation with IntelliJ IDEA installed, and the user has signed in with an Azure account to the Azure Toolkit for IntelliJ.

See more about how to configure your IntelliJ IDEA in Sign in Azure Toolkit for IntelliJ for IntelliJCredential.

/**
 * The default credential will use the KeePass database path to find the user account in IntelliJ on Windows.
 */
public void createDefaultAzureCredentialForIntelliJ() {
    DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder()
        // KeePass configuration required only for Windows. No configuration needed for Linux / Mac
        .intelliJKeePassDatabasePath("C:\\Users\\user\\AppData\\Roaming\\JetBrains\\IdeaIC2020.1\\c.kdbx")
        .build();

    // Azure SDK client builders accept the credential as a parameter
    SecretClient client = new SecretClientBuilder()
        .vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
        .credential(defaultCredential)
        .buildClient();
}

Authenticating a service principal with a client secret

This example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the ClientSecretCredential. There's also a compilable sample to create a Key Vault secret client you can copy-paste.

See more about how to create a service principal and get these values in Creating a Service Principal with the Azure CL.

/**
 *  Authenticate with client secret.
 */
public void createClientSecretCredential() {
    ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
        .clientId("<YOUR_CLIENT_ID>")
        .clientSecret("<YOUR_CLIENT_SECRET>")
        .tenantId("<YOUR_TENANT_ID>")
        .build();

    // Azure SDK client builders accept the credential as a parameter
    SecretClient client = new SecretClientBuilder()
        .vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
        .credential(clientSecretCredential)
        .buildClient();
}

Authenticating a service principal with a client certificate

This example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the ClientCertificateCredential. There's also a compilable sample to create a Key Vault secret client you can copy-paste.

See more about how to create a service principal and get these values in Creating a Service Principal with the Azure CL.

/**
 *  Authenticate with a client certificate.
 */
public void createClientCertificateCredential() {
    ClientCertificateCredential clientCertificateCredential = new ClientCertificateCredentialBuilder()
        .clientId("<YOUR_CLIENT_ID>")
        .pemCertificate("<PATH TO PEM CERTIFICATE>")
        // choose between either a PEM certificate or a PFX certificate
        //.pfxCertificate("<PATH TO PFX CERTIFICATE>", "PFX CERTIFICATE PASSWORD")
        .tenantId("<YOUR_TENANT_ID>")
        .build();

    // Azure SDK client builders accept the credential as a parameter
    SecretClient client = new SecretClientBuilder()
        .vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
        .credential(clientCertificateCredential)
        .buildClient();
}

Authenticating a user account with device code flow

This example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the DeviceCodeCredential on an IoT device. There's also a compilable sample to create a Key Vault secret client you can copy-paste.

See more about how to configure an AAD application for device code flow in Enable applications for device code flow

/**
 * Authenticate with device code credential.
 */
public void createDeviceCodeCredential() {
    DeviceCodeCredential deviceCodeCredential = new DeviceCodeCredentialBuilder()
        .challengeConsumer(challenge -> {
            // lets user know of the challenge
            System.out.println(challenge.getMessage());
        })
        .build();

    // Azure SDK client builders accept the credential as a parameter
    SecretClient client = new SecretClientBuilder()
        .vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
        .credential(deviceCodeCredential)
        .buildClient();
}

Authenticating a user account with username and password

This example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the UsernamePasswordCredential. The user must not have Multi-factor auth turned on. There's also a compilable sample to create a Key Vault secret client you can copy-paste.

/**
 * Authenticate with username, password.
 */
public void createUserNamePasswordCredential() {
    UsernamePasswordCredential usernamePasswordCredential = new UsernamePasswordCredentialBuilder()
        .clientId("<YOUR_CLIENT_ID>")
        .username("<YOUR_USERNAME>")
        .password("<YOUR_PASSWORD>")
        .build();

    // Azure SDK client builders accept the credential as a parameter
    SecretClient client = new SecretClientBuilder()
        .vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
        .credential(usernamePasswordCredential)
        .buildClient();
}

Authenticating a user account interactively in the browser

This example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the InteractiveBrowserCredential. There's also a compilable sample to create a Key Vault secret client you can copy-paste.

See more about how to configure an AAD application for interactive browser authentication and listen on a port locally in Enable applications for interactive browser oauth 2 flow

/**
 * Authenticate interactively in the browser.
 */
public void createInteractiveBrowserCredential() {
    InteractiveBrowserCredential interactiveBrowserCredential = new InteractiveBrowserCredentialBuilder()
        .clientId("<YOUR CLIENT ID>")
        .redirectUrl("http://localhost:8765"). //The registered redirect URL of the public client application 
        .build();

    // Azure SDK client builders accept the credential as a parameter
    SecretClient client = new SecretClientBuilder()
        .vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
        .credential(interactiveBrowserCredential)
        .buildClient();
}

Authenticating a user account with auth code flow

This example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the AuthorizationCodeCredential on a web application.

First, prompt the user to login at the URL documented at Microsoft identity platform and OAuth 2.0 authorization code flow. You will need the client id, tenant id, redirect URL, and the scopes your application plans to access.

Then create an API at the redirect URL with the following code to access the Key Vault service.

See more about how to configure an AAD application for oauth 2 auth code flow in Enable applications for oauth 2 auth code flow.

/**
 * Authenticate with authorization code.
 */
public void createAuthCodeCredential() {
    AuthorizationCodeCredential authCodeCredential = new AuthorizationCodeCredentialBuilder()
        .clientId("<YOUR CLIENT ID>")
        .authorizationCode("<AUTH CODE FROM QUERY PARAMETERS")
        .redirectUrl("<THE REDIRECT URL>")
        .build();
    // Azure SDK client builders accept the credential as a parameter
    SecretClient client = new SecretClientBuilder()
        .vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
        .credential(authCodeCredential)
        .buildClient();
}

Authenticating a user account with Azure CLI

This example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the AzureCliCredential on a workstation with Azure CLI installed and signed in.

See more about how to configure Azure CLI in Sign in Azure CLI for AzureCliCredential.

/**
 * Authenticate with Azure CLI.
 */
public void createAzureCliCredential() {
    AzureCliCredential cliCredential = new AzureCliCredentialBuilder().build();

    // Azure SDK client builders accept the credential as a parameter
    SecretClient client = new SecretClientBuilder()
        .vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
        .credential(cliCredential)
        .buildClient();
}

Authenticating a user account with IntelliJ IDEA

This example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the IntelliJCredential on a workstation with IntelliJ IDEA installed, and the user has signed in with an Azure account.

See more about how to configure your IntelliJ IDEA in Sign in Azure Toolkit for IntelliJ for IntelliJCredential.

/**
 * Authenticate with IntelliJ IDEA.
 */
public void createIntelliJCredential() {
    IntelliJCredential intelliJCredential = new IntelliJCredentialBuilder()
        // KeePass configuration required only for Windows. No configuration needed for Linux / Mac
        .keePassDatabasePath("C:\\Users\\user\\AppData\\Roaming\\JetBrains\\IdeaIC2020.1\\c.kdbx")
        .build();

    // Azure SDK client builders accept the credential as a parameter
    SecretClient client = new SecretClientBuilder()
        .vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
        .credential(intelliJCredential)
        .buildClient();
}

Authenticating a user account with Visual Studio Code

This example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the VisualStudioCodeCredential on a workstation with Visual Studio Code installed, and the user has signed in with an Azure account.

See more about how to configure your Visual Studio Code in Sign in Visual Studio Code Azure Account Extension for VisualStudioCodeCredential

/**
 * Authenticate with Visual Studio Code.
 */
public void createVisualStudioCodeCredential() {
    VisualStudioCodeCredential visualStudioCodeCredential = new VisualStudioCodeCredentialBuilder().build();

    // Azure SDK client builders accept the credential as a parameter
    SecretClient client = new SecretClientBuilder()
        .vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
        .credential(visualStudioCodeCredential)
        .buildClient();
}

Authenticating in Azure with managed identity

This examples demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the ManagedIdentityCredential in a virtual machine, app service, function app, cloud shell, or AKS environment on Azure, with system assigned, or user assigned managed identity enabled.

see more about how to configure your Azure resource for managed identity in Enable managed identity for Azure resources

/**
 * Authenticate with a managed identity.
 */
public void createManagedIdentityCredential() {
    ManagedIdentityCredential managedIdentityCredential = new ManagedIdentityCredentialBuilder()
        .clientId("<USER ASSIGNED MANAGED IDENTITY CLIENT ID>") // only required for user assigned
        .build();

    // Azure SDK client builders accept the credential as a parameter
    SecretClient client = new SecretClientBuilder()
        .vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
        .credential(managedIdentityCredential)
        .buildClient();
}

Chaining credentials

The ChainedTokenCredential class provides the ability to link together multiple credential instances to be tried sequentially when authenticating. The following example demonstrates creating a credential which will attempt to authenticate using managed identity, and fall back to certificate authentication if a managed identity is unavailable in the current environment. This example authenticates an EventHubClient from the azure-eventhubs client library using the ChainedTokenCredential. There's also a compilable sample to create a Key Vault secret client you can copy-paste.

/**
 * Authenticate with chained credentials.
 */
public void createChainedCredential() {
    ManagedIdentityCredential managedIdentityCredential = new ManagedIdentityCredentialBuilder()
        .clientId("<YOUR_CLIENT_ID>")
        .build();

    ClientSecretCredential secondServicePrincipal = new ClientSecretCredentialBuilder()
        .clientId("<YOUR_CLIENT_ID>")
        .clientSecret("<YOUR_CLIENT_SECRET>")
        .tenantId("<YOUR_TENANT_ID>")
        .build();

    // when an access token is requested, the chain will try each
    // credential in order, stopping when one provides a token
    ChainedTokenCredential credentialChain = new ChainedTokenCredentialBuilder()
        .addLast(managedIdentityCredential)
        .addLast(secondServicePrincipal)
        .build();

    // Azure SDK client builders accept the credential as a parameter
    SecretClient client = new SecretClientBuilder()
        .vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
        .credential(credentialChain)
        .buildClient();
}

Authenticating With Azure Stack using Azure Identity

Determine the Azure Authority Host for Azure Stack

If you don't know the Azure Authority Host of your Azure Stack, follow the instructions here:

In powershell run this command or have your Azure Stack Administrator run this command:

Get-AzEnvironment -Name <Name-of-Azure-Stack-Instance>

The output will be in the following format:

Name Resource-Manager-Url ActiveDirectory-Authority
---- -------------------- ------------------------- 
<Name> <Resource-Manager-Url> <ActiveDirectory-Authority>

The ActiveDirectory Authority in the output will be your Azure Authoirty Host

Determine the Tenant Id for Azure Stack

If the Identity provider of your Azure Stack is Azure Active Directory (Azure AD) then contact your Azure Stack Administrator to find out your tenant Id. else, if the Identity provider of your Azure Stack is Active Directory Federation Services (AD FS) then your tenant id is adfs.

Authentication example

Code Setup

In the Code Setup below, we use the Azure Identity client library to connect to the Azure Key Vault hosted in Azure Stack and then create a secret in the Key Vault.

public static void main(String[] args) {

    String vaultUrl = "<Vault-URL-Of-KeyVault-Instance-In-AzureStack";
   
    ClientSecretCredential credential = new ClientSecretCredentialBuilder()
                                        .authorityHost("Azure Stack Authority Host From Previous Step")
                                        .tenantId("Tenant Id from previous step")
                                        .clientSecret("Your-Service-Principal-Client-Secret")
                                        .clientId("Your-Service-Principal-Client-Id")
                                        .build();

    SecretClient secretClient = new SecretClientBuilder()
                                        .vaultUrl(vaultUrl)
                                        .credential(credential)
                                        .buildClient();

    KeyVaultSecret secret = secretClient.setSecret("DummySecret", "DummyValue");

    System.out.println(String.format("Successfully created the secret with name %s and value %s",
            secret.getName(), secret.getValue()));

}

Authenticating With MSAL As Token Credential

As an end-user, it is possible for you to create your custom TokenCredential implementation that directly utilizes the MSAL clients and returns an AccessToken. This can be useful if you're looking to bypass the Identity library and utilize MSAL directly for Authentication in Azure SDKs as TokenCredential.

Code Setup

In the Code Setup below, we use the Msal4j library to retrieve an AccessToken as a TokenCredential.

    TokenCredential credential = tokenRequestContext -> {
        return Mono.defer(() -> {
            String authorityUrl = AzureAuthorityHosts.AZURE_PUBLIC_CLOUD + "/" + "<YOUR-TENANT>";
            PublicClientApplication.Builder publicClientApplicationBuilder = PublicClientApplication.builder("YOUR-CLIENT-ID");

            try {
                publicClientApplicationBuilder = publicClientApplicationBuilder.authority(authorityUrl);
            } catch (MalformedURLException e) {
                return Mono.error(e);
            }

            PublicClientApplication application = publicClientApplicationBuilder.build();
            UserNamePasswordParameters.UserNamePasswordParametersBuilder userNamePasswordParametersBuilder =
                    UserNamePasswordParameters.builder(new HashSet<>(tokenRequestContext.getScopes()),
                            "Your-Username", "Your-Password".toCharArray());

            return Mono.fromFuture(application.acquireToken(userNamePasswordParametersBuilder.build()));
        }).map(result -> new AccessToken(result.accessToken(),
                OffsetDateTime.ofInstant(result.expiresOnDate().toInstant(), ZoneOffset.UTC)));
    AccessToken accessToken = credential.getToken(new TokenRequestContext().addScopes("Your-Azure-Service-Scope")).block();
Clone this wiki locally