Azure.Identity Improvements for Java (June - October 2021)

[joshfree]

Azure.Identity June - October 2021 Releases

June Release Cycle - Start Early Feature Design for Nickel Beta-1

Design: Beta-1 Features

1. Feature: Support Tenant Id Challenges / Hints tenant-hint.md

   • Support Key Vaults across multiple tenants
   • Address common issues when customers use VS/VSCode credentials with multiple credentials signed in

2. Feature: Add support for Managed Identity regional AAD authentication endpoints #20027
   - The [guidance] from the Azure IAM wiki for service teams using MI is to authenticate using a regional endpoint (e.g. https://eastus2euap.login.microsoft.com). However, the MSAL example given in the wiki uses APIs that are not currently exposed/used by [MsalConfidentialClient], namely WithAuthority(Uri, bool) and WithInstanceDicoveryMetadata(string).
   - Today, when using the regional AAD endpoint with Azure.Identity (using a [ClientCertificateCredential]), we see an error Application error - the login request was malformed and could not be matched with an existing authentication endpoint or instance. The error goes away when using a global endpoint (https://login.microsoftonline.com/).

3. Feature: Support overriding MSI_ENDPOINT for dev-time debugging for the Azure Kubernetes Service team #670
   - The Bridge to Kubernetes enables a user to natively debug one microservice on their local machine when "bridged" to other microservices running in Kubernetes. AKS is looking for an environment variable that can be overridden to specify a custom managed identity endpoint. This is required so that when the user's locally running code tries to call the managed identity endpoint for a token, they are able to intercept it and redirect the call to the cluster so that the token can be fetched from the endpoint on the cluster.

4. Feature: Allow Pre-populated account name in browser during interactive login #16983

   • Draft C# PR: https://github.com/azure/azure-sdk-fornet/pull/21082

5. Nickel Community Feature Requests related to StaticTokenCredential / token helper methods

• Feature: Expose Credential type for DefaultAzureCredential and ChainedTokenCredential
  - Enables users know which credential type is being used. #8948
• Feature: Add new StaticTokenCredential type (prototype PR)
  - Encapsulate an AAD credential with a prefetched token for an AAD application.
• Request: Add support for fetching an access token from a refresh token
• Request: provide the functionality of building a token credential from (a: existing credential, b: tenant id) for refresh token based credentials: InteractiveBrowserCredential and DeviceCodeCredential, VisualStudioCodeCredential (request)
• Request: provide the functionality of setting tenant id for AzureCliCredential (request)
• Request: provide a valid token in VisualStudioCodeCredentialBuilder without tenant id, use this token we can list the tenants (request)
• Request: provide the functionality of listing cached account(azure environment, tenant id, user name, client id) for SharedTokenCacheCredential (request)

July Release Cycle - Beta-1 Feature Development

Code: Beta-1 Features

1. Support Tenant Id Challenges / Hints
2. Add support for Managed Identity regional AAD authentication endpoints
3. MSI_ENDPOINT override via an API for the AKS team
4. Allow Pre-populated account name in browser during interactive login

Design: Beta-2 Features

1. Feature: Add On-Behalf-Of (OBO) Auth Flow for the Microsoft Graph Team tracking issue

   • The OAuth 2.0 On-Behalf-Of flow (OBO) serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform, on behalf of the user.
   • Prototype: Implement both StaticTokenCredential and OnBehalfOfCredential for java jongio/azidext#41

2. Feature: Create AzureApplicationCredential for the MS Graph Team #20364

August Release Cycle - Beta-2 Feature Development

Code: Beta-2 Features

1. Create AzureApplicationCredential
2. Community Feature Requests related to StaticTokenCredential / Token convenience methods

September Release Cycle - Beta-3 Features

1. On-Behalf-Of (OBO) Auth Flow Support
2. Support exchanging k8s token to AAD token Support exchanging k8s token to AAD token azure-sdk-for-net#21939
3. Nickel Community Feature Requests related to StaticTokenCredential / token helper methods #22361

October Release Cycle - GA Release

1. Final Review of README.md / Quick Starts / Samples / Documentation for cross-language consistency
   • Emphases on updating sections for new features and champion scenarios

November Release Cycle - Buffer

Related Work Items

• .NET - Azure.Identity Improvements for .NET (June - October 2021) azure-sdk-for-net#19404
• Java - Azure.Identity Improvements for Java (June - October 2021) #19734
• Python - Azure.Identity Improvements for Python (June - October 2021) azure-sdk-for-python#17217
• JS - Azure.Identity Improvements for JavaScript (June - October 2021) azure-sdk-for-js#14210