Credentials get authority host from CloudConfiguration (#3115)

Author: chlowell

sdk/core/azure_core/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Release History
 
+## 0.30.0 (Unreleased)
+
+### Features Added
+
+### Breaking Changes
+
+- Removed `constants` module.
+
+### Bugs Fixed
+
+### Other Changes
+
 ## 0.29.1 (2025-10-06)
 
 ### Breaking Changes

sdk/core/azure_core/src/constants.rs

@@ -11,16 +11,13 @@
 mod macros;
 
 pub mod cloud;
-mod constants;
 pub mod credentials;
 pub mod error;
 pub mod hmac;
 pub mod http;
 #[cfg(feature = "test")]
 pub mod test;
 
-pub use constants::*;
-
 // Re-export modules in typespec_client_core such that azure_core-based crates don't need to reference it directly.
 pub use typespec_client_core::{
     async_runtime, base64, fmt, json, sleep, stream, time, Bytes, Error, Result, Uuid,

sdk/core/azure_core/src/lib.rs

@@ -6,6 +6,11 @@
 
 ### Breaking Changes
 
+- `ClientCertificateCredential::new()` takes `Option<ClientCertificateCredentialOptions>` instead of `impl Into<ClientCertificateCredentialOptions>`.
+- Credential constructors return an error when given a non-HTTPS authority host.
+- Renamed `ClientCertificateCredential::new()` parameter `client_certificate_pass` to `client_certificate_password`.
+- Replaced credential-specific `authority_host` options with `azure_core::cloud::CloudConfiguration` configured via `ClientOptions.cloud`.
+
 ### Bugs Fixed
 
 ### Other Changes

sdk/identity/azure_identity/CHANGELOG.md

@@ -40,11 +40,6 @@ pub struct ClientAssertionCredentialOptions {
     /// Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the application is registered.
     pub additionally_allowed_tenants: Vec<String>,
 
-    /// The base URL for token requests.
-    ///
-    /// The default is `https://login.microsoftonline.com`.
-    pub authority_host: Option<String>,
-
     /// Should be set true only by applications authenticating in disconnected clouds, or private clouds such as Azure Stack.
     ///
     /// It determines whether the credential requests Microsoft Entra instance metadata
@@ -89,7 +84,7 @@ impl<C: ClientAssertion> ClientAssertionCredential<C> {
         validate_tenant_id(&tenant_id)?;
         validate_not_empty(&client_id, "no client ID specified")?;
         let options = options.unwrap_or_default();
-        let authority_host = get_authority_host(None, options.authority_host)?;
+        let authority_host = get_authority_host(None, options.client_options.cloud.as_deref())?;
         let endpoint = authority_host
             .join(&format!("/{tenant_id}/oauth2/v2.0/token"))
             .with_context_fn(ErrorKind::DataConversion, || {
@@ -98,7 +93,7 @@ impl<C: ClientAssertion> ClientAssertionCredential<C> {
         let pipeline = Pipeline::new(
             option_env!("CARGO_PKG_NAME"),
             option_env!("CARGO_PKG_VERSION"),
-            options.client_options.clone(),
+            options.client_options,
             Vec::default(),
             Vec::default(),
             None,
@@ -194,7 +189,6 @@ pub(crate) mod tests {
     use super::*;
     use crate::tests::*;
     use azure_core::{
-        authority_hosts::AZURE_PUBLIC_CLOUD,
         http::{
             headers::{self, content_type, Headers},
             Body, BufResponse, Method, Request, Transport,
@@ -207,12 +201,10 @@ pub(crate) mod tests {
 
     pub const FAKE_ASSERTION: &str = "fake assertion";
 
-    pub fn is_valid_request() -> impl Fn(&Request) -> azure_core::Result<()> {
-        let expected_url = format!(
-            "{}{}/oauth2/v2.0/token",
-            AZURE_PUBLIC_CLOUD.as_str(),
-            FAKE_TENANT_ID
-        );
+    pub fn is_valid_request(
+        expected_authority: String,
+    ) -> impl Fn(&Request) -> azure_core::Result<()> {
+        let expected_url = format!("{expected_authority}/oauth2/v2.0/token");
         move |req: &Request| {
             assert_eq!(Method::Post, req.method());
             assert_eq!(expected_url, req.url().to_string());
@@ -269,7 +261,9 @@ pub(crate) mod tests {
                     expected
                 )),
             )],
-            Some(Arc::new(is_valid_request())),
+            Some(Arc::new(is_valid_request(
+                FAKE_PUBLIC_CLOUD_AUTHORITY.to_string(),
+            ))),
         );
         let credential = ClientAssertionCredential::new(
             FAKE_TENANT_ID.to_string(),
@@ -300,15 +294,10 @@ pub(crate) mod tests {
     #[tokio::test]
     async fn get_token_success() {
         let mock = MockSts::new(
-            vec![BufResponse::from_bytes(
-                StatusCode::Ok,
-                Headers::default(),
-                Bytes::from(format!(
-                    r#"{{"access_token":"{}","expires_in":3600,"token_type":"Bearer"}}"#,
-                    FAKE_TOKEN
-                )),
-            )],
-            Some(Arc::new(is_valid_request())),
+            vec![token_response()],
+            Some(Arc::new(is_valid_request(
+                FAKE_PUBLIC_CLOUD_AUTHORITY.to_string(),
+            ))),
         );
         let credential = ClientAssertionCredential::new(
             FAKE_TENANT_ID.to_string(),
@@ -340,4 +329,33 @@ pub(crate) mod tests {
         assert_eq!(token.token.secret(), cached_token.token.secret());
         assert_eq!(token.expires_on, cached_token.expires_on);
     }
+
+    #[tokio::test]
+    async fn cloud_configuration() {
+        for (cloud, expected_authority) in cloud_configuration_cases() {
+            let mock = MockSts::new(
+                vec![token_response()],
+                Some(Arc::new(is_valid_request(expected_authority))),
+            );
+            let credential = ClientAssertionCredential::new(
+                FAKE_TENANT_ID.to_string(),
+                FAKE_CLIENT_ID.to_string(),
+                MockAssertion {},
+                Some(ClientAssertionCredentialOptions {
+                    client_options: ClientOptions {
+                        transport: Some(Transport::new(Arc::new(mock))),
+                        cloud: Some(Arc::new(cloud)),
+                        ..Default::default()
+                    },
+                    ..Default::default()
+                }),
+            )
+            .expect("valid credential");
+
+            credential
+                .get_token(LIVE_TEST_SCOPES, None)
+                .await
+                .expect("token");
+        }
+    }
 }

sdk/identity/azure_identity/src/client_assertion_credential.rs

@@ -36,11 +36,6 @@ const AZURE_CLIENT_SEND_CERTIFICATE_CHAIN_ENV_KEY: &str = "AZURE_CLIENT_SEND_CER
 /// requests to Azure Active Directory.
 #[derive(Clone, Debug)]
 pub struct ClientCertificateCredentialOptions {
-    /// The base URL for token requests.
-    ///
-    /// The default is `https://login.microsoftonline.com`.
-    pub authority_host: Option<String>,
-
     /// Options for the credential's HTTP pipeline.
     pub client_options: ClientOptions,
 
@@ -54,7 +49,6 @@ impl Default for ClientCertificateCredentialOptions {
             .map(|s| s == "1" || s.to_lowercase() == "true")
             .unwrap_or(false);
         Self {
-            authority_host: None,
             client_options: ClientOptions::default(),
             send_certificate_chain,
         }
@@ -69,8 +63,8 @@ impl Default for ClientCertificateCredentialOptions {
 #[derive(Debug)]
 pub struct ClientCertificateCredential {
     client_id: String,
-    client_certificate: Secret,
-    client_certificate_pass: Secret,
+    certificate: Secret,
+    password: Secret,
     endpoint: Url,
     pipeline: Pipeline,
     send_certificate_chain: bool,
@@ -83,16 +77,15 @@ impl ClientCertificateCredential {
         tenant_id: String,
         client_id: String,
         client_certificate: C,
-        client_certificate_pass: P,
-        options: impl Into<ClientCertificateCredentialOptions>,
+        client_certificate_password: P,
+        options: Option<ClientCertificateCredentialOptions>,
     ) -> azure_core::Result<Arc<ClientCertificateCredential>>
     where
         C: Into<Secret>,
         P: Into<Secret>,
     {
-        let options = options.into();
-
-        let authority_host = get_authority_host(None, options.authority_host)?;
+        let options = options.unwrap_or_default();
+        let authority_host = get_authority_host(None, options.client_options.cloud.as_deref())?;
         let endpoint = authority_host
             .join(&format!("/{tenant_id}/oauth2/v2.0/token"))
             .with_context_fn(ErrorKind::DataConversion, || {
@@ -110,8 +103,8 @@ impl ClientCertificateCredential {
 
         Ok(Arc::new(ClientCertificateCredential {
             client_id,
-            client_certificate: client_certificate.into(),
-            client_certificate_pass: client_certificate_pass.into(),
+            certificate: client_certificate.into(),
+            password: client_certificate_password.into(),
             endpoint,
             pipeline,
             send_certificate_chain: options.send_certificate_chain,
@@ -154,12 +147,12 @@ impl ClientCertificateCredential {
             ));
         };
 
-        let certificate = base64::decode(self.client_certificate.secret())
+        let certificate = base64::decode(self.certificate.secret())
             .map_err(|_| Error::with_message(ErrorKind::Credential, "Base64 decode failed"))?;
 
         let pkcs12_certificate = Pkcs12::from_der(&certificate)
             .map_err(openssl_error)?
-            .parse2(self.client_certificate_pass.secret())
+            .parse2(self.password.secret())
             .map_err(openssl_error)?;
 
         let Some(cert) = pkcs12_certificate.cert.as_ref() else {