Remove federated_credentials_flow (#2500)

Author: chlowell

sdk/identity/azure_identity/src/client_secret_credential.rs

@@ -1,9 +1,11 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-use crate::{credentials::cache::TokenCache, EntraIdTokenResponse};
-use crate::{EntraIdErrorResponse, TokenCredentialOptions};
-use azure_core::http::{Response, StatusCode};
+use crate::{
+    credentials::cache::TokenCache, deserialize, EntraIdErrorResponse, EntraIdTokenResponse,
+    TokenCredentialOptions,
+};
+use azure_core::http::StatusCode;
 use azure_core::Result;
 use azure_core::{
     credentials::{AccessToken, Secret, TokenCredential},
@@ -19,6 +21,8 @@ use std::{str, sync::Arc};
 use time::OffsetDateTime;
 use url::form_urlencoded;
 
+const CLIENT_SECRET_CREDENTIAL: &str = "ClientSecretCredential";
+
 /// Options for constructing a new [`ClientSecretCredential`].
 #[derive(Debug, Default)]
 pub struct ClientSecretCredentialOptions {
@@ -83,18 +87,24 @@ impl ClientSecretCredential {
 
         match res.status() {
             StatusCode::Ok => {
-                let token_response: EntraIdTokenResponse = deserialize(res).await?;
+                let token_response: EntraIdTokenResponse =
+                    deserialize(CLIENT_SECRET_CREDENTIAL, res).await?;
                 Ok(AccessToken::new(
                     token_response.access_token,
                     OffsetDateTime::now_utc() + Duration::from_secs(token_response.expires_in),
                 ))
             }
             _ => {
-                let error_response: EntraIdErrorResponse = deserialize(res).await?;
-                let mut message = "ClientSecretCredential authentication failed".to_string();
-                if !error_response.error_description.is_empty() {
-                    message = format!("{}: {}", message, error_response.error_description);
-                }
+                let error_response: EntraIdErrorResponse =
+                    deserialize(CLIENT_SECRET_CREDENTIAL, res).await?;
+                let message = if error_response.error_description.is_empty() {
+                    format!("{} authentication failed.", CLIENT_SECRET_CREDENTIAL)
+                } else {
+                    format!(
+                        "{} authentication failed. {}",
+                        CLIENT_SECRET_CREDENTIAL, error_response.error_description
+                    )
+                };
                 Err(Error::message(ErrorKind::Credential, message))
             }
         }
@@ -114,19 +124,6 @@ impl TokenCredential for ClientSecretCredential {
     }
 }
 
-async fn deserialize<T>(res: Response) -> Result<T>
-where
-    T: serde::de::DeserializeOwned,
-{
-    let t: T = res
-        .into_json_body()
-        .await
-        .with_context(ErrorKind::Credential, || {
-            "ClientSecretCredential authentication failed: invalid response"
-        })?;
-    Ok(t)
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;

sdk/identity/azure_identity/src/credentials/client_assertion_credentials.rs

@@ -1,22 +1,34 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-use crate::{credentials::cache::TokenCache, federated_credentials_flow, TokenCredentialOptions};
+use crate::{
+    credentials::cache::TokenCache, deserialize, validate_not_empty, validate_tenant_id,
+    EntraIdErrorResponse, EntraIdTokenResponse, TokenCredentialOptions,
+};
 use azure_core::{
     credentials::{AccessToken, TokenCredential},
     error::{ErrorKind, ResultExt},
+    http::{
+        headers::{self, content_type},
+        Method, Request, StatusCode, Url,
+    },
+    Error,
 };
 use std::{fmt::Debug, str, sync::Arc, time::Duration};
 use time::OffsetDateTime;
+use url::form_urlencoded;
+
+const ASSERTION_TYPE: &str = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+const CLIENT_ASSERTION_CREDENTIAL: &str = "ClientAssertionCredential";
 
 /// Enables authentication of a Microsoft Entra service principal using a signed client assertion.
 #[derive(Debug)]
 pub struct ClientAssertionCredential<C> {
-    tenant_id: String,
     client_id: String,
+    endpoint: Url,
     assertion: C,
     cache: TokenCache,
-    options: ClientAssertionCredentialOptions,
+    options: TokenCredentialOptions,
 }
 
 /// Options for constructing a new [`ClientAssertionCredential`].
@@ -68,59 +80,92 @@ impl<C: ClientAssertion> ClientAssertionCredential<C> {
         assertion: C,
         options: Option<ClientAssertionCredentialOptions>,
     ) -> azure_core::Result<Self> {
+        validate_tenant_id(&tenant_id)?;
+        validate_not_empty(&client_id, "no client ID specified")?;
+        let options = options.unwrap_or_default().credential_options;
+        let endpoint = options
+            .authority_host()?
+            .join(&format!("/{tenant_id}/oauth2/v2.0/token"))
+            .with_context(ErrorKind::DataConversion, || {
+                format!("tenant_id {tenant_id} could not be URL encoded")
+            })?;
         Ok(Self {
-            tenant_id,
             client_id,
             assertion,
+            endpoint,
             cache: TokenCache::new(),
-            options: options.unwrap_or_default(),
+            options,
         })
     }
 
-    async fn get_token(&self, scopes: &[&str]) -> azure_core::Result<AccessToken> {
-        let token = self.assertion.secret().await?;
-        let credential_options = &self.options.credential_options;
-        let res: AccessToken = federated_credentials_flow::authorize(
-            credential_options.http_client().clone(),
-            &self.client_id,
-            &token,
-            scopes,
-            &self.tenant_id,
-            &credential_options.authority_host()?,
-        )
-        .await
-        .map(|r| {
-            AccessToken::new(
-                r.access_token().clone(),
-                OffsetDateTime::now_utc() + Duration::from_secs(r.expires_in),
-            )
-        })
-        .context(ErrorKind::Credential, "request token error")?;
-        Ok(res)
+    async fn get_token_impl(&self, scopes: &[&str]) -> azure_core::Result<AccessToken> {
+        let mut req = Request::new(self.endpoint.clone(), Method::Post);
+        req.insert_header(
+            headers::CONTENT_TYPE,
+            content_type::APPLICATION_X_WWW_FORM_URLENCODED,
+        );
+        let assertion = self.assertion.secret().await?;
+        let encoded: String = form_urlencoded::Serializer::new(String::new())
+            .append_pair("client_assertion", assertion.as_str())
+            .append_pair("client_assertion_type", ASSERTION_TYPE)
+            .append_pair("client_id", self.client_id.as_str())
+            .append_pair("grant_type", "client_credentials")
+            .append_pair("scope", &scopes.join(" "))
+            .finish();
+        req.set_body(encoded);
+
+        let res = self.options.http_client.execute_request(&req).await?;
+
+        match res.status() {
+            StatusCode::Ok => {
+                let token_response: EntraIdTokenResponse =
+                    deserialize(CLIENT_ASSERTION_CREDENTIAL, res).await?;
+                Ok(AccessToken::new(
+                    token_response.access_token,
+                    OffsetDateTime::now_utc() + Duration::from_secs(token_response.expires_in),
+                ))
+            }
+            _ => {
+                let error_response: EntraIdErrorResponse =
+                    deserialize(CLIENT_ASSERTION_CREDENTIAL, res).await?;
+                let message = if error_response.error_description.is_empty() {
+                    format!("{} authentication failed.", CLIENT_ASSERTION_CREDENTIAL)
+                } else {
+                    format!(
+                        "{} authentication failed. {}",
+                        CLIENT_ASSERTION_CREDENTIAL, error_response.error_description
+                    )
+                };
+                Err(Error::message(ErrorKind::Credential, message))
+            }
+        }
     }
 }
 
 #[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
 #[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
 impl<C: ClientAssertion> TokenCredential for ClientAssertionCredential<C> {
     async fn get_token(&self, scopes: &[&str]) -> azure_core::Result<AccessToken> {
-        self.cache.get_token(scopes, self.get_token(scopes)).await
+        self.cache
+            .get_token(scopes, self.get_token_impl(scopes))
+            .await
     }
 }
 
 #[cfg(test)]
 pub(crate) mod tests {
-    use std::collections::HashMap;
-
     use super::*;
     use crate::tests::*;
     use azure_core::{
         authority_hosts::AZURE_PUBLIC_CLOUD,
         http::{
-            headers::{self, content_type},
-            Body, Method, Request,
+            headers::{self, content_type, Headers},
+            Body, Method, Request, Response,
         },
+        Bytes,
     };
+    use std::{collections::HashMap, time::SystemTime};
+    use time::UtcOffset;
     use url::form_urlencoded;
 
     pub const FAKE_ASSERTION: &str = "fake assertion";
@@ -140,10 +185,7 @@ pub(crate) mod tests {
             );
             let expected_params = [
                 ("client_assertion", FAKE_ASSERTION),
-                (
-                    "client_assertion_type",
-                    "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
-                ),
+                ("client_assertion_type", ASSERTION_TYPE),
                 ("client_id", FAKE_CLIENT_ID),
                 ("grant_type", "client_credentials"),
                 ("scope", &LIVE_TEST_SCOPES.join(" ")),
@@ -166,4 +208,96 @@ pub(crate) mod tests {
             Ok(())
         }
     }
+
+    #[derive(Debug)]
+    struct MockAssertion {}
+
+    #[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
+    #[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
+    impl ClientAssertion for MockAssertion {
+        async fn secret(&self) -> azure_core::Result<String> {
+            Ok(FAKE_ASSERTION.to_string())
+        }
+    }
+
+    #[tokio::test]
+    async fn get_token_error() {
+        let expected = "error description from the response";
+        let mock = MockSts::new(
+            vec![Response::from_bytes(
+                StatusCode::BadRequest,
+                Headers::default(),
+                Bytes::from(format!(
+                    r#"{{"error":"invalid_request","error_description":"{}","error_codes":[50027],"timestamp":"2025-04-18 16:04:37Z","trace_id":"...","correlation_id":"...","error_uri":"https://login.microsoftonline.com/error?code=50027"}}"#,
+                    expected
+                )),
+            )],
+            Some(Arc::new(is_valid_request())),
+        );
+        let credential = ClientAssertionCredential::new(
+            FAKE_TENANT_ID.to_string(),
+            FAKE_CLIENT_ID.to_string(),
+            MockAssertion {},
+            Some(ClientAssertionCredentialOptions {
+                credential_options: TokenCredentialOptions {
+                    http_client: Arc::new(mock),
+                    ..Default::default()
+                },
+                ..Default::default()
+            }),
+        )
+        .expect("valid credential");
+
+        let error = credential
+            .get_token(LIVE_TEST_SCOPES)
+            .await
+            .expect_err("authentication error");
+        assert!(matches!(error.kind(), ErrorKind::Credential));
+        assert!(
+            error.to_string().contains(expected),
+            "expected error description from the response, got '{}'",
+            error
+        );
+    }
+
+    #[tokio::test]
+    async fn get_token_success() {
+        let mock = MockSts::new(
+            vec![Response::from_bytes(
+                StatusCode::Ok,
+                Headers::default(),
+                Bytes::from(format!(
+                    r#"{{"access_token":"{}","expires_in":3600,"token_type":"Bearer"}}"#,
+                    FAKE_TOKEN
+                )),
+            )],
+            Some(Arc::new(is_valid_request())),
+        );
+        let credential = ClientAssertionCredential::new(
+            FAKE_TENANT_ID.to_string(),
+            FAKE_CLIENT_ID.to_string(),
+            MockAssertion {},
+            Some(ClientAssertionCredentialOptions {
+                credential_options: TokenCredentialOptions {
+                    http_client: Arc::new(mock),
+                    ..Default::default()
+                },
+                ..Default::default()
+            }),
+        )
+        .expect("valid credential");
+
+        let token = credential.get_token(LIVE_TEST_SCOPES).await.expect("token");
+        assert_eq!(FAKE_TOKEN, token.token.secret());
+        assert!(token.expires_on > SystemTime::now());
+        assert_eq!(UtcOffset::UTC, token.expires_on.offset());
+
+        // MockSts will return an error if the credential sends another request
+        let cached_token = credential
+            .get_token(LIVE_TEST_SCOPES)
+            .await
+            .expect("cached token");
+        assert_eq!(token.token.secret(), cached_token.token.secret());
+        assert_eq!(token.expires_on, cached_token.expires_on);
+    }
 }