Add Token Caching Support For Managed Identity (#30282)

eng/versioning/external_dependencies.txt

@@ -199,7 +199,7 @@ com.microsoft.azure:azure-mgmt-resources;1.3.0
 com.microsoft.azure:azure-mgmt-search;1.24.1
 com.microsoft.azure:azure-mgmt-storage;1.3.0
 com.microsoft.azure:azure-storage;8.0.0
-com.microsoft.azure:msal4j;1.12.0
+com.microsoft.azure:msal4j;1.13.0
 com.microsoft.azure:msal4j-persistence-extension;1.1.0
 com.sun.activation:jakarta.activation;1.2.2
 io.opentelemetry:opentelemetry-api;1.14.0

sdk/eventhubs/microsoft-azure-eventhubs-eph/pom.xml

@@ -64,7 +64,7 @@
     <dependency>
       <groupId>com.microsoft.azure</groupId>
       <artifactId>msal4j</artifactId>
-      <version>1.12.0</version> <!-- {x-version-update;com.microsoft.azure:msal4j;external_dependency} -->
+      <version>1.13.0</version> <!-- {x-version-update;com.microsoft.azure:msal4j;external_dependency} -->
       <scope>test</scope>
     </dependency>
     <dependency>

sdk/eventhubs/microsoft-azure-eventhubs-extensions/pom.xml

@@ -68,7 +68,7 @@
       <dependency>
         <groupId>com.microsoft.azure</groupId>
         <artifactId>msal4j</artifactId>
-        <version>1.12.0</version> <!-- {x-version-update;com.microsoft.azure:msal4j;external_dependency} -->
+        <version>1.13.0</version> <!-- {x-version-update;com.microsoft.azure:msal4j;external_dependency} -->
         <scope>test</scope>
       </dependency>
       <dependency>

sdk/eventhubs/microsoft-azure-eventhubs/pom.xml

@@ -77,7 +77,7 @@
     <dependency>
       <groupId>com.microsoft.azure</groupId>
       <artifactId>msal4j</artifactId>
-      <version>1.12.0</version> <!-- {x-version-update;com.microsoft.azure:msal4j;external_dependency} -->
+      <version>1.13.0</version> <!-- {x-version-update;com.microsoft.azure:msal4j;external_dependency} -->
       <scope>test</scope>
     </dependency>
     <dependency>

sdk/identity/azure-identity/CHANGELOG.md

@@ -1,17 +1,18 @@
 # Release History
 
-## 1.6.0-beta.1 (Unreleased)
+## 1.6.0-beta.1 (2022-08-12)
 
 ### Features Added
 
 - `EnvironmentCredential` will read the environment variable `AZURE_CLIENT_CERTIFICATE_PASSWORD` for a `pem`/`pfx` certificate specified by `AZURE_CLIENT_CERTIFICATE_PATH`. 
+-  Added support for in-memory token caching in `ManagedIdentityCredential`. 
 
 ### Breaking Changes
 - Removed `VisualStudioCodeCredential` from `DefaultAzureCredential` token chain. [Issue 27364](https://github.com/Azure/azure-sdk-for-java/issues/27364) tracks this.
 
-### Bugs Fixed
-
 ### Other Changes
+#### Dependency Updates
+- Upgraded `msal4j` from `1.12.0` to version `1.13.0`.
 
 ## 1.5.4 (2022-08-08)
 

sdk/identity/azure-identity/pom.xml

@@ -43,7 +43,7 @@
     <dependency>
       <groupId>com.microsoft.azure</groupId>
       <artifactId>msal4j</artifactId>
-      <version>1.12.0</version> <!-- {x-version-update;com.microsoft.azure:msal4j;external_dependency} -->
+      <version>1.13.0</version> <!-- {x-version-update;com.microsoft.azure:msal4j;external_dependency} -->
     </dependency>
     <dependency>
       <groupId>com.microsoft.azure</groupId>
@@ -122,7 +122,7 @@
           <rules>
             <bannedDependencies>
               <includes>
-                <include>com.microsoft.azure:msal4j:[1.12.0]</include> <!-- {x-include-update;com.microsoft.azure:msal4j;external_dependency} -->
+                <include>com.microsoft.azure:msal4j:[1.13.0]</include> <!-- {x-include-update;com.microsoft.azure:msal4j;external_dependency} -->
                 <include>com.microsoft.azure:msal4j-persistence-extension:[1.1.0]</include> <!-- {x-include-update;com.microsoft.azure:msal4j-persistence-extension;external_dependency} -->
                 <include>net.java.dev.jna:jna-platform:[5.6.0]</include> <!-- {x-include-update;net.java.dev.jna:jna-platform;external_dependency} -->
                 <include>org.linguafranca.pwdb:KeePassJava2:[2.1.4]</include> <!-- {x-include-update;org.linguafranca.pwdb:KeePassJava2;external_dependency} -->

sdk/identity/azure-identity/src/main/java/com/azure/identity/AksExchangeTokenCredential.java

@@ -33,6 +33,6 @@ public Mono<AccessToken> authenticate(TokenRequestContext request) {
                 + " 'AZURE_CLIENT_ID' environment variable or through the credential builder."
                 + " Please ensure client id is provided to authenticate via token exchange in AKS environment.")));
         }
-        return identityClient.authenticateWithExchangeToken(request);
+        return identityClient.authenticateWithManagedIdentityConfidentialClient(request);
     }
 }

sdk/identity/azure-identity/src/main/java/com/azure/identity/AppServiceMsiCredential.java

@@ -51,8 +51,6 @@ class AppServiceMsiCredential extends ManagedIdentityServiceCredential {
      * @return A publisher that emits an {@link AccessToken}.
      */
     public Mono<AccessToken> authenticate(TokenRequestContext request) {
-        return identityClient.authenticateToManagedIdentityEndpoint(identityEndpoint, identityHeader,
-            msiEndpoint, msiSecret,
-            request);
+        return identityClient.authenticateWithManagedIdentityConfidentialClient(request);
     }
 }

sdk/identity/azure-identity/src/main/java/com/azure/identity/ArcIdentityCredential.java

@@ -49,6 +49,6 @@ public Mono<AccessToken> authenticate(TokenRequestContext request) {
                     + "with the system assigned identity omit the client id when constructing the"
                     + " ManagedIdentityCredential.", null)));
         }
-        return identityClient.authenticateToArcManagedIdentityEndpoint(identityEndpoint, request);
+        return identityClient.authenticateWithManagedIdentityConfidentialClient(request);
     }
 }

sdk/identity/azure-identity/src/main/java/com/azure/identity/ManagedIdentityCredential.java

@@ -11,6 +11,8 @@
 import com.azure.core.util.logging.ClientLogger;
 import com.azure.identity.implementation.IdentityClientBuilder;
 import com.azure.identity.implementation.IdentityClientOptions;
+import com.azure.identity.implementation.ManagedIdentityParameters;
+import com.azure.identity.implementation.ManagedIdentityType;
 import com.azure.identity.implementation.util.LoggingUtil;
 import reactor.core.publisher.Mono;
 
@@ -48,7 +50,6 @@ public final class ManagedIdentityCredential implements TokenCredential {
         Configuration configuration = identityClientOptions.getConfiguration() == null
             ? Configuration.getGlobalConfiguration().clone() : identityClientOptions.getConfiguration();
 
-
         /*
          * Choose credential based on available environment variables in this order:
          *
@@ -62,18 +63,33 @@ public final class ManagedIdentityCredential implements TokenCredential {
          */
 
         if (configuration.contains(Configuration.PROPERTY_MSI_ENDPOINT)) {
-            managedIdentityServiceCredential = new AppServiceMsiCredential(clientId, clientBuilder.build());
+            managedIdentityServiceCredential = new AppServiceMsiCredential(clientId, clientBuilder
+                .identityClientOptions(updateIdentityClientOptions(ManagedIdentityType.APP_SERVICE,
+                    identityClientOptions, configuration))
+                .build());
         } else if (configuration.contains(Configuration.PROPERTY_IDENTITY_ENDPOINT)) {
             if (configuration.contains(Configuration.PROPERTY_IDENTITY_HEADER)) {
                 if (configuration.get(PROPERTY_IDENTITY_SERVER_THUMBPRINT) != null) {
-                    managedIdentityServiceCredential = new ServiceFabricMsiCredential(clientId, clientBuilder.build());
+                    managedIdentityServiceCredential = new ServiceFabricMsiCredential(clientId, clientBuilder
+                        .identityClientOptions(updateIdentityClientOptions(ManagedIdentityType.SERVICE_FABRIC,
+                            identityClientOptions, configuration))
+                        .build());
                 } else {
-                    managedIdentityServiceCredential = new AppServiceMsiCredential(clientId, clientBuilder.build());
+                    managedIdentityServiceCredential = new AppServiceMsiCredential(clientId, clientBuilder
+                        .identityClientOptions(updateIdentityClientOptions(ManagedIdentityType.APP_SERVICE,
+                            identityClientOptions, configuration))
+                        .build());
                 }
             } else if (configuration.get(PROPERTY_IMDS_ENDPOINT) != null) {
-                managedIdentityServiceCredential = new ArcIdentityCredential(clientId, clientBuilder.build());
+                managedIdentityServiceCredential = new ArcIdentityCredential(clientId, clientBuilder
+                    .identityClientOptions(updateIdentityClientOptions(ManagedIdentityType.ARC,
+                        identityClientOptions, configuration))
+                    .build());
             } else {
-                managedIdentityServiceCredential = new VirtualMachineMsiCredential(clientId, clientBuilder.build());
+                managedIdentityServiceCredential = new VirtualMachineMsiCredential(clientId, clientBuilder
+                    .identityClientOptions(updateIdentityClientOptions(ManagedIdentityType.VM,
+                        identityClientOptions, configuration))
+                    .build());
             }
         } else if (configuration.contains(Configuration.PROPERTY_AZURE_TENANT_ID)
                 && configuration.get(AZURE_FEDERATED_TOKEN_FILE) != null) {
@@ -83,13 +99,51 @@ public final class ManagedIdentityCredential implements TokenCredential {
             clientBuilder.tenantId(configuration.get(Configuration.PROPERTY_AZURE_TENANT_ID));
             clientBuilder.clientAssertionPath(configuration.get(AZURE_FEDERATED_TOKEN_FILE));
             clientBuilder.clientAssertionTimeout(Duration.ofMinutes(5));
-            managedIdentityServiceCredential = new AksExchangeTokenCredential(clientIdentifier, clientBuilder.build());
+            managedIdentityServiceCredential = new AksExchangeTokenCredential(clientIdentifier, clientBuilder
+                .identityClientOptions(updateIdentityClientOptions(ManagedIdentityType.AKS,
+                    identityClientOptions, configuration))
+                .build());
         } else {
-            managedIdentityServiceCredential = new VirtualMachineMsiCredential(clientId, clientBuilder.build());
+            managedIdentityServiceCredential = new VirtualMachineMsiCredential(clientId, clientBuilder
+                .identityClientOptions(updateIdentityClientOptions(ManagedIdentityType.VM,
+                    identityClientOptions, configuration))
+                .build());
         }
         LoggingUtil.logAvailableEnvironmentVariables(LOGGER, configuration);
     }
 
+    private IdentityClientOptions updateIdentityClientOptions(ManagedIdentityType managedIdentityType,
+                                             IdentityClientOptions clientOptions, Configuration configuration) {
+        switch (managedIdentityType) {
+            case APP_SERVICE:
+                return clientOptions
+                    .setManagedIdentityType(ManagedIdentityType.APP_SERVICE)
+                    .setManagedIdentityParameters(new ManagedIdentityParameters()
+                        .setMsiEndpoint(configuration.get(Configuration.PROPERTY_MSI_ENDPOINT))
+                        .setMsiSecret(configuration.get(Configuration.PROPERTY_MSI_SECRET))
+                        .setIdentityEndpoint(configuration.get(Configuration.PROPERTY_IDENTITY_ENDPOINT))
+                        .setIdentityHeader(configuration.get(Configuration.PROPERTY_IDENTITY_HEADER)));
+            case SERVICE_FABRIC:
+                return clientOptions
+                    .setManagedIdentityType(ManagedIdentityType.SERVICE_FABRIC)
+                    .setManagedIdentityParameters(new ManagedIdentityParameters()
+                        .setIdentityServerThumbprint(configuration.get(PROPERTY_IDENTITY_SERVER_THUMBPRINT))
+                        .setIdentityEndpoint(configuration.get(Configuration.PROPERTY_IDENTITY_ENDPOINT))
+                        .setIdentityHeader(configuration.get(Configuration.PROPERTY_IDENTITY_HEADER)));
+            case ARC:
+                return clientOptions
+                    .setManagedIdentityType(ManagedIdentityType.ARC)
+                    .setManagedIdentityParameters(new ManagedIdentityParameters()
+                        .setIdentityEndpoint(configuration.get(Configuration.PROPERTY_IDENTITY_ENDPOINT)));
+            case VM:
+                return clientOptions.setManagedIdentityType(ManagedIdentityType.VM);
+            case AKS:
+                return clientOptions.setManagedIdentityType(ManagedIdentityType.AKS);
+            default:
+                return clientOptions;
+        }
+    }
+
     /**
      * Gets the client ID of user assigned or system assigned identity.
      * @return the client ID of user assigned or system assigned identity.

sdk/identity/azure-identity/src/main/java/com/azure/identity/ServiceFabricMsiCredential.java

@@ -49,7 +49,6 @@ class ServiceFabricMsiCredential extends ManagedIdentityServiceCredential {
      * @return A publisher that emits an {@link AccessToken}.
      */
     public Mono<AccessToken> authenticate(TokenRequestContext request) {
-        return identityClient.authenticateToServiceFabricManagedIdentityEndpoint(identityEndpoint, identityHeader,
-            identityServerThumbprint, request);
+        return identityClient.authenticateWithManagedIdentityConfidentialClient(request);
     }
 }

sdk/identity/azure-identity/src/main/java/com/azure/identity/VirtualMachineMsiCredential.java

@@ -31,6 +31,6 @@ class VirtualMachineMsiCredential extends ManagedIdentityServiceCredential {
      * @return A publisher that emits an {@link AccessToken}.
      */
     public Mono<AccessToken> authenticate(TokenRequestContext request) {
-        return identityClient.authenticateToIMDSEndpoint(request);
+        return identityClient.authenticateWithManagedIdentityConfidentialClient(request);
     }
 }