Persistence token cache for Mac & Linux with new MSAL ext

eng/versioning/external_dependencies.txt

@@ -59,6 +59,7 @@ com.microsoft.azure:azure-mgmt-resources;1.3.0
 com.microsoft.azure:azure-mgmt-storage;1.3.0
 com.microsoft.azure:azure-storage;8.0.0
 com.microsoft.azure:msal4j;1.3.0
+com.microsoft.azure:msal4j-persistence-extension;0.1
 com.sun.activation:jakarta.activation;1.2.1
 io.opentelemetry:opentelemetry-api;0.2.4
 io.opentelemetry:opentelemetry-sdk;0.2.4

eng/versioning/version_client.txt

@@ -20,6 +20,7 @@ com.azure:azure-cosmos-benchmark;4.0.1-beta.1;4.0.1-beta.1
 com.azure:azure-data-appconfiguration;1.1.1;1.2.0-beta.1
 com.azure:azure-e2e;1.0.0-beta.1;1.0.0-beta.1
 com.azure:azure-identity;1.0.4;1.1.0-beta.3
+com.azure:azure-identity-perf;1.0.0-beta.1;1.0.0-beta.1
 com.azure:azure-messaging-eventhubs;5.0.2;5.1.0-beta.1
 com.azure:azure-messaging-eventhubs-checkpointstore-blob;1.0.2;1.1.0-beta.1
 com.azure:azure-messaging-servicebus;7.0.0-beta.1;7.0.0-beta.2

sdk/identity/azure-identity/pom.xml

@@ -34,6 +34,11 @@
       <artifactId>msal4j</artifactId>
       <version>1.3.0</version> <!-- {x-version-update;com.microsoft.azure:msal4j;external_dependency} -->
     </dependency>
+    <dependency>
+      <groupId>com.microsoft.azure</groupId>
+      <artifactId>msal4j-persistence-extension</artifactId>
+      <version>0.1</version> <!-- {x-version-update;com.microsoft.azure:msal4j-persistence-extension;external_dependency} -->
+    </dependency>
     <dependency>
       <groupId>com.nimbusds</groupId>
       <artifactId>oauth2-oidc-sdk</artifactId>
@@ -122,6 +127,7 @@
                     <include>com.azure:*</include>
                     <include>com.nimbusds:oauth2-oidc-sdk</include>
                     <include>com.microsoft.azure:msal4j</include>
+                    <include>com.microsoft.azure:msal4j-persistence-extension</include>
                     <include>org.nanohttpd:nanohttpd</include>
                     <include>net.java.dev.jna</include>
                   </includes>

sdk/identity/azure-identity/src/main/java/com/azure/identity/AadCredentialBuilderBase.java

@@ -70,4 +70,31 @@ public T executorService(ExecutorService executorService) {
         this.identityClientOptions.setExecutorService(executorService);
         return (T) this;
     }
+
+    /**
+     * Sets whether to use an unprotected file specified by <code>cacheFileLocation()</code> instead of
+     * Gnome keyring on Linux. This is false by default.
+     *
+     * @param useUnprotectedFileOnLinux whether to use an unprotected file for cache storage.
+     *
+     * @return The updated T object.
+     */
+    @SuppressWarnings("unchecked")
+    public T useUnprotectedTokenCacheFileOnLinux(boolean useUnprotectedFileOnLinux) {
+        this.identityClientOptions.setUseUnprotectedTokenCacheFileOnLinux(useUnprotectedFileOnLinux);
+        return (T) this;
+    }
+
+    /**
+     * Disable using the shared token cache.
+     *
+     * @param disabled whether to disable using the shared token cache.
+     *
+     * @return The updated identity client options.
+     */
+    @SuppressWarnings("unchecked")
+    public T disableSharedTokenCache(boolean disabled) {
+        this.identityClientOptions.disableSharedTokenCache(disabled);
+        return (T) this;
+    }
 }

sdk/identity/azure-identity/src/main/java/com/azure/identity/ChainedTokenCredential.java

@@ -19,7 +19,21 @@
  *
  * <p><strong>Sample: Construct a ChainedTokenCredential with silent username+password login tried first, then
  * interactive browser login as needed (e.g. when 2FA is turned on in the directory).</strong></p>
- * {@codesnippet com.azure.identity.credential.chainedtokencredential.construct}
+ * <pre>
+ * UsernamePasswordCredential usernamePasswordCredential = new UsernamePasswordCredentialBuilder&#40;&#41;
+ *     .clientId&#40;clientId&#41;
+ *     .username&#40;username&#41;
+ *     .password&#40;password&#41;
+ *     .build&#40;&#41;;
+ * InteractiveBrowserCredential interactiveBrowserCredential = new InteractiveBrowserCredentialBuilder&#40;&#41;
+ *     .clientId&#40;clientId&#41;
+ *     .port&#40;8765&#41;
+ *     .build&#40;&#41;;
+ * ChainedTokenCredential credential = new ChainedTokenCredentialBuilder&#40;&#41;
+ *     .addLast&#40;usernamePasswordCredential&#41;
+ *     .addLast&#40;interactiveBrowserCredential&#41;
+ *     .build&#40;&#41;;
+ * </pre>
  */
 @Immutable
 public class ChainedTokenCredential implements TokenCredential {

sdk/identity/azure-identity/src/main/java/com/azure/identity/ClientCertificateCredential.java

@@ -18,10 +18,23 @@
  * An AAD credential that acquires a token with a client certificate for an AAD application.
  *
  * <p><strong>Sample: Construct a simple ClientCertificateCredential</strong></p>
- * {@codesnippet com.azure.identity.credential.clientcertificatecredential.construct}
+ * <pre>
+ * ClientCertificateCredential credential1 = new ClientCertificateCredentialBuilder&#40;&#41;
+ *     .tenantId&#40;tenantId&#41;
+ *     .clientId&#40;clientId&#41;
+ *     .pemCertificate&#40;&quot;C:&#92;&#92;fakepath&#92;&#92;cert.pem&quot;&#41;
+ *     .build&#40;&#41;;
+ * </pre>
  *
  * <p><strong>Sample: Construct a ClientCertificateCredential behind a proxy</strong></p>
- * {@codesnippet com.azure.identity.credential.clientcertificatecredential.constructwithproxy}
+ * <pre>
+ * ClientCertificateCredential credential2 = new ClientCertificateCredentialBuilder&#40;&#41;
+ *     .tenantId&#40;tenantId&#41;
+ *     .clientId&#40;clientId&#41;
+ *     .pfxCertificate&#40;&quot;C:&#92;&#92;fakepath&#92;&#92;cert.pfx&quot;, &quot;P&#123;@literal @&#125;s$w0rd&quot;&#41;
+ *     .proxyOptions&#40;new ProxyOptions&#40;Type.HTTP, new InetSocketAddress&#40;&quot;10.21.32.43&quot;, 5465&#41;&#41;&#41;
+ *     .build&#40;&#41;;
+ * </pre>
  */
 @Immutable
 public class ClientCertificateCredential implements TokenCredential {

sdk/identity/azure-identity/src/main/java/com/azure/identity/ClientSecretCredential.java

@@ -18,10 +18,23 @@
  * An AAD credential that acquires a token with a client secret for an AAD application.
  *
  * <p><strong>Sample: Construct a simple ClientSecretCredential</strong></p>
- * {@codesnippet com.azure.identity.credential.clientsecretcredential.construct}
+ * <pre>
+ * ClientSecretCredential credential1 = new ClientSecretCredentialBuilder&#40;&#41;
+ *     .tenantId&#40;tenantId&#41;
+ *     .clientId&#40;clientId&#41;
+ *     .clientSecret&#40;clientSecret&#41;
+ *     .build&#40;&#41;;
+ * </pre>
  *
  * <p><strong>Sample: Construct a ClientSecretCredential behind a proxy</strong></p>
- * {@codesnippet com.azure.identity.credential.clientsecretcredential.constructwithproxy}
+ * <pre>
+ * ClientSecretCredential credential2 = new ClientSecretCredentialBuilder&#40;&#41;
+ *     .tenantId&#40;tenantId&#41;
+ *     .clientId&#40;clientId&#41;
+ *     .clientSecret&#40;clientSecret&#41;
+ *     .proxyOptions&#40;new ProxyOptions&#40;Type.HTTP, new InetSocketAddress&#40;&quot;10.21.32.43&quot;, 5465&#41;&#41;&#41;
+ *     .build&#40;&#41;;
+ * </pre>
  */
 @Immutable
 public class ClientSecretCredential implements TokenCredential {

sdk/identity/azure-identity/src/main/java/com/azure/identity/DefaultAzureCredential.java

@@ -22,7 +22,6 @@
  */
 @Immutable
 public final class DefaultAzureCredential extends ChainedTokenCredential {
-
     /**
      * Creates default DefaultAzureCredential instance to use. This will use AZURE_CLIENT_ID,
      * AZURE_CLIENT_SECRET, and AZURE_TENANT_ID environment variables to create a

sdk/identity/azure-identity/src/main/java/com/azure/identity/DefaultAzureCredentialBuilder.java

@@ -120,8 +120,8 @@ private ArrayDeque<TokenCredential> getCredentialsChain() {
         }
 
         if (!excludeSharedTokenCacheCredential) {
-            output.add(new SharedTokenCacheCredential(null, null,
-                "04b07795-8ddb-461a-bbee-02f9e1bf7b46", identityClientOptions));
+            output.add(new SharedTokenCacheCredential(null, "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
+                    null, identityClientOptions));
         }
 
         if (!excludeAzureCliCredential) {

sdk/identity/azure-identity/src/main/java/com/azure/identity/KeyringItemSchema.java

@@ -0,0 +1,34 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.identity;
+
+/**
+ * An expandable enum for types of item schema in a Keyring.
+ */
+public final class KeyringItemSchema {
+    public static final KeyringItemSchema GENERIC_SECRET = new KeyringItemSchema("org.freedesktop.Secret.Generic");
+    public static final KeyringItemSchema NETWORK_PASSWORD = new KeyringItemSchema(
+            "org.gnome.keyring.NetworkPassword");
+    public static final KeyringItemSchema NOTE = new KeyringItemSchema("org.gnome.keyring.Note");
+
+    private final String value;
+
+    private KeyringItemSchema(String value) {
+        this.value = value;
+    }
+
+    /**
+     * Parses a String into a new Keyring schema.
+     * @param schema the full name of the schema
+     * @return the KeyringItemSchema enum representing this schema
+     */
+    public static KeyringItemSchema fromString(String schema) {
+        return new KeyringItemSchema(schema);
+    }
+
+    @Override
+    public String toString() {
+        return value;
+    }
+}

sdk/identity/azure-identity/src/main/java/com/azure/identity/SharedTokenCacheCredential.java

@@ -7,22 +7,11 @@
 import com.azure.core.credential.TokenCredential;
 import com.azure.core.credential.TokenRequestContext;
 import com.azure.core.util.Configuration;
+import com.azure.identity.implementation.IdentityClient;
+import com.azure.identity.implementation.IdentityClientBuilder;
 import com.azure.identity.implementation.IdentityClientOptions;
-import com.azure.identity.implementation.msalextensions.PersistentTokenCacheAccessAspect;
-import com.microsoft.aad.msal4j.IAccount;
-import com.microsoft.aad.msal4j.IAuthenticationResult;
-import com.microsoft.aad.msal4j.PublicClientApplication;
-import com.microsoft.aad.msal4j.SilentParameters;
 import reactor.core.publisher.Mono;
 
-import java.net.MalformedURLException;
-import java.time.ZoneOffset;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.concurrent.CompletableFuture;
-import java.util.stream.Collectors;
-
 /**
  * A credential provider that provides token credentials from the MSAL shared token cache.
  * Requires a username and client Id. If a username is not provided, then the
@@ -34,7 +23,7 @@ public class SharedTokenCacheCredential implements TokenCredential {
     private final String tenantId;
     private final IdentityClientOptions options;
 
-    private PublicClientApplication pubClient = null;
+    private final IdentityClient identityClient;
 
     /**
      * Creates an instance of the Shared Token Cache Credential Provider.
@@ -64,86 +53,18 @@ public class SharedTokenCacheCredential implements TokenCredential {
             this.tenantId = tenantId;
         }
         this.options = identityClientOptions;
+        this.identityClient = new IdentityClientBuilder()
+                .tenantId(this.tenantId)
+                .clientId(this.clientId)
+                .identityClientOptions(identityClientOptions)
+                .build();
     }
 
     /**
      * Gets token from shared token cache
      * */
     @Override
     public Mono<AccessToken> getToken(TokenRequestContext request) {
-        String authorityUrl = options.getAuthorityHost().replaceAll("/+$", "") + "/" + tenantId + "/";
-        // Initialize here so that the constructor doesn't throw
-        if (pubClient == null) {
-            try {
-                PersistentTokenCacheAccessAspect accessAspect = new PersistentTokenCacheAccessAspect();
-                PublicClientApplication.Builder applicationBuilder =  PublicClientApplication.builder(this.clientId);
-                if (options.getExecutorService() != null) {
-                    applicationBuilder.executorService(options.getExecutorService());
-                }
-
-                pubClient = applicationBuilder
-                    .authority(authorityUrl)
-                    .setTokenCacheAccessAspect(accessAspect)
-                    .build();
-            } catch (Exception e) {
-                return Mono.error(e);
-            }
-        }
-
-        // find if the Public Client app with the requested username exists
-        return Mono.fromFuture(pubClient.getAccounts())
-            .flatMap(set -> {
-                IAccount requestedAccount;
-                Map<String, IAccount> accounts = new HashMap<>(); // home account id -> account
-
-                for (IAccount cached : set) {
-                    if (username == null || username.equals(cached.username())) {
-                        if (!accounts.containsKey(cached.homeAccountId())) { // only put the first one
-                            accounts.put(cached.homeAccountId(), cached);
-                        }
-                    }
-                }
-
-                if (accounts.size() == 0) {
-                    if (username == null) {
-                        return Mono.error(new RuntimeException("No accounts were discovered in the shared token cache."
-                            + " To fix, authenticate through tooling supporting azure developer sign on."));
-                    } else {
-                        return Mono.error(new RuntimeException(String.format("User account '%s' was not found in the "
-                            + "shared token cache. Discovered Accounts: [ '%s' ]", username, set.stream()
-                            .map(IAccount::username).distinct().collect(Collectors.joining(", ")))));
-                    }
-                } else if (accounts.size() > 1) {
-                    if (username == null) {
-                        return Mono.error(new RuntimeException("Multiple accounts were discovered in the shared token "
-                            + "cache. To fix, set the AZURE_USERNAME and AZURE_TENANT_ID environment variable to the "
-                            + "preferred username, or specify it when constructing SharedTokenCacheCredential."));
-                    } else {
-                        return Mono.error(new RuntimeException("Multiple entries for the user account " + username
-                            + " were found in the shared token cache. This is not currently supported by the"
-                            + " SharedTokenCacheCredential."));
-                    }
-                } else {
-                    requestedAccount = accounts.values().iterator().next();
-                }
-
-                // if it does, then request the token
-                SilentParameters params = SilentParameters.builder(
-                        new HashSet<>(request.getScopes()), requestedAccount)
-                    .authorityUrl(authorityUrl)
-                    .build();
-
-                CompletableFuture<IAuthenticationResult> future;
-                try {
-                    future = pubClient.acquireTokenSilently(params);
-                    return Mono.fromFuture(() -> future).map(result ->
-                        new AccessToken(result.accessToken(),
-                            result.expiresOnDate().toInstant().atOffset(ZoneOffset.UTC)));
-
-                } catch (MalformedURLException e) {
-                    e.printStackTrace();
-                    return Mono.error(new RuntimeException("Token was not found"));
-                }
-            });
+        return identityClient.authenticateWithSharedTokenCache(request, username);
     }
 }

sdk/identity/azure-identity/src/main/java/com/azure/identity/SharedTokenCacheCredentialBuilder.java

@@ -11,7 +11,6 @@
 public class SharedTokenCacheCredentialBuilder extends AadCredentialBuilderBase<SharedTokenCacheCredentialBuilder> {
     private String username;
 
-
     /**
      * Sets the username for the account.
      *