Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Identity] Migration guide (v1 to v2) #17796

Merged
merged 54 commits into from
Oct 7, 2021
Merged
Show file tree
Hide file tree
Changes from 49 commits
Commits
Show all changes
54 commits
Select commit Hold shift + click to select a range
142ab9f
[Identity] Migration guide
sadasant Sep 22, 2021
f1621e5
Apply suggestions from code review
sadasant Sep 23, 2021
e147c61
reference in the README and fixed links
sadasant Sep 23, 2021
b1787a4
Apply suggestions from code review
sadasant Sep 24, 2021
51a6ab1
Feedback by Ramya, and other small polishes
sadasant Sep 26, 2021
d047db6
removed the service fabric note
sadasant Sep 27, 2021
a81cbd4
Separated the changelog entries from the migration guide, and moved t…
sadasant Sep 28, 2021
8eb3514
packages to v2
sadasant Sep 28, 2021
76bc732
fixed bad link -- though these Troubleshooting links wont work until …
sadasant Sep 28, 2021
b29691e
Mentioning the lack of Service Fabric support
sadasant Sep 28, 2021
3ec4a1a
improvements after thorough reading
sadasant Sep 30, 2021
743b030
Update sdk/identity/identity/migration-v1-v2.md
sadasant Sep 30, 2021
d5b2833
improved the CHANGELOG and the migration guide
sadasant Oct 1, 2021
f287566
using the caret
sadasant Oct 1, 2021
c155661
all seems good now
sadasant Oct 1, 2021
0b0c3c3
Merge remote-tracking branch 'Azure/main' into identity/fix17490-migr…
sadasant Oct 1, 2021
80d69ef
Update CHANGELOG.md
sadasant Oct 1, 2021
eb3fcaa
Update CHANGELOG.md
sadasant Oct 1, 2021
379cf6c
Small changes around RegionalAuthority
sadasant Oct 1, 2021
04e92bc
Apply suggestions from code review
sadasant Oct 1, 2021
c3544dc
Apply suggestions from code review
sadasant Oct 5, 2021
4a72cbd
addressed more of the feedback
sadasant Oct 5, 2021
b629b42
Removed references to RegionalAuthorities
sadasant Oct 5, 2021
122b12c
Merge remote-tracking branch 'Azure/main' into identity/fix17490-migr…
sadasant Oct 5, 2021
2f11a8e
moved network change out of breaking changes
sadasant Oct 5, 2021
7e68757
Apply suggestions from code review
sadasant Oct 5, 2021
d74d9ad
[Identity] Disabling regional authority support (#18026)
sadasant Oct 5, 2021
6ba4af3
[ai-form-recognizer] Merge 4.0.0-beta.1 (#18036)
witemple-msft Oct 5, 2021
a07af57
Post release automated changes for keyvault releases (#18034)
azure-sdk Oct 5, 2021
0e677fe
[Schema Registry] Update changelog (#18041)
deyaaeldeen Oct 5, 2021
d39e8a5
[Azure Monitor OpenTelemetry Exporter]Update changelog for 1.0.0-beta…
hectorhdzg Oct 5, 2021
24a742f
fix sample on readme (#18022)
KarishmaGhiya Oct 5, 2021
a56111b
[EventGrid] Update System Events, Prepare for Release (#17977)
ellismg Oct 5, 2021
8031ba2
Handle multiple segments in service directory path (#18015)
azure-sdk Oct 5, 2021
5b3ec12
Post release automated changes for azure-service-bus (#18045)
azure-sdk Oct 5, 2021
ea2ae83
[Synapse Artifacts] Re generate for October Release (#17981)
joheredi Oct 5, 2021
9c80f49
Revert change back (#18040)
azure-sdk Oct 5, 2021
c7f4926
[Schema Registry] Edit readme (#18048)
deyaaeldeen Oct 5, 2021
23b90ad
Re-enable api extractor when building abort-controller (#17986)
ramya-rao-a Oct 5, 2021
3f2fee6
[Synapse Spark] Regenerate with latest release tag package-spark-2020…
joheredi Oct 5, 2021
b577126
Post release automated changes for schemaregistry releases (#18051)
azure-sdk Oct 5, 2021
a7a4375
Reduce test scope for test-utils pipeline (#18046)
praveenkuttappan Oct 5, 2021
82d4e3b
Post release automated changes for eventgrid releases (#18050)
azure-sdk Oct 5, 2021
d915f79
[Schema Registry] Post release automation (#18052)
deyaaeldeen Oct 6, 2021
df59bdf
[Identity] Caught up with POD Identity fix added on 1.5.1 (#18054)
sadasant Oct 6, 2021
342a87d
remaining feedback from Ramya
sadasant Oct 6, 2021
566dbb1
Merge remote-tracking branch 'Azure/main' into identity/fix17490-migr…
sadasant Oct 6, 2021
a92fcbb
removed references to the troubleshooting guide
sadasant Oct 7, 2021
71ef6f4
Update sdk/identity/identity/CHANGELOG.md
sadasant Oct 7, 2021
577fee9
added a placeholder for the Troubleshooting.md file
sadasant Oct 7, 2021
09e533d
Update sdk/identity/identity/CHANGELOG.md
sadasant Oct 7, 2021
5d53ae0
last references to Identity 2.0.0-beta.7
sadasant Oct 7, 2021
5f6d035
Merge remote-tracking branch 'Azure/main' into identity/fix17490-migr…
sadasant Oct 7, 2021
4e9b5e2
Fixed 2.0.0-beta.7 reference in monitor-query perf tests
sadasant Oct 7, 2021
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion sdk/identity/identity-cache-persistence/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@
"sideEffects": false,
"dependencies": {
"@azure/core-auth": "^1.3.0",
"@azure/identity": "^2.0.0-beta.7",
"@azure/identity": "^2.0.0",
"@azure/msal-node": "^1.3.0",
"@azure/msal-node-extensions": "1.0.0-alpha.9",
"keytar": "^7.6.0",
Expand Down
2 changes: 1 addition & 1 deletion sdk/identity/identity-vscode/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@
"homepage": "https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/identity/identity-vscode/README.md",
"sideEffects": false,
"dependencies": {
"@azure/identity": "^2.0.0-beta.7",
"@azure/identity": "^2.0.0",
"keytar": "^7.6.0",
"tslib": "^2.2.0"
},
Expand Down
106 changes: 102 additions & 4 deletions sdk/identity/identity/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,24 +1,122 @@
# Release History

## 2.0.0-beta.7 (Unreleased)
## 2.0.0 (2021-10-12)

After multiple beta releases over the past year, we're proud to announce the general availability of version 2 of the `@azure/identity` package. This version includes the best parts of v1, plus several improvements.

This changelog entry showcases the changes that have been made from version 1 of this package. See the [v1-to-v2 migration guide](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/migration-v1-v2.md) for details on how to upgrade your application to use the version 2 of `@azure/identity`.

### Features Added

### Breaking Changes
#### Plugin API

Identity v2 provides a top-level `useIdentityPlugin` function, which allows using two new plugin packages:

- [@azure/identity-vscode](https://www.npmjs.com/package/@azure/identity-vscode), which provides the dependencies of `VisualStudioCodeCredential` and enables it.
- If the `@azure/identity-vscode` plugin isn't used through the `useIdentityPlugin` function, the `VisualStudioCodeCredential` exposed by Identity v2 will throw a `CredentialUnavailableError`.
- [@azure/identity-cache-persistence](https://www.npmjs.com/package/@azure/identity-cache-persistence), which provides persistent token caching.

Most credentials on Identity v2 now support the persistent token caching feature. Such credentials include the property [tokenCachePersistenceOptions](https://docs.microsoft.com/javascript/api/@azure/identity/tokencachepersistenceoptions) in the constructor options which can be used to enable this feature.

The following example showcases how to enable persistence caching by first enabling the `@azure/identity-cache-persistence` plugin with `useIdentityPlugin(cachePersistencePlugin)`, and then passing the `tokenCachePersistenceOptions` through the constructor of the `DeviceCodeCredential`:

```ts
sadasant marked this conversation as resolved.
Show resolved Hide resolved
import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
import { useIdentityPlugin, DeviceCodeCredential } from "@azure/identity";

useIdentityPlugin(cachePersistencePlugin);

async function main() {
const credential = new DeviceCodeCredential({
tokenCachePersistenceOptions: {
enabled: true
}
});
}
```

#### New credentials

Identity v2 includes three new credential types:

- `AzurePowerShellCredential`, which re-uses any account previously authenticated with the `Az.Account` PowerShell module.
- `ApplicationCredential`, which is a simplified `DefaultAzureCredential` that only includes `EnvironmentCredential` and `ManagedIdentityCredential`.
- `OnBehalfOfCredential`, which enables the [On-Behalf-Of authentication flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).

#### New features in all credentials

Identity v2 enables:

- Support for claims challenges resulting from [Continuous Access Enforcement (CAE)](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation) and [Conditional Access authentication context](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/granular-conditional-access-for-sensitive-data-and-actions/ba-p/1751775).
- By default, credentials of Identity v2 will produce tokens that can be used to trigger the challenge authentication flows. After these tokens expire, the next HTTP requests to Azure will fail, but the response will contain information to re-authenticate.
- To disable this behavior, set the environment variable `AZURE_IDENTITY_DISABLE_CP1` to any value. For more about claims challenges, see [Claims challenges, claims requests, and client capabilities](https://docs.microsoft.com/azure/active-directory/develop/claims-challenge).
- Support for multi-tenant authentication on all credentials except `ManagedIdentityCredential`.
- At the moment, applications needing multi-tenancy support will need to call to the credentials' `getToken` directly, sending the new `tenantId` property.
- A sample with more context will be provided in a future date.
- To disable it, set the environment variable `AZURE_IDENTITY_DISABLE_MULTITENANTAUTH`. For more about multitenancy, see [Identity management in multitenant apps](https://docs.microsoft.com/azure/architecture/multitenant-identity/).

#### New features in InteractiveBrowserCredential and DeviceCodeCredential

You can now control when the credential requests user input with the new `disableAutomaticAuthentication` option added to the options you pass to the credential constructors.

- When enabled, this option stops the `getToken()` method from requesting user input in case the credential is unable to authenticate silently.
- If `getToken()` fails to authenticate without user interaction, and `disableAutomaticAuthentication` has been set to true, a new error will be thrown: `AuthenticationRequired`. You may use this error to identify scenarios when manual authentication needs to be triggered (with `authenticate()`, as described in the next point).

A new method `authenticate()` is added to these credentials which is similar to `getToken()`, but it does not read the `disableAutomaticAuthentication` option described above.

- Use this to get an `AuthenticationRecord` which you can then use to create new credentials that will re-use the token information.
- The `AuthenticationRecord` object has a `serialize()` method that allows an authenticated account to be stored as a string and re-used in another credential at any time. Use the new helper function `deserializeAuthenticationRecord` to de-serialize this string.
- `authenticate()` might succeed and still return `undefined` if we're unable to pick just one account record from the cache. This might happen if the cache is being used by more than one credential, or if multiple users have authenticated using the same Client ID and Tenant ID. To ensure consistency on a program with many users, please keep track of the `AuthenticationRecord` and provide them in the constructors of the credentials on initialization.

Learn more via the below samples
- [Samples around controlling user interaction]https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#control-user-interaction).
sadasant marked this conversation as resolved.
Show resolved Hide resolved
- [Samples around persisting user authentication data](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#persist-user-authentication-data).

#### New features in ManagedIdentityCredential

In Identity v2, the `ManagedIdentityCredential` retries with exponential back-off when a request for a token fails with a 404 status code. This change only applies to environments with available IMDS endpoints.

Azure Service Fabric support hasn't been added on the initial version 2 of Identity. Subscribe to [issue #12420](https://github.com/Azure/azure-sdk-for-js/issues/12420) for updates on this feature.

#### Other features

- The Node.js version of `InteractiveBrowserCredential` has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.
- `InteractiveBrowserCredential` has a new `loginHint` constructor option, which allows a username to be pre-selected for interactive logins.
- In `AzureCliCredential`, we allow specifying a `tenantId` in the parameters through the `AzureCliCredentialOptions`.
- A new error, named `AuthenticationRequiredError`, has been added. This error shows up when a credential fails to authenticate silently.
- Errors and logged exceptions may point to the new [troubleshooting guidelines](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/).
- On all of the credentials we're providing, the initial authentication attempt in the lifetime of your app will include an additional request to first discover relevant endpoint metadata information from Azure.

### Breaking changes

#### Breaking changes from v1

- For `ClientCertificateCredential` specifically, the validity of the PEM certificate is evaluated on `getToken` and not on the constructor.
- We have also renamed the error `CredentialUnavailable` to `CredentialUnavailableError`, to align with the naming convention used for error classes in the Azure SDKs in JavaScript.
- In v1 of Identity some `getToken` calls could resolve with `null` in the case the authentication request succeeded with a malformed output. In v2, issues with the `getToken` method will always throw errors.
- Breaking changes to InteractiveBrowserCredential
- The `InteractiveBrowserCredential` will use the [Auth Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) with [PKCE](https://tools.ietf.org/html/rfc7636) rather than [Implicit Grant Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-implicit-grant-flow) to better support browsers with enhanced security restrictions. Learn how to migrate in the [migration guide](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/migration-v1-v2.md). Read more about the latest `InteractiveBrowserCredential` [here](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/interactive-browser-credential.md).
- The default client ID used for `InteractiveBrowserCredential` was viable only in Node.js and not for the browser. Therefore, on v2 client ID is a required parameter when using this credential in browser apps.
- Identity v2 also removes the `postLogoutRedirectUri` from the options to the constructor for `InteractiveBrowserCredential`. This option wasn't being used. Instead of using this option, use MSAL directly. For more information, see [Authenticating with the @azure/msal-browser Public Client](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-with-the-azuremsal-browser-public-client).
- In Identity v2, `VisualStudioCodeCredential` throws a `CredentialUnavailableError` unless the new [@azure/identity-vscode](https://www.npmjs.com/package/@azure/identity-vscode) plugin is used.

#### Breaking Changes from 2.0.0-beta.4

- Removed the `allowMultiTenantAuthentication` option from all of the credentials. Multi-tenant authentication is now enabled by default. On Node.js, it can be disabled with the `AZURE_IDENTITY_DISABLE_MULTITENANTAUTH` environment variable.
- Removed support for specific Azure regions on `ClientSecretCredential` and `ClientCertificateCredential. This feature will be added back on the next beta.


### Bugs Fixed

- `ClientSecretCredential`, `ClientCertificateCredential`, and `UsernamePasswordCredential` throw if the required parameters aren't provided (even in JavaScript).
- Fixed a bug that caused `AzureCliCredential` to fail when a custom tenant ID was provided.
- Caught up with the bug fixes for Azure POD Identity that were implemented on version 1.5.1.

### Other Changes

Identity v2 no longer includes native dependencies (neither ordinary, peer, nor optional dependencies). Previous distributions of `@azure/identity` included an optional dependency on `keytar`, which caused issues for some users in restrictive environments.

Identity v2 for JavaScript now also depends on the latest available versions of `@azure/msal-common`, `@azure/msal-node`, and `@azure/msal-browser`. Our goal is to always be up-to-date with the MSAL versions.

## 2.0.0-beta.6 (2021-09-09)

### Features Added
Expand Down Expand Up @@ -176,7 +274,7 @@ This update marks the preview for the first major version update of the `@azure/
- This feature uses DPAPI on Windows, it tries to use the Keychain on OSX and the Keyring on Linux.
- To learn more on the usage, please refer to our docs on the `TokenCachePersistenceOptions` interface.
- **IMPORTANT:** As part of this beta, this feature is only supported in Node 10, 12 and 14.
- Changes to `InteractiveBrowserCredential`, `DeviceCodeCredential`, and `UsernamePasswordCredential`:
- Changes to `InteractiveBrowserCredential` and `DeviceCodeCredential`:
- You can now control when the credential requests user input with the new `disableAutomaticAuthentication` option added to the options you pass to the credential constructors.
- When enabled, this option stops the `getToken()` method from requesting user input in case the credential is unable to authenticate silently.
- If `getToken()` fails to authenticate without user interaction, and `disableAutomaticAuthentication` has been set to true, a new error will be thrown: `AuthenticationRequired`. You may use this error to identify scenarios when manual authentication needs to be triggered (with `authenticate()`, as described in the next point).
Expand Down
4 changes: 4 additions & 0 deletions sdk/identity/identity/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@ Key links:

## Getting started

### Migrate from v1 to v2 of @azure/identity

If you're using v1 of `@azure/identity`, see the [migration guide](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/migration-v1-v2.md) to update to v2.

### Currently supported environments

- [LTS versions of Node.js](https://nodejs.org/about/releases/)
Expand Down
Loading