Variables ¶
var ErrNoCurrentUser = errors.New("not logged in, run `azd auth login` to login")
ErrNoCurrentUser indicates that the current user is not logged in. This is typically determined by inspecting the stored auth information and credentials on the machine. If the auth information or credentials are not found or invalid, the user is considered not to be logged in.
Functions ¶
func EnsureLoggedInCredential ¶
func EnsureLoggedInCredential( ctx context.Context, credential azcore.TokenCredential, cloud *cloud.Cloud, ) (*azcore.AccessToken, error)
EnsureLoggedInCredential uses the credential's GetToken method to ensure an access token can be fetched. On success, the token we fetched is returned.
func GetOidFromAccessToken ¶
GetOidFromAccessToken extracts the string claim named "oid" from an access token. Access tokens are JWTs; the middle (payload) component is a base64url-encoded JSON object containing the claims.
func GetTenantIdFromToken ¶
func LoginScopes ¶
LoginScopes returns the scopes that we request an access token for when checking if a user is signed in.
func ShouldUseCloudShellAuth ¶
func ShouldUseCloudShellAuth() bool
Types ¶
type AadErrorResponse ¶
type AadErrorResponse struct { Error string `json:"error"` ErrorDescription string `json:"error_description"` ErrorCodes []int `json:"error_codes"` Timestamp string `json:"timestamp"` TraceId string `json:"trace_id"` CorrelationId string `json:"correlation_id"` ErrorUri string `json:"error_uri"` }
AadErrorResponse is an error response from Azure Active Directory.
See https://www.rfc-editor.org/rfc/rfc6749#section-5.2 for the OAuth 2.0 specification. See https://learn.microsoft.com/azure/active-directory/develop/reference-aadsts-error-codes for AAD error codes.
type AuthFailedError ¶
type AuthFailedError struct { // The HTTP response motivating the error, if available RawResp *http.Response // The unmarshaled error response, if available Parsed *AadErrorResponse // contains filtered or unexported fields }
AuthFailedError indicates an authentication request has failed. This serves as a wrapper around MSAL related errors.
func (*AuthFailedError) Error ¶
func (e *AuthFailedError) Error() string
func (*AuthFailedError) Unwrap ¶
func (e *AuthFailedError) Unwrap() error
type CloudShellCredential ¶
type CloudShellCredential struct {
// contains filtered or unexported fields
}
func NewCloudShellCredential ¶
func NewCloudShellCredential(httpClient httputil.HttpClient) *CloudShellCredential
func (CloudShellCredential) GetToken ¶
func (t CloudShellCredential) GetToken(ctx context.Context, options policy.TokenRequestOptions) (azcore.AccessToken, error)
type ExternalAuthConfiguration ¶
type ExternalAuthConfiguration struct { Endpoint string Key string Client httputil.HttpClient }
type HttpClient ¶
type HttpClient interface { httputil.HttpClient // CloseIdleConnections closes any idle connections in a "keep-alive" state. CloseIdleConnections() }
HttpClient is the HTTP client interface required by the MSAL library.
type LoggedInGuard ¶
type LoggedInGuard struct{}
LoggedInGuard holds no data. It simply represents a type that can be used to express the logged-in constraint.
func NewLoggedInGuard ¶
func NewLoggedInGuard(manager *Manager, ctx context.Context) (LoggedInGuard, error)
NewLoggedInGuard checks if the user is logged in. An error is returned if the user is not logged in.
type LoginInteractiveOptions ¶
type LoginInteractiveOptions struct { TenantID string RedirectPort int WithOpenUrl WithOpenUrl }
LoginInteractiveOptions holds the optional inputs for interactive login.
type Manager ¶
type Manager struct {
// contains filtered or unexported fields
}
Manager manages the authentication system of azd. It allows a user to log in, either as a user principal or service principal. Manager stores information so that the user can stay logged in across invocations of the CLI. When logged in as a user (either interactively or via a device code flow), we provide a durable cache to MSAL which is used to cache information to allow silent logins across process runs. This cache is stored inside the user's home directory, ACL'd such that it can only be read by the current user. In addition, on Windows, this cache is encrypted, using CryptProtectData. The home account id of the signed in user is stored as a property under [cCurrentUserKey]. This behavior matches the AZ CLI.
When logged in as a service principal, the same cache strategy that backed the MSAL cache is used to store the private key or secret and the public components (the client ID and tenant ID) are stored under [cCurrentUserKey].
Logging out removes this cached authentication data.
You can configure azd to ignore its native credential system and instead delegate to the AZ CLI (useful for cases where azd does not yet support your preferred method of authentication) by setting [cUseLegacyAzCliAuthKey] in config to true.
func NewManager ¶
func NewManager( configManager config.FileConfigManager, userConfigManager config.UserConfigManager, cloud *cloud.Cloud, httpClient HttpClient, console input.Console, externalAuthCfg ExternalAuthConfiguration, ) (*Manager, error)
func (*Manager) CredentialForCurrentUser ¶
func (m *Manager) CredentialForCurrentUser( ctx context.Context, options *CredentialForCurrentUserOptions, ) (azcore.TokenCredential, error)
CredentialForCurrentUser returns a TokenCredential instance for the current user. If `auth.useLegacyAzCliAuth` is set to a truthy value in config, an instance of azidentity.AzureCLICredential is returned instead. To accept the default options, pass nil.
func (*Manager) GetLoggedInServicePrincipalTenantID ¶
GetLoggedInServicePrincipalTenantID returns the stored service principal's tenant ID.
Service principals are fixed to a particular tenant.
This can be used to determine whether the tenant is fixed and, if so, to short-circuit the performance-intensive tenant switching for service principals.
func (*Manager) LoginInteractive ¶
func (m *Manager) LoginInteractive( ctx context.Context, scopes []string, options *LoginInteractiveOptions) (azcore.TokenCredential, error)
LoginInteractive opens a browser to authenticate the user.
func (*Manager) LoginScopes ¶
func (*Manager) LoginWithBrokerAccount ¶
LoginWithBrokerAccount logs in an account provided by the system authentication broker via OneAuth. For example, it will log in the user currently signed in to Windows. This method never prompts for user interaction and returns an error when the broker doesn't provide an account.
func (*Manager) LoginWithDeviceCode ¶
func (m *Manager) LoginWithDeviceCode( ctx context.Context, tenantID string, scopes []string, withOpenUrl WithOpenUrl) (azcore.TokenCredential, error)
func (*Manager) LoginWithOneAuth ¶
LoginWithOneAuth starts OneAuth's interactive login flow.
func (*Manager) LoginWithServicePrincipalCertificate ¶
func (*Manager) LoginWithServicePrincipalFederatedTokenProvider ¶
func (*Manager) LoginWithServicePrincipalSecret ¶
func (*Manager) Logout ¶
Logout signs out the current user and removes any cached authentication information.
func (*Manager) UseExternalAuth ¶
type MultiTenantCredentialProvider ¶
type MultiTenantCredentialProvider interface { // Gets an authenticated token credential for the given tenant. If tenantId is empty, uses the default home tenant. GetTokenCredential(ctx context.Context, tenantId string) (azcore.TokenCredential, error) }
MultiTenantCredentialProvider provides token credentials for different tenants.
Only use this if you need to perform multi-tenant operations.
func NewMultiTenantCredentialProvider ¶
func NewMultiTenantCredentialProvider(auth *Manager) MultiTenantCredentialProvider
type ReLoginRequiredError ¶
type ReLoginRequiredError struct {
// contains filtered or unexported fields
}
ReLoginRequiredError indicates that the logged-in user needs to log in again to reauthenticate. This typically means that while the credentials stored on the machine are valid, the server has rejected them because they have expired or because additional challenges are required.
func (*ReLoginRequiredError) Error ¶
func (e *ReLoginRequiredError) Error() string
type RemoteCredential ¶
type RemoteCredential struct {
// contains filtered or unexported fields
}
RemoteCredential implements azcore.TokenCredential by using the remote credential protocol.
func (*RemoteCredential) GetToken ¶
func (rc *RemoteCredential) GetToken(ctx context.Context, options policy.TokenRequestOptions) (azcore.AccessToken, error)
GetToken implements azcore.TokenCredential.
type TokenFromCloudShell ¶
type TokenFromCloudShell struct { AccessToken string `json:"access_token"` RefreshToken string `json:"refresh_token"` ExpiresIn json.Number `json:"expires_in" type:"integer"` ExpiresOn json.Number `json:"expires_on" type:"integer"` NotBefore json.Number `json:"not_before" type:"integer"` Resource string `json:"resource"` TokenType string `json:"token_type"` }
type WithOpenUrl ¶
WithOpenUrl defines a custom strategy for opening the URL in a browser.