# Azure Pipelines Authentication

Authenticates using Azure Pipelines service connections for CI/CD scenarios, enabling secure authentication in Azure DevOps pipeline environments.

## Capabilities

### Azure Pipelines Credential

Acquires tokens using an Azure Pipelines service connection for CI/CD authentication.

```java { .api }
/**
 * Azure Pipelines credential for CI/CD environments
 */
class AzurePipelinesCredential implements TokenCredential {
    Mono<AccessToken> getToken(TokenRequestContext request);
    AccessToken getTokenSync(TokenRequestContext request);
}

class AzurePipelinesCredentialBuilder extends AadCredentialBuilderBase<AzurePipelinesCredentialBuilder> {
    AzurePipelinesCredentialBuilder serviceConnectionId(String serviceConnectionId);
    AzurePipelinesCredentialBuilder systemAccessToken(String systemAccessToken);
    AzurePipelinesCredentialBuilder tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions);
    AzurePipelinesCredential build();
}
```

**Usage Examples:**

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.AzurePipelinesCredential;
import com.azure.identity.AzurePipelinesCredentialBuilder;
import com.azure.storage.blob.BlobServiceClient;
import com.azure.storage.blob.BlobServiceClientBuilder;

// Basic usage in Azure Pipelines
TokenCredential credential = new AzurePipelinesCredentialBuilder()
    .clientId("your-client-id")
    .tenantId("your-tenant-id")
    .serviceConnectionId("your-service-connection-id")
    .systemAccessToken(System.getenv("SYSTEM_ACCESSTOKEN"))
    .build();

// Use in pipeline tasks (Blob Storage client from azure-storage-blob)
BlobServiceClient client = new BlobServiceClientBuilder()
    .endpoint("https://mystorageaccount.blob.core.windows.net")
    .credential(credential)
    .buildClient();
```

## Azure Pipelines Setup

### 1. Create Service Connection

In Azure DevOps:

1. Go to Project Settings → Service connections
2. Create a new Azure Resource Manager connection
3. Choose "Service principal (automatic)" or "Service principal (manual)"
4. Note the Service Connection ID from the connection details

### 2. Pipeline Configuration

```yaml
# azure-pipelines.yml
trigger:
- main

pool:
  vmImage: 'ubuntu-latest'

variables:
  serviceConnectionId: 'your-service-connection-id'

steps:
- task: JavaToolInstaller@0
  inputs:
    versionSpec: '11'
    jdkArchitectureOption: 'x64'
    jdkSourceOption: 'PreInstalled'

- script: |
    mvn clean compile exec:java -Dexec.mainClass="com.example.MyApp"
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
    SERVICE_CONNECTION_ID: $(serviceConnectionId)
  displayName: 'Run Java application'
```

### 3. Java Application Code

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.AzurePipelinesCredentialBuilder;

public class PipelineApp {
    public static void main(String[] args) {
        // Get values from the environment mapped in the pipeline step's env: block
        String serviceConnectionId = System.getenv("SERVICE_CONNECTION_ID");
        String systemAccessToken = System.getenv("SYSTEM_ACCESSTOKEN");

        // Create credential
        TokenCredential credential = new AzurePipelinesCredentialBuilder()
            .clientId("your-client-id")
            .tenantId("your-tenant-id")
            .serviceConnectionId(serviceConnectionId)
            .systemAccessToken(systemAccessToken)
            .build();

        // Use with Azure services
        // ... your application logic
    }
}
```

## Environment Requirements

**Required Environment Variables:**
- `SYSTEM_OIDCREQUESTURI` - Automatically set by Azure Pipelines
- Custom variables for client ID, tenant ID, and service connection ID

**System Access Token:**
The pipeline must have access to the system access token. Scripts do not see `System.AccessToken` unless it is mapped explicitly into the step's environment:

```yaml
# Enable OAuth token access
steps:
- script: echo "Using system token"
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
```

## Configuration Options

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.AzurePipelinesCredentialBuilder;
import com.azure.identity.TokenCachePersistenceOptions;

// With token cache persistence
TokenCredential credential = new AzurePipelinesCredentialBuilder()
    .clientId("your-client-id")
    .tenantId("your-tenant-id")
    .serviceConnectionId("service-connection-id")
    .systemAccessToken(System.getenv("SYSTEM_ACCESSTOKEN"))
    .tokenCachePersistenceOptions(new TokenCachePersistenceOptions()
        .setName("PipelineTokenCache"))
    // Tenants, beyond the configured one, for which tokens may be acquired
    .additionallyAllowedTenants("tenant1", "tenant2")
    .build();
```

## Security Best Practices

1. **Store sensitive values in Azure DevOps variables** (mark as secret)
2. **Use service connections** instead of hardcoded credentials
3. **Limit service principal permissions** to minimum required
4. **Enable pipeline restrictions** on service connections
5. **Use variable groups** for shared configuration

## Exception Handling

Throws `CredentialUnavailableException` when:
- `SYSTEM_OIDCREQUESTURI` environment variable is not set
- Service connection ID is invalid
- System access token is missing or invalid
- Pipeline environment is not properly configured

## Troubleshooting

**Common Issues:**
- **"SYSTEM_OIDCREQUESTURI not found"**: Ensure the code is running in an Azure Pipelines environment
- **Service connection errors**: Verify the service connection exists and has proper permissions
- **Token access denied**: Enable OAuth token access in the pipeline YAML or classic editor
- **Permission errors**: Check the service principal's permissions on target resources