
# Client Assertion Authentication

Authenticates using client assertions (JWT bearer tokens) for service principal authentication, providing a secure and scalable authentication method.

## Capabilities

### Client Assertion Credential

Acquires tokens using client assertion and service principal authentication.

```java { .api }
/**
 * Client assertion credential for service principal authentication
 */
class ClientAssertionCredential implements TokenCredential {
    Mono<AccessToken> getToken(TokenRequestContext request);
    AccessToken getTokenSync(TokenRequestContext request);
}

class ClientAssertionCredentialBuilder extends AadCredentialBuilderBase<ClientAssertionCredentialBuilder> {
    ClientAssertionCredentialBuilder clientAssertion(Supplier<String> clientAssertionSupplier);
    ClientAssertionCredentialBuilder tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions);
    ClientAssertionCredential build();
}
```

**Usage Examples:**

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.ClientAssertionCredential;
import com.azure.identity.ClientAssertionCredentialBuilder;
import com.azure.storage.blob.BlobServiceClient;
import com.azure.storage.blob.BlobServiceClientBuilder;
import java.util.function.Supplier;

// Create a supplier that generates JWT assertions
Supplier<String> assertionSupplier = () -> {
    // Your logic to generate JWT assertion
    // (generateJwtAssertion() is a placeholder for application code)
    return generateJwtAssertion();
};

// Create credential with client assertion
TokenCredential credential = new ClientAssertionCredentialBuilder()
    .clientId("your-client-id")
    .tenantId("your-tenant-id")
    .clientAssertion(assertionSupplier)
    .build();

// Use with Azure SDK clients
BlobServiceClient client = new BlobServiceClientBuilder()
    .endpoint("https://mystorageaccount.blob.core.windows.net")
    .credential(credential)
    .buildClient();
```

**JWT Assertion Requirements:**

The client assertion must be a valid JWT with:

- `iss` (issuer): The client ID of the application
- `sub` (subject): The client ID of the application
- `aud` (audience): The Azure AD token endpoint
- `exp` (expiration): Token expiration time
- `nbf` (not before): Token valid from time
- `jti` (JWT ID): Unique identifier for the token
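
One way to fill in the `generateJwtAssertion()` placeholder so that it emits the six claims listed above, using only the JDK; this is an added example, not code from the original page or from the Azure SDK. The class name, the RS256 algorithm, the 300-second lifetime, the in-memory key, the all-zero client ID and the endpoint URL form are assumptions, and the header carries only `alg` and `typ` because this page lists no other header fields.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;
import java.util.UUID;
import java.util.function.Supplier;

public class ClientAssertionExample {
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    private static String b64(String json) {
        return B64URL.encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    /** Builds an RS256-signed JWT carrying the six claims listed above. */
    static String generateJwtAssertion(String clientId, String tokenEndpoint, PrivateKey key) {
        Instant now = Instant.now();
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        // Inputs are assumed to be a GUID and a URL, so no JSON escaping is done here.
        String claims = "{\"iss\":\"" + clientId + "\",\"sub\":\"" + clientId
            + "\",\"aud\":\"" + tokenEndpoint
            + "\",\"nbf\":" + now.getEpochSecond()
            + ",\"exp\":" + now.plusSeconds(300).getEpochSecond() // short lifetime narrows the replay window
            + ",\"jti\":\"" + UUID.randomUUID() + "\"}";          // fresh jti for every assertion
        String signingInput = b64(header) + "." + b64(claims);
        try {
            Signature rs256 = Signature.getInstance("SHA256withRSA");
            rs256.initSign(key);
            rs256.update(signingInput.getBytes(StandardCharsets.US_ASCII));
            return signingInput + "." + B64URL.encodeToString(rs256.sign());
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("could not sign client assertion", e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; a real private key comes from a key store or HSM.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PrivateKey key = gen.generateKeyPair().getPrivate();
        String clientId = "00000000-0000-0000-0000-000000000000";
        String aud = "https://login.microsoftonline.com/your-tenant-id/oauth2/v2.0/token";
        Supplier<String> assertionSupplier = () -> generateJwtAssertion(clientId, aud, key);
        System.out.println(assertionSupplier.get().split("\\.").length + " segments");
    }
}
```

Because the claims are computed inside the supplier, every call returns an assertion with its own `jti`, `nbf` and `exp` rather than reusing one long-lived token.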

## Advanced Configuration

```java
import com.azure.identity.TokenCachePersistenceOptions;

// With token cache persistence
TokenCredential credential = new ClientAssertionCredentialBuilder()
    .clientId("your-client-id")
    .tenantId("your-tenant-id")
    .clientAssertion(assertionSupplier)
    .tokenCachePersistenceOptions(new TokenCachePersistenceOptions()
        .setName("MyAppTokenCache"))
    .build();
```

## Exception Handling

Throws `CredentialUnavailableException` when:

- Client assertion supplier returns null or invalid JWT
- Required configuration parameters are missing
- Authentication fails due to invalid assertion