tessl/maven-com-azure--azure-identity

The Azure Identity library provides Microsoft Entra ID token authentication support across the Azure SDK with a comprehensive set of TokenCredential implementations.


Service Principal Authentication

Service Principal authentication enables non-interactive authentication to Azure services using application credentials. Azure Identity supports three types of service principal authentication: client secret, client certificate, and client assertion.

Client Secret Authentication

Authenticate using a service principal with a client secret.

import com.azure.core.credential.TokenCredential;
import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.storage.blob.BlobServiceClient;
import com.azure.storage.blob.BlobServiceClientBuilder;

// Basic client secret authentication (the literals are placeholders; in real code
// load the secret from configuration or a vault rather than from source)
TokenCredential credential = new ClientSecretCredentialBuilder()
    .tenantId("tenant-id")
    .clientId("client-id")
    .clientSecret("client-secret")
    .build();

// Use with an Azure SDK client (requires the azure-storage-blob dependency)
BlobServiceClient client = new BlobServiceClientBuilder()
    .endpoint("https://mystorageaccount.blob.core.windows.net/")
    .credential(credential)
    .buildClient();

Client Certificate Authentication

Authenticate using a service principal with a client certificate.

import com.azure.core.credential.TokenCredential;
import com.azure.identity.ClientCertificateCredential;
import com.azure.identity.ClientCertificateCredentialBuilder;

// From a password-protected PFX (PKCS#12) file
TokenCredential credential = new ClientCertificateCredentialBuilder()
    .tenantId("tenant-id")
    .clientId("client-id")
    .pfxCertificate("path/to/certificate.pfx", "certificate-password")
    .build();

// From a PEM file containing the certificate and its private key
TokenCredential pemCredential = new ClientCertificateCredentialBuilder()
    .tenantId("tenant-id")
    .clientId("client-id")
    .pemCertificate("path/to/certificate.pem")
    .build();

Client Assertion Authentication

Authenticate using a signed client assertion.

import com.azure.core.credential.TokenCredential;
import com.azure.identity.ClientAssertionCredential;
import com.azure.identity.ClientAssertionCredentialBuilder;
import java.util.function.Supplier;

// Using an assertion supplier; the SDK invokes it whenever it needs a fresh assertion
Supplier<String> assertionSupplier = () -> {
    // Your logic to generate or retrieve the client assertion
    // (generateJwtAssertion() is a placeholder for your own assertion source)
    return generateJwtAssertion();
};

TokenCredential credential = new ClientAssertionCredentialBuilder()
    .tenantId("tenant-id")
    .clientId("client-id")
    .clientAssertion(assertionSupplier)
    .build();
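As an added example, not code from the original page or from the Azure SDK, here is one concrete assertion supplier: it loads the signing key from a PFX file (path and password are assumed placeholders), builds the RFC 7523 JWT that Entra ID accepts as a client assertion, signs it with RS256 and hands it to ClientAssertionCredentialBuilder. The class name and the credential() helper are hypothetical, and the aud claim assumes the public-cloud authority host.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.ClientAssertionCredentialBuilder;
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Base64;
import java.util.UUID;
import java.util.function.Supplier;

public class CertificateAssertionSupplier implements Supplier<String> {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final String tenantId, clientId;
    private final PrivateKey key; // never leaves this process; only signed assertions do
    private final String x5t; // base64url SHA-1 thumbprint of the DER cert; Entra ID uses it to pick the registered key

    public CertificateAssertionSupplier(String tenantId, String clientId, String pfxPath, char[] password) throws Exception {
        this.tenantId = tenantId; this.clientId = clientId;
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(pfxPath)) { ks.load(in, password); }
        String alias = ks.aliases().nextElement(); // assumes the PFX holds a single key entry
        this.key = (PrivateKey) ks.getKey(alias, password);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        this.x5t = B64.encodeToString(MessageDigest.getInstance("SHA-1").digest(cert.getEncoded()));
    }

    @Override
    public String get() {
        // RFC 7523 claims: aud = the tenant's token endpoint (public cloud assumed), iss/sub = app id,
        // jti unique per assertion, exp only 5 minutes out so a captured assertion has little replay value
        long now = Instant.now().getEpochSecond();
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"x5t\":\"" + x5t + "\"}";
        String claims = String.format(
            "{\"aud\":\"https://login.microsoftonline.com/%s/oauth2/v2.0/token\",\"iss\":\"%s\",\"sub\":\"%s\",\"jti\":\"%s\",\"nbf\":%d,\"exp\":%d}",
            tenantId, clientId, clientId, UUID.randomUUID(), now, now + 300);
        String signingInput = b64(header) + "." + b64(claims);
        try {
            Signature sig = Signature.getInstance("SHA256withRSA"); sig.initSign(key);
            sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
            return signingInput + "." + B64.encodeToString(sig.sign());
        } catch (Exception e) { throw new IllegalStateException("Failed to sign client assertion", e); }
    }

    private static String b64(String s) { return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    // Wire the supplier in; the SDK calls get() each time it needs a fresh assertion
    public static TokenCredential credential(String tenant, String client, String pfx, char[] pw) throws Exception {
        return new ClientAssertionCredentialBuilder().tenantId(tenant).clientId(client)
            .clientAssertion(new CertificateAssertionSupplier(tenant, client, pfx, pw)).build();
    }
}
```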

Advanced Configuration

import com.azure.core.credential.TokenCredential;
import com.azure.core.http.HttpClient;
import com.azure.identity.AzureAuthorityHosts;
import com.azure.identity.ClientSecretCredentialBuilder;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

ExecutorService executorService = Executors.newCachedThreadPool();
HttpClient httpClient = HttpClient.createDefault();

// Configure with custom options
TokenCredential credential = new ClientSecretCredentialBuilder()
    .tenantId("tenant-id")
    .clientId("client-id")
    .clientSecret("client-secret")
    .authorityHost(AzureAuthorityHosts.AZURE_GOVERNMENT)  // Government cloud
    .additionallyAllowedTenants("*")  // Allow any tenant; prefer an explicit tenant list in production
    .disableInstanceDiscovery()  // Skips authority validation; use only where the metadata endpoint is unreachable (private cloud, ADFS)
    .executorService(executorService)  // Custom executor
    .httpClient(httpClient)  // Custom HTTP client
    .build();

Multi-Tenant Authentication

import com.azure.core.credential.TokenCredential;
import com.azure.identity.ClientSecretCredentialBuilder;

// Configure for multi-tenant scenarios: tokens may be requested for the listed tenants only
TokenCredential credential = new ClientSecretCredentialBuilder()
    .tenantId("primary-tenant-id")
    .clientId("client-id")
    .clientSecret("client-secret")
    .additionallyAllowedTenants("tenant-1", "tenant-2", "tenant-3")
    .build();

// Or allow any tenant (broader than most deployments need; see Best Practices)
TokenCredential anyTenantCredential = new ClientSecretCredentialBuilder()
    .tenantId("primary-tenant-id")
    .clientId("client-id")
    .clientSecret("client-secret")
    .additionallyAllowedTenants("*")
    .build();

Environment Variables

Service principal credentials can be configured via environment variables:

  • AZURE_CLIENT_ID - The client ID of the service principal
  • AZURE_CLIENT_SECRET - The client secret
  • AZURE_CLIENT_CERTIFICATE_PATH - Path to certificate file
  • AZURE_CLIENT_CERTIFICATE_PASSWORD - Certificate password
  • AZURE_TENANT_ID - The tenant ID
  • AZURE_AUTHORITY_HOST - The Microsoft Entra ID authority host

// EnvironmentCredential reads these automatically
import com.azure.core.credential.TokenCredential;
import com.azure.identity.EnvironmentCredential;
import com.azure.identity.EnvironmentCredentialBuilder;

TokenCredential envCredential = new EnvironmentCredentialBuilder().build();

Certificate Formats

PFX/PKCS#12 Certificate

import com.azure.core.credential.TokenCredential;
import com.azure.identity.ClientCertificateCredentialBuilder;

// With password
TokenCredential credential = new ClientCertificateCredentialBuilder()
    .tenantId("tenant-id")
    .clientId("client-id")
    .pfxCertificate("path/to/certificate.pfx", "password")
    .build();

// Without password
TokenCredential credentialNoPassword = new ClientCertificateCredentialBuilder()
    .tenantId("tenant-id")
    .clientId("client-id")
    .pfxCertificate("path/to/certificate.pfx")
    .build();

PEM Certificate

import com.azure.core.credential.TokenCredential;
import com.azure.identity.ClientCertificateCredentialBuilder;

// PEM certificate with private key
TokenCredential credential = new ClientCertificateCredentialBuilder()
    .tenantId("tenant-id")
    .clientId("client-id")
    .pemCertificate("path/to/certificate.pem")
    .build();

// Send the certificate chain in the token request (needed when the app registration
// relies on an intermediate CA rather than the leaf certificate itself)
TokenCredential credentialWithChain = new ClientCertificateCredentialBuilder()
    .tenantId("tenant-id")
    .clientId("client-id")
    .pemCertificate("path/to/certificate.pem")
    .sendCertificateChain(true)
    .build();

Error Handling

import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.core.exception.ClientAuthenticationException;
import com.azure.identity.ClientSecretCredentialBuilder;

try {
    TokenCredential credential = new ClientSecretCredentialBuilder()
        .tenantId("tenant-id")
        .clientId("client-id")
        .clientSecret("client-secret")
        .build();

    AccessToken token = credential.getTokenSync(
        new TokenRequestContext().addScopes("https://management.azure.com/.default")
    );

    System.out.println("Authentication successful");

} catch (ClientAuthenticationException e) {
    // Log the message only; never log the secret or the token itself
    System.err.println("Authentication failed: " + e.getMessage());
    // Common causes:
    // - Invalid client ID, secret, or tenant ID
    // - Service principal doesn't exist or is disabled
    // - Insufficient permissions for requested scope
} catch (Exception e) {
    System.err.println("Unexpected error: " + e.getMessage());
}

API Reference

class ClientSecretCredential implements TokenCredential {
    Mono<AccessToken> getToken(TokenRequestContext request);
    AccessToken getTokenSync(TokenRequestContext request);
}

class ClientSecretCredentialBuilder extends AadCredentialBuilderBase<ClientSecretCredentialBuilder> {
    ClientSecretCredentialBuilder clientSecret(String clientSecret);
    ClientSecretCredential build();
}

class ClientCertificateCredential implements TokenCredential {
    Mono<AccessToken> getToken(TokenRequestContext request);
    AccessToken getTokenSync(TokenRequestContext request);
}

class ClientCertificateCredentialBuilder extends AadCredentialBuilderBase<ClientCertificateCredentialBuilder> {
    ClientCertificateCredentialBuilder pfxCertificate(String certificatePath);
    ClientCertificateCredentialBuilder pfxCertificate(String certificatePath, String clientCertificatePassword);
    ClientCertificateCredentialBuilder pfxCertificate(InputStream certificate, String clientCertificatePassword);
    ClientCertificateCredentialBuilder pemCertificate(String certificatePath);
    ClientCertificateCredentialBuilder pemCertificate(InputStream certificate);
    ClientCertificateCredentialBuilder sendCertificateChain(boolean sendCertificateChain);
    ClientCertificateCredential build();
}

class ClientAssertionCredential implements TokenCredential {
    Mono<AccessToken> getToken(TokenRequestContext request);
    AccessToken getTokenSync(TokenRequestContext request);
}

class ClientAssertionCredentialBuilder extends AadCredentialBuilderBase<ClientAssertionCredentialBuilder> {
    ClientAssertionCredentialBuilder clientAssertion(Supplier<String> clientAssertionSupplier);
    ClientAssertionCredential build();
}

class EnvironmentCredential implements TokenCredential {
    Mono<AccessToken> getToken(TokenRequestContext request);
    AccessToken getTokenSync(TokenRequestContext request);
}

class EnvironmentCredentialBuilder extends CredentialBuilderBase<EnvironmentCredentialBuilder> {
    EnvironmentCredential build();
}

Best Practices

  1. Secure Secret Storage: Never hardcode client secrets in source code. Use Azure Key Vault or environment variables
  2. Certificate Over Secret: Prefer client certificates over client secrets for enhanced security
  3. Short-Lived Secrets: Rotate client secrets regularly and use short expiration times
  4. Least Privilege: Grant service principals only the minimum required permissions
  5. Multi-Tenant Configuration: Explicitly configure allowed tenants to prevent unauthorized access
  6. Certificate Chain: Include the full certificate chain when using intermediate certificates
  7. Error Handling: Implement retry logic for transient authentication failures
  8. Token Caching: All service principal credentials automatically cache and refresh tokens

Install with Tessl CLI

npx tessl i tessl/maven-com-azure--azure-identity
