tessl/npm-azure--core-rest-pipeline
Isomorphic client library for making HTTP requests in node.js and browser with flexible middleware-style pipeline architecture.
—
Pending
authentication.mddocs/
Authentication Policies
Bearer token authentication and auxiliary authentication header policies for Azure services, supporting token refresh, challenge handling, and multi-credential scenarios.
Capabilities
Bearer Token Authentication
Primary authentication policy for Azure services using bearer tokens with automatic refresh and challenge handling.
/**
* Creates a policy that can request a token from a TokenCredential implementation and then apply it to the Authorization header of a request
* @param options - Options for configuring the bearer token policy
* @returns PipelinePolicy that handles bearer token authentication
*/
function bearerTokenAuthenticationPolicy(
options: BearerTokenAuthenticationPolicyOptions
): PipelinePolicy;
/**
* The programmatic identifier of the bearerTokenAuthenticationPolicy
*/
const bearerTokenAuthenticationPolicyName: string;
interface BearerTokenAuthenticationPolicyOptions {
/**
* The TokenCredential implementation that can supply the access token
*/
credential: TokenCredential;
/**
* The scopes for which the bearer token applies
*/
scopes: string[];
/**
* Callbacks for handling authentication challenges
*/
challengeCallbacks?: ChallengeCallbacks;
}
interface ChallengeCallbacks {
/**
* Allows for the authorization of the main request after a 401 response with a valid WWW-Authenticate challenge
*/
authorizeRequestOnChallenge?: (
options: AuthorizeRequestOnChallengeOptions
) => Promise<boolean>;
/**
* Allows to customize the authorization of any request after a 401 response with a valid WWW-Authenticate challenge
*/
authorizeRequest?: (options: AuthorizeRequestOptions) => Promise<void>;
}Usage Examples:
import {
bearerTokenAuthenticationPolicy,
type BearerTokenAuthenticationPolicyOptions,
type ChallengeCallbacks
} from "@azure/core-rest-pipeline";
import { DefaultAzureCredential } from "@azure/identity";
// Basic bearer token policy
const credential = new DefaultAzureCredential();
const authPolicy = bearerTokenAuthenticationPolicy({
credential,
scopes: ["https://management.azure.com/.default"]
});
// Advanced policy with challenge handling
const challengeCallbacks: ChallengeCallbacks = {
authorizeRequestOnChallenge: async (options) => {
console.log("Handling auth challenge");
// Custom challenge handling logic
return true;
},
authorizeRequest: async (options) => {
console.log("Authorizing request");
// Custom authorization logic
}
};
const advancedAuthPolicy = bearerTokenAuthenticationPolicy({
credential,
scopes: ["https://vault.azure.net/.default"],
challengeCallbacks
});
// Add to pipeline
pipeline.addPolicy(authPolicy, { phase: "Sign" });Authorization Request Options
Interfaces for customizing authorization behavior during request processing.
/**
* Options sent to the authorizeRequest callback
*/
interface AuthorizeRequestOptions {
/**
* The scopes for which the bearer token applies
*/
scopes: string[];
/**
* Function that retrieves either a cached access token or a new access token
*/
getAccessToken: (scopes: string[], options: GetTokenOptions) => Promise<AccessToken | null>;
/**
* Request that the policy is trying to fulfill
*/
request: PipelineRequest;
/**
* A logger, if one was sent through the HTTP pipeline
*/
logger?: AzureLogger;
}
/**
* Options sent to the authorizeRequestOnChallenge callback
*/
interface AuthorizeRequestOnChallengeOptions {
/**
* The scopes for which the bearer token applies
*/
scopes: string[];
/**
* Function that retrieves either a cached access token or a new access token
*/
getAccessToken: (scopes: string[], options: GetTokenOptions) => Promise<AccessToken | null>;
/**
* Request that the policy is trying to fulfill
*/
request: PipelineRequest;
/**
* Response that came back from the service with an authorization challenge
*/
response: PipelineResponse;
/**
* A logger, if one was sent through the HTTP pipeline
*/
logger?: AzureLogger;
}Usage Examples:
import {
type AuthorizeRequestOptions,
type AuthorizeRequestOnChallengeOptions
} from "@azure/core-rest-pipeline";
const customChallengeCallbacks: ChallengeCallbacks = {
authorizeRequest: async (options: AuthorizeRequestOptions) => {
// Get fresh token for the request
const token = await options.getAccessToken(options.scopes, {});
if (token) {
options.request.headers.set("Authorization", `Bearer ${token.token}`);
options.logger?.info("Added authorization header");
}
},
authorizeRequestOnChallenge: async (options: AuthorizeRequestOnChallengeOptions) => {
// Handle specific challenge responses
if (options.response.status === 401) {
const challengeHeader = options.response.headers.get("WWW-Authenticate");
if (challengeHeader?.includes("Bearer")) {
// Parse challenge and get appropriate token
const token = await options.getAccessToken(options.scopes, {});
if (token) {
options.request.headers.set("Authorization", `Bearer ${token.token}`);
return true; // Retry the request
}
}
}
return false; // Don't retry
}
};Auxiliary Authentication Headers
Policy for adding auxiliary authentication headers, typically used for cross-tenant scenarios or additional authentication context.
/**
* Creates a policy that can apply auxiliary authentication headers to requests
* @param options - Options for configuring the auxiliary auth policy
* @returns PipelinePolicy that adds auxiliary authentication headers
*/
function auxiliaryAuthenticationHeaderPolicy(
options: AuxiliaryAuthenticationHeaderPolicyOptions
): PipelinePolicy;
/**
* The programmatic identifier of the auxiliaryAuthenticationHeaderPolicy
*/
const auxiliaryAuthenticationHeaderPolicyName: string;
interface AuxiliaryAuthenticationHeaderPolicyOptions {
/**
* TokenCredentials used to get tokens for auxiliary authentication
*/
credentials: {
scopes: string[];
credential: TokenCredential;
}[];
/**
* A logger instance for logging authentication operations
*/
logger?: AzureLogger;
}Usage Examples:
import {
auxiliaryAuthenticationHeaderPolicy,
type AuxiliaryAuthenticationHeaderPolicyOptions
} from "@azure/core-rest-pipeline";
import { DefaultAzureCredential, ManagedIdentityCredential } from "@azure/identity";
// Multiple credential configuration for cross-tenant scenarios
const auxiliaryAuthOptions: AuxiliaryAuthenticationHeaderPolicyOptions = {
credentials: [
{
scopes: ["https://management.azure.com/.default"],
credential: new DefaultAzureCredential()
},
{
scopes: ["https://graph.microsoft.com/.default"],
credential: new ManagedIdentityCredential()
}
],
logger: console
};
const auxiliaryAuthPolicy = auxiliaryAuthenticationHeaderPolicy(auxiliaryAuthOptions);
// Add to pipeline after the main auth policy
pipeline.addPolicy(auxiliaryAuthPolicy, {
afterPolicies: [bearerTokenAuthenticationPolicyName]
});Authentication Flow
The authentication policies work together to provide comprehensive authentication:
- Bearer Token Policy handles primary authentication with token refresh
- Challenge Handling responds to 401/403 responses with WWW-Authenticate headers
- Auxiliary Headers add additional authentication context when needed
- Token Caching automatically caches and refreshes tokens as needed
Policy Names
/**
* Policy name constants for use in pipeline configuration
*/
const bearerTokenAuthenticationPolicyName: string;
const auxiliaryAuthenticationHeaderPolicyName: string;These constants are used for policy ordering and identification in pipeline configuration.
Install with Tessl CLI
npx tessl i tessl/npm-azure--core-rest-pipeline