- `AzurePipelinesCredential` sets an additional OIDC request header so that it receives a 401 instead of a 302 after presenting an invalid system access token
- Allow logging of debugging headers for `AzurePipelinesCredential` and include them in error messages
- Added `ObjectID` type for `ManagedIdentityCredentialOptions.ID`
- Removed redundant content from error messages
- `NewManagedIdentityCredential` now returns an error when a user-assigned identity is specified on a platform whose managed identity API doesn't support that. `ManagedIdentityCredential.GetToken()` formerly logged a warning in these cases. Returning an error instead prevents the credential from authenticating as an identity other than the one requested, which could cause a client to act with unexpected privileges. The affected platforms are:
  - Azure Arc
  - Azure ML (when a resource ID is specified; client IDs are supported)
  - Cloud Shell
  - Service Fabric
- If `DefaultAzureCredential` receives a non-JSON response when probing IMDS before attempting to authenticate a managed identity, it continues to the next credential in the chain instead of immediately returning an error.
- Restored persistent token caching feature

These changes affect only code written against a beta version such as v1.7.0-beta.1

- Redesigned the persistent caching API. Encryption is now required in all cases and persistent cache construction is separate from credential construction. The `PersistentUserAuthentication` example in the package docs has been updated to demonstrate the new API.
- `AzurePipelinesCredential` authenticates an Azure Pipelines service connection with workload identity federation

These changes affect only code written against a beta version such as v1.7.0-beta.1

- Removed the persistent token caching API. It will return in v1.8.0-beta.1
- Restored `AzurePipelinesCredential` and persistent token caching API

These changes affect only code written against a beta version such as v1.6.0-beta.4

- Values which `NewAzurePipelinesCredential` read from environment variables in prior versions are now parameters
- Renamed `AzurePipelinesServiceConnectionCredentialOptions` to `AzurePipelinesCredentialOptions`
- Managed identity bug fixes
- `NewOnBehalfOfCredentialWithClientAssertions` creates an on-behalf-of credential that authenticates with client assertions such as federated credentials

These changes affect only code written against a beta version such as v1.6.0-beta.4

- Removed `AzurePipelinesCredential` and the persistent token caching API. They will return in v1.7.0-beta.1
- Managed identity bug fixes
- `AzurePipelinesCredential` authenticates an Azure Pipelines service connection with workload identity federation
- `DefaultAzureCredential` now sends a probe request with no retries for IMDS managed identity environments to avoid excessive retry delays when the IMDS endpoint is not available. This should improve credential chain resolution for local development scenarios.
- `ManagedIdentityCredential` now specifies resource IDs correctly for Azure Container Instances
- Restored v1.4.0 error behavior for empty tenant IDs
- Upgraded dependencies

These changes affect only code written against a beta version such as v1.6.0-beta.1

- Replaced `ErrAuthenticationRequired` with `AuthenticationRequiredError`, a struct type that carries the `TokenRequestOptions` passed to the `GetToken` call which returned the error.
- Fixed more cases in which credential chains like `DefaultAzureCredential` should try their next credential after attempting managed identity authentication in a Docker Desktop container
- `AzureCLICredential` uses the CLI's `expires_on` value for token expiration
- Restored persistent token caching API first added in v1.5.0-beta.1
- Added `AzureCLICredentialOptions.Subscription`
- `InteractiveBrowserCredential` handles `AdditionallyAllowedTenants` correctly

These changes affect only code written against a beta version such as v1.5.0-beta.1

- Removed persistent token caching. It will return in v1.6.0-beta.1
- Credentials now preserve MSAL headers e.g. X-Client-Sku
- Upgraded dependencies
- `DefaultAzureCredential` and `ManagedIdentityCredential` support Azure ML managed identity
- Added spans for distributed tracing.
- Optional persistent token caching for most credentials. Set `TokenCachePersistenceOptions` on a credential's options to enable and configure this. See the package documentation for this version and TOKEN_CACHING.md for more details.
- `AzureDeveloperCLICredential` authenticates with the Azure Developer CLI (`azd`). This credential is also part of the `DefaultAzureCredential` authentication flow.
- `ManagedIdentityCredential` will now retry when IMDS responds 410 or 503
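The IMDS behaviours these entries describe, in one self-contained sketch: a probe sent once with no retries, a non-JSON probe response meaning "no managed identity here" so a chain can move on, retries only on 410 and 503, and the scope-to-resource conversion mentioned in the early entries further down. This is an added example, not azidentity's code: the type and function names are invented, the endpoint is an `httptest` stand-in for 169.254.169.254, and the probe design (omit the `Metadata` header and expect a JSON 400 back, with a one-second cap) is an assumption about how such a probe tells a real IMDS from a proxy or placeholder.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"strings"
	"time"
)

const imdsAPIVersion = "2018-02-01"

// ErrIMDSUnavailable plays the role of CredentialUnavailableError: try the next credential.
var ErrIMDSUnavailable = errors.New("IMDS unavailable")

// scopeToResource turns "https://vault.azure.net/.default" into the resource URI IMDS expects.
func scopeToResource(scope string) string { return strings.TrimSuffix(scope, "/.default") }

type IMDSClient struct {
	Endpoint string // e.g. http://169.254.169.254/metadata/identity/oauth2/token
	HTTP     *http.Client
}

// Probe sends one request, with no retries and without the Metadata header. A real
// IMDS rejects it with a JSON error body; a proxy or Docker Desktop's placeholder
// answers with HTML or not at all, which means "no managed identity here"
// (assumed probe design, see lead-in; the one-second cap is also an assumption).
func (c *IMDSClient) Probe(ctx context.Context) error {
	ctx, cancel := context.WithTimeout(ctx, time.Second)
	defer cancel()
	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, c.Endpoint+"?api-version="+imdsAPIVersion, nil)
	resp, err :=c.HTTP.Do(req)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrIMDSUnavailable, err)
	}
	defer resp.Body.Close()
	if body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096)); !json.Valid(body) {
		return fmt.Errorf("%w: non-JSON response (HTTP %d)", ErrIMDSUnavailable, resp.StatusCode)
	}
	return nil
}

type imdsTokenResponse struct {
	AccessToken string          `json:"access_token"`
	ExpiresOn   json.RawMessage `json:"expires_on"` // IMDS sends a quoted epoch string
}

// GetToken requests a token for scope, retrying with a short backoff only on 410
// and 503; any other failure is returned immediately.
func (c *IMDSClient) GetToken(ctx context.Context, scope string, maxAttempts int) (string, time.Time, error) {
	u := fmt.Sprintf("%s?api-version=%s&resource=%s", c.Endpoint, imdsAPIVersion, url.QueryEscape(scopeToResource(scope)))
	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, u, nil)
	req.Header.Set("Metadata", "true")
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		resp, err := c.HTTP.Do(req)
		if err != nil {
			return "", time.Time{}, err
		}
		body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
		resp.Body.Close()
		switch resp.StatusCode {
		case http.StatusOK:
			var tr imdsTokenResponse
			if err := json.Unmarshal(body, &tr); err != nil {
				return "", time.Time{}, err
			}
			secs, err := strconv.ParseInt(strings.Trim(string(tr.ExpiresOn), `"`), 10, 64)
			if err != nil {
				return "", time.Time{}, fmt.Errorf("bad expires_on %s: %w", tr.ExpiresOn, err)
			}
			return tr.AccessToken, time.Unix(secs, 0).UTC(), nil
		case http.StatusGone, http.StatusServiceUnavailable:
			time.Sleep(time.Duration(attempt) * 20 * time.Millisecond) // transient: back off, retry
		default:
			return "", time.Time{}, fmt.Errorf("IMDS returned HTTP %d: %s", resp.StatusCode, body)
		}
	}
	return "", time.Time{}, fmt.Errorf("IMDS still unavailable after %d attempts", maxAttempts)
}

// newFakeIMDS is a constructed stand-in for 169.254.169.254: JSON 400 for a
// Metadata-less probe, 503 for the first `transient` token requests, then a token
// with a string expires_on. The returned counter records token requests.
func newFakeIMDS(transient int) (*httptest.Server, *int) {
	calls := 0
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.Header.Get("Metadata") != "true" {
			w.WriteHeader(http.StatusBadRequest)
			fmt.Fprint(w, `{"error":"invalid_request","error_description":"Required metadata header not specified"}`)
			return
		}
		if calls++; calls <= transient {
			w.WriteHeader(http.StatusServiceUnavailable)
			return
		}
		fmt.Fprintf(w, `{"access_token":"constructed-token","expires_on":"1700000000","resource":%q,"token_type":"Bearer"}`, r.URL.Query().Get("resource"))
	}))
	return srv, &calls
}

func main() {
	srv, calls := newFakeIMDS(2)
	defer srv.Close()
	c := &IMDSClient{Endpoint: srv.URL + "/metadata/identity/oauth2/token", HTTP: srv.Client()}
	fmt.Println("probe:", c.Probe(context.Background()))
	tok, exp, err := c.GetToken(context.Background(), "https://management.azure.com/.default", 4)
	fmt.Println(tok, exp, err, "token requests:", *calls)
}
```

Point a second `IMDSClient` at a server that answers with HTML (as a Docker Desktop placeholder or captive portal does) and `Probe` returns an error wrapping `ErrIMDSUnavailable` rather than a hard failure, which is the signal a chain needs to keep going.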
- Service principal credentials can request CAE tokens

These changes affect only code written against a beta version such as v1.4.0-beta.4

- Whether `GetToken` requests a CAE token is now determined by `TokenRequestOptions.EnableCAE`. Azure SDK clients which support CAE will set this option automatically. Credentials no longer request CAE tokens by default or observe the environment variable "AZURE_IDENTITY_DISABLE_CP1".
- Credential chains such as `DefaultAzureCredential` now try their next credential, if any, when managed identity authentication fails in a Docker Desktop container (#21417)
- Upgraded dependencies
- One invocation of `AzureCLICredential.GetToken()` and `OnBehalfOfCredential.GetToken()` can no longer make two authentication attempts
- `DefaultAzureCredentialOptions.TenantID` applies to workload identity authentication
- Upgraded dependencies
- Re-enabled CAE support as in v1.3.0-beta.3

These changes affect only code written against a beta version such as v1.3.0-beta.5

- Renamed `NewOnBehalfOfCredentialFromCertificate` to `NewOnBehalfOfCredentialWithCertificate`
- Renamed `NewOnBehalfOfCredentialFromSecret` to `NewOnBehalfOfCredentialWithSecret`
- Upgraded to MSAL v1.0.0

These changes affect only code written against a beta version such as v1.3.0-beta.4

- Moved `NewWorkloadIdentityCredential()` parameters into `WorkloadIdentityCredentialOptions`. The constructor now reads default configuration from environment variables set by the Azure workload identity webhook by default. (#20478)
- Removed CAE support. It will return in v1.4.0-beta.1 (#20479)
- Fixed an issue in `DefaultAzureCredential` that could cause the managed identity endpoint check to fail in rare circumstances.
- Added `WorkloadIdentityCredentialOptions.AdditionallyAllowedTenants` and `.DisableInstanceDiscovery`
- Credentials now synchronize within `GetToken()` so a single instance can be shared among goroutines (#20044)
- Upgraded dependencies
- By default, credentials set client capability "CP1" to enable support for Continuous Access Evaluation (CAE). This indicates to Microsoft Entra ID that your application can handle CAE claims challenges. You can disable this behavior by setting the environment variable "AZURE_IDENTITY_DISABLE_CP1" to "true".
- `InteractiveBrowserCredentialOptions.LoginHint` enables pre-populating the login prompt with a username (#15599)
- Service principal and user credentials support ADFS authentication on Azure Stack. Specify "adfs" as the credential's tenant.
- Applications running in private or disconnected clouds can prevent credentials from requesting Microsoft Entra instance metadata by setting the `DisableInstanceDiscovery` field on credential options.
- Many credentials can now be configured to authenticate in multiple tenants. The options types for these credentials have an `AdditionallyAllowedTenants` field that specifies additional tenants in which the credential may authenticate.
- Added `OnBehalfOfCredential` to support the on-behalf-of flow (#16642)
- `AzureCLICredential` reports token expiration in local time (should be UTC)
- `AzureCLICredential` imposes its default timeout only when the `Context` passed to `GetToken()` has no deadline
- Added `NewCredentialUnavailableError()`. This function constructs an error indicating a credential can't authenticate and an encompassing `ChainedTokenCredential` should try its next credential, if any.
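The two `AzureCLICredential` entries above (expiry read in local time where UTC was needed, and a default timeout that must not override a caller's deadline), together with the later entry that switches to the CLI's `expires_on` value, as an added Go example that is not the library's code. The `az account get-access-token` output below is constructed, not captured; the field names `accessToken`, `expiresOn` and `expires_on` are the CLI's, while the helper names, the UTC-5 host zone and the ten-second default are assumptions made for the example.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// cliTokenOutput holds the `az account get-access-token` fields that matter
// here. expiresOn is a local-time string with no zone; newer CLI versions also
// emit expires_on, a Unix timestamp in seconds, which is unambiguous.
type cliTokenOutput struct {
	AccessToken   string          `json:"accessToken"`
	ExpiresOn     string          `json:"expiresOn"`
	ExpiresOnUnix json.RawMessage `json:"expires_on"` // absent on older CLIs
}

// ParseCLIToken returns the token and its expiry in UTC. It prefers expires_on
// and falls back to expiresOn interpreted in cliZone, the zone of the host that
// ran az. Parsing expiresOn as if it were UTC is the bug noted above: the expiry
// would be off by the host's UTC offset.
func ParseCLIToken(raw []byte, cliZone *time.Location) (string, time.Time, error) {
	var out cliTokenOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return "", time.Time{}, fmt.Errorf("az output is not JSON: %w", err)
	}
	if out.AccessToken == "" {
		return "", time.Time{}, fmt.Errorf("az output has no accessToken")
	}
	if s := strings.Trim(string(out.ExpiresOnUnix), `"`); s != "" && s != "null" {
		secs, err := strconv.ParseInt(s, 10, 64)
		if err != nil {
			return "", time.Time{}, fmt.Errorf("expires_on %q: %w", s, err)
		}
		return out.AccessToken, time.Unix(secs, 0).UTC(), nil
	}
	// Go accepts fractional seconds on input even though the layout omits them.
	t, err := time.ParseInLocation("2006-01-02 15:04:05", out.ExpiresOn, cliZone)
	if err != nil {
		return "", time.Time{}, fmt.Errorf("expiresOn %q: %w", out.ExpiresOn, err)
	}
	return out.AccessToken, t.UTC(), nil
}

// WithDefaultTimeout adds a deadline only when ctx has none, so a caller that
// already chose a tighter or looser deadline is never overridden.
func WithDefaultTimeout(ctx context.Context, d time.Duration) (context.Context, context.CancelFunc) {
	if _, ok := ctx.Deadline(); ok {
		return ctx, func() {}
	}
	return context.WithTimeout(ctx, d)
}

// Constructed sample outputs: the token is a placeholder, not captured from a
// real CLI. expires_on here equals expiresOn read in a UTC-5 zone.
const (
	newCLIOutput = `{"accessToken":"eyJ0.constructed","expiresOn":"2024-03-10 12:00:00.000000","expires_on":1710090000,"tokenType":"Bearer"}`
	oldCLIOutput = `{"accessToken":"eyJ0.constructed","expiresOn":"2024-03-10 12:00:00.000000","tokenType":"Bearer"}`
)

func main() {
	hostZone := time.FixedZone("UTC-5", -5*3600) // assume az ran on a host in this zone
	for _, raw := range []string{newCLIOutput, oldCLIOutput} {
		_, exp, err := ParseCLIToken([]byte(raw), hostZone)
		fmt.Println(exp, err)
	}
	ctx, cancel := WithDefaultTimeout(context.Background(), 10*time.Second) // assumed default
	defer cancel()
	dl, _ := ctx.Deadline()
	fmt.Println("deadline in", time.Until(dl).Round(time.Second))
}
```

Both sample outputs resolve to the same instant (2024-03-10 17:00:00 UTC); feeding the older output through with `time.UTC` as the host zone instead yields an expiry five hours early, which is the class of error the fix above removed.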
- `WorkloadIdentityCredential` and `DefaultAzureCredential` support Workload Identity Federation on Kubernetes. `DefaultAzureCredential` support requires environment variable configuration as set by the Workload Identity webhook. (#15615)
- This version includes all fixes and features from 1.2.0-beta.*
- `ManagedIdentityCredential` caches tokens in memory
- `ClientCertificateCredential` sends only the leaf cert for SNI authentication
- Added `ClientAssertionCredential` to enable applications to authenticate with custom client assertions
- Updated `AuthenticationFailedError` with links to TROUBLESHOOTING.md for relevant errors
- Upgraded `microsoft-authentication-library-for-go` requirement to v0.6.0
- `EnvironmentCredential` reads certificate passwords from `AZURE_CLIENT_CERTIFICATE_PASSWORD` (#17099)
- `ClientCertificateCredential` and `ClientSecretCredential` support ESTS-R. First-party applications can set environment variable `AZURE_REGIONAL_AUTHORITY_NAME` with a region name. (#15605)
- Upgrade `microsoft-authentication-library-for-go` requirement to v0.5.1 (#18176)
- `DefaultAzureCredential` reads environment variable `AZURE_CLIENT_ID` for the client ID of a user-assigned managed identity (#17293)
- Removed `AuthorizationCodeCredential`. Use `InteractiveBrowserCredential` instead to authenticate a user with the authorization code flow.
- Instances of `AuthenticationFailedError` are now returned by pointer.
- `GetToken()` returns `azcore.AccessToken` by value
- `AzureCLICredential` panics after receiving an unexpected error type (#17490)
- `GetToken()` returns an error when the caller specifies no scope
- Updated to the latest versions of `golang.org/x/crypto`, `azcore` and `internal`
- This module now requires Go 1.18
- Removed `AuthorityHost`. Credentials are now configured for sovereign or private clouds with the API in `azcore/cloud`, for example:
  ```go
  // before
  opts := azidentity.ClientSecretCredentialOptions{AuthorityHost: azidentity.AzureGovernment}
  cred, err := azidentity.NewClientSecretCredential(tenantID, clientID, secret, &opts)

  // after
  import "github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"

  opts := azidentity.ClientSecretCredentialOptions{}
  opts.Cloud = cloud.AzureGovernment
  cred, err := azidentity.NewClientSecretCredential(tenantID, clientID, secret, &opts)
  ```
- Prevented a data race in `DefaultAzureCredential` and `ChainedTokenCredential` (#17144)
- Upgraded App Service managed identity version from 2017-09-01 to 2019-08-01 (#17086)
- `EnvironmentCredential` supports certificate SNI authentication when `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN` is "true". (#16851)
- `ManagedIdentityCredential.GetToken()` now returns an error when configured for a user assigned identity in Azure Cloud Shell (which doesn't support such identities) (#16946)
- `NewDefaultAzureCredential()` logs non-fatal errors. These errors are also included in the error returned by `DefaultAzureCredential.GetToken()` when it's unable to acquire a token from any source. (#15923)
- Replaced `AuthenticationFailedError.RawResponse()` with a field having the same name
- Unexported `CredentialUnavailableError`
- Instances of `ChainedTokenCredential` will now skip looping through the list of source credentials and re-use the first successful credential on subsequent calls to `GetToken`.
- If `ChainedTokenCredentialOptions.RetrySources` is true, `ChainedTokenCredential` will continue to try all of the originally provided credentials each time the `GetToken` method is called. `ChainedTokenCredential.successfulCredential` will contain a reference to the last successful credential.
- `DefaultAzureCredential` will also re-use the first successful credential on subsequent calls to `GetToken`. `DefaultAzureCredential.chain.successfulCredential` will also contain a reference to the last successful credential.
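A minimal chained credential with the semantics the entries above describe: the first credential that succeeds is reused on later calls unless `RetrySources` is set; an "unavailable" error (the `NewCredentialUnavailableError()` case, and what `ManagedIdentityCredential` returns when IMDS has no assigned identity) means "try the next one"; any other error stops the chain so that a failure with one identity is never papered over by silently switching to another. This is an added Go example, not azidentity's implementation: `AccessToken`, `TokenCredential` and `fakeCredential` are stand-ins defined here so it compiles without the SDK.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// AccessToken and TokenCredential are hypothetical stand-ins for azcore's types.
type AccessToken struct {
	Token     string
	ExpiresOn time.Time
}

type TokenCredential interface {
	GetToken(ctx context.Context, scopes []string) (AccessToken, error)
}

// credentialUnavailableError means "this credential cannot authenticate in this
// environment; try the next one". Any other error means the credential was
// applicable but failed, so the chain must stop rather than fall through.
type credentialUnavailableError struct{ msg string }

func (e *credentialUnavailableError) Error() string { return e.msg }

func NewCredentialUnavailableError(msg string) error {
	return &credentialUnavailableError{msg: msg}
}

func IsCredentialUnavailable(err error) bool {
	var cu *credentialUnavailableError
	return errors.As(err, &cu)
}

type ChainedTokenCredentialOptions struct {
	RetrySources bool // walk the whole list on every call instead of reusing the first success
}

type ChainedTokenCredential struct {
	sources      []TokenCredential
	retrySources bool
	mu           sync.Mutex
	successful   TokenCredential // first credential that returned a token
}

func NewChainedTokenCredential(sources []TokenCredential, opts *ChainedTokenCredentialOptions) (*ChainedTokenCredential, error) {
	if len(sources) == 0 {
		return nil, errors.New("sources must contain at least one TokenCredential")
	}
	c := &ChainedTokenCredential{sources: sources}
	if opts != nil {
		c.retrySources = opts.RetrySources
	}
	return c, nil
}

func (c *ChainedTokenCredential) GetToken(ctx context.Context, scopes []string) (AccessToken, error) {
	c.mu.Lock()
	cached := c.successful
	c.mu.Unlock()
	if cached != nil && !c.retrySources {
		return cached.GetToken(ctx, scopes)
	}
	var skipped []string
	for _, src := range c.sources {
		tk, err := src.GetToken(ctx, scopes)
		if err == nil {
			c.mu.Lock()
			c.successful = src
			c.mu.Unlock()
			return tk, nil
		}
		if !IsCredentialUnavailable(err) {
			// A genuine authentication failure: report it instead of trying a
			// different identity that may carry different privileges.
			return AccessToken{}, fmt.Errorf("chained credential: %w", err)
		}
		skipped = append(skipped, err.Error())
	}
	return AccessToken{}, NewCredentialUnavailableError(fmt.Sprintf("no credential could authenticate: %v", skipped))
}

// fakeCredential is a constructed stand-in that counts calls and returns a fixed
// error (nil for success) so the chain's behaviour can be observed.
type fakeCredential struct {
	name  string
	calls int
	err   error
}

func (f *fakeCredential) GetToken(context.Context, []string) (AccessToken, error) {
	f.calls++
	if f.err != nil {
		return AccessToken{}, f.err
	}
	return AccessToken{Token: f.name + "-token", ExpiresOn: time.Now().Add(time.Hour)}, nil
}

func main() {
	imds := &fakeCredential{name: "imds", err: NewCredentialUnavailableError("no IMDS endpoint")}
	cli := &fakeCredential{name: "cli"}
	chain, _ := NewChainedTokenCredential([]TokenCredential{imds, cli}, nil)
	for i := 0; i < 3; i++ {
		tk, err := chain.GetToken(context.Background(), []string{"https://management.azure.com/.default"})
		fmt.Println(tk.Token, err)
	}
	fmt.Printf("imds called %d time(s), cli called %d time(s)\n", imds.calls, cli.calls)
}
```

With the default options the unavailable credential is consulted once and the successful one three times; with `RetrySources: true` both are consulted on every call. A credential that fails with anything other than an unavailable error ends the call with that error and the later credentials are never tried.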
- `ManagedIdentityCredential` no longer probes IMDS before requesting a token from it. Also, an error response from IMDS no longer disables a credential instance. Following an error, a credential instance will continue to send requests to IMDS as necessary.
- Adopted MSAL for user and service principal authentication
- Updated `azcore` requirement to 0.21.0
- Raised minimum go version to 1.16
- Removed `NewAuthenticationPolicy()` from credentials. Clients should instead use azcore's `runtime.NewBearerTokenPolicy()` to construct a bearer token authorization policy.
- The `AuthorityHost` field in credential options structs is now a custom type, `AuthorityHost`, with underlying type `string`
- `NewChainedTokenCredential` has a new signature to accommodate a placeholder options struct:
  ```go
  // before
  cred, err := NewChainedTokenCredential(credA, credB)
  // after
  cred, err := NewChainedTokenCredential([]azcore.TokenCredential{credA, credB}, nil)
  ```
- Removed `ExcludeAzureCLICredential`, `ExcludeEnvironmentCredential`, and `ExcludeMSICredential` from `DefaultAzureCredentialOptions`
- `NewClientCertificateCredential` requires a `[]*x509.Certificate` and `crypto.PrivateKey` instead of a path to a certificate file. Added `ParseCertificates` to simplify getting these in common cases:
  ```go
  // before
  cred, err := NewClientCertificateCredential("tenant", "client-id", "/cert.pem", nil)
  // after
  certData, err := os.ReadFile("/cert.pem")
  certs, key, err := ParseCertificates(certData, password)
  cred, err := NewClientCertificateCredential(tenantID, clientID, certs, key, nil)
  ```
- Removed `InteractiveBrowserCredentialOptions.ClientSecret` and `.Port`
- Removed `AADAuthenticationFailedError`
- Removed `id` parameter of `NewManagedIdentityCredential()`. User assigned identities are now specified by `ManagedIdentityCredentialOptions.ID`:
  ```go
  // before
  cred, err := NewManagedIdentityCredential("client-id", nil)
  // or, for a resource ID
  opts := &ManagedIdentityCredentialOptions{ID: ResourceID}
  cred, err := NewManagedIdentityCredential("/subscriptions/...", opts)

  // after
  clientID := ClientID("7cf7db0d-...")
  opts := &ManagedIdentityCredentialOptions{ID: clientID}
  // or, for a resource ID
  resID := ResourceID("/subscriptions/...")
  opts := &ManagedIdentityCredentialOptions{ID: resID}
  cred, err := NewManagedIdentityCredential(opts)
  ```
- `DeviceCodeCredentialOptions.UserPrompt` has a new type: `func(context.Context, DeviceCodeMessage) error`
- Credential options structs now embed `azcore.ClientOptions`. In addition to changing literal initialization syntax, this change renames `HTTPClient` fields to `Transport`.
- Renamed `LogCredential` to `EventCredential`
- `AzureCLICredential` no longer reads the environment variable `AZURE_CLI_PATH`
- `NewManagedIdentityCredential` no longer reads environment variables `AZURE_CLIENT_ID` and `AZURE_RESOURCE_ID`. Use `ManagedIdentityCredentialOptions.ID` instead.
- Unexported `AuthenticationFailedError` and `CredentialUnavailableError` structs. In their place are two interfaces having the same names.
- `AzureCLICredential.GetToken` no longer mutates its `opts.Scopes`
- Added connection configuration options to `DefaultAzureCredentialOptions`
- `AuthenticationFailedError.RawResponse()` returns the HTTP response motivating the error, if available
- `NewDefaultAzureCredential()` returns `*DefaultAzureCredential` instead of `*ChainedTokenCredential`
- Added `TenantID` field to `DefaultAzureCredentialOptions` and `AzureCLICredentialOptions`
- Unexported `AzureCLICredentialOptions.TokenProvider` and its type, `AzureCLITokenProvider`
- `ManagedIdentityCredential.GetToken` returns `CredentialUnavailableError` when IMDS has no assigned identity, signaling `DefaultAzureCredential` to try other credentials
- Update based on `azcore` refactor #15383
- `ManagedIdentityCredential.GetToken` no longer mutates its `opts.Scopes`
- Bumps version of `azcore` to `v0.18.1`
- Adding support for Service Fabric environment in `ManagedIdentityCredential`
- Adding an option for using a resource ID instead of client ID in `ManagedIdentityCredential`
- Add LICENSE.txt and bump version information
- Add support for authenticating in Azure Stack environments
- Enable user assigned identities for the IMDS scenario in `ManagedIdentityCredential`
- Add scope to resource conversion in `GetToken()` on `ManagedIdentityCredential`
- Updating documentation
- Adding port option to `InteractiveBrowserCredential`
- Add `redirectURI` parameter back to authentication code flow
- Updating query parameter in `ManagedIdentityCredential` and updating datetime string for parsing managed identity access tokens.
- Remove `RedirectURL` parameter from auth code flow to align with the MSAL implementation which relies on the native client redirect URL.
- Flattening credential options
- Adding Azure Arc support in `ManagedIdentityCredential`
- Typo fixes
- Ensure authority hosts are only HTTPS
- Adding options structs for credentials
- Update `DeviceCodeCredential` callback
- Add `AuthorizationCodeCredential`
- Add `InteractiveBrowserCredential`
- Refactor `azidentity` on top of `azcore` refactor
- Updated policies to conform to `policy.Policy` interface changes.
- Updated non-retriable errors to conform to `azcore.NonRetriableError`.
- Fixed calls to `Request.SetBody()` to include content type.
- Switched endpoints to string types and removed extra parsing code.
- Add `AzureCLICredential` to `DefaultAzureCredential` chain
- Initial Release. Azure Identity library that provides Microsoft Entra token authentication support for the SDK.