- No longer statically accessing environment variables. #32781
- Use `ThreadLocalRandom` instead of `Random` to better enable static compilation. #32744
- Upgraded `azure-core` from `1.34.0` to version `1.35.0`.
- Fixed MSI token `expires_in` parsing issue.
- Added user-agent header to Identity requests
- Upgraded `azure-core` from `1.33.0` to version `1.34.0`.
- Upgraded `msal4j` from `1.13.2` to `1.13.3`
- `GetTokenSync` method implementation/support in Token Credentials.
- Read `AZURE_REGIONAL_AUTHORITY_NAME` from the environment to specify region for client credential types.
- Upgraded `msal4j` from `1.13.1` to `1.13.2`
- Upgraded `azure-core` from `1.32.0` to version `1.33.0`.
- Upgraded `azure-core-http-netty` from `1.12.5` to version `1.12.6`.
- `EnvironmentCredential` will read the environment variable `AZURE_CLIENT_CERTIFICATE_PASSWORD` for a `pem`/`pfx` certificate specified by `AZURE_CLIENT_CERTIFICATE_PATH`.
- Added support for in-memory token caching in `ManagedIdentityCredential`.
- Removed `VisualStudioCodeCredential` from `DefaultAzureCredential` token chain. Issue 27364 tracks this.
- Added `additionallyAllowedTenants` to the following credential builders to force explicit opt-in behavior for multi-tenant authentication:
  - `AuthorizationCodeCredentialBuilder`
  - `AzureCliCredentialBuilder`
  - `AzurePowerShellCredentialBuilder`
  - `ClientAssertionCredentialBuilder`
  - `ClientCertificateCredentialBuilder`
  - `ClientSecretCredentialBuilder`
  - `DefaultAzureCredentialBuilder`
  - `OnBehalfOfCredentialBuilder`
  - `UsernamePasswordCredentialBuilder`
  - `VisualStudioCodeCredentialBuilder`
  - `VisualStudioCredentialBuilder`
- Credential types supporting multi-tenant authentication will now throw `ClientAuthenticationException` if the requested tenant ID doesn't match the credential's tenant ID, and is not included in the `additionallyAllowedTenants` option. Applications must now explicitly add additional tenants to the `additionallyAllowedTenants` list, or add '*' to the list, to enable acquiring tokens from tenants other than the originally specified tenant ID. See BREAKING_CHANGES.md.
- These beta features in version `1.6.0-beta.1` have been removed from this release and will be added back in version `1.7.0-beta.1`:
  - removed `VisualStudioCodeCredential` from `DefaultAzureCredential` token chain
  - `AZURE_CLIENT_CERTIFICATE_PASSWORD` support for `EnvironmentCredential`
  - in-memory token caching support for `ManagedIdentityCredential`.
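
The tenant check described in the multi-tenant breaking change above can be modelled as follows. This is an added illustration in plain Java, not code from azure-identity; the class `TenantResolutionDemo`, the method `resolveTenant`, the tenant ID strings, exact-match comparison and the use of `IllegalStateException` in place of `ClientAuthenticationException` are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Illustrative model of the tenant check; names are hypothetical and this
// is not the azure-identity implementation.
public class TenantResolutionDemo {

    /** Returns the tenant to authenticate against, or throws if it is not allowed. */
    static String resolveTenant(String configuredTenant, String requestedTenant,
                                Set<String> additionallyAllowedTenants) {
        // No tenant in the request, or the credential's own tenant: nothing to check.
        if (requestedTenant == null || requestedTenant.isEmpty()
                || requestedTenant.equals(configuredTenant)) {
            return configuredTenant;
        }
        // '*' opts in to every tenant; otherwise the tenant must be listed
        // explicitly (exact string match is an assumption of this example).
        boolean allowed = additionallyAllowedTenants.contains("*")
                || additionallyAllowedTenants.contains(requestedTenant);
        if (!allowed) {
            // The library throws ClientAuthenticationException at this point;
            // a standard exception keeps the example dependency-free.
            throw new IllegalStateException("Tenant " + requestedTenant
                    + " is not the configured tenant and is not in additionallyAllowedTenants");
        }
        return requestedTenant;
    }

    public static void main(String[] args) {
        // Constructed sample tenant identifiers.
        String home = "contoso-tenant-id";
        String partner = "fabrikam-tenant-id";
        String unlisted = "unlisted-tenant-id";

        Set<String> explicit = new HashSet<>(Arrays.asList(partner));
        Set<String> wildcard = new HashSet<>(Arrays.asList("*"));

        System.out.println(resolveTenant(home, null, explicit));      // no tenant in the request
        System.out.println(resolveTenant(home, partner, explicit));   // explicitly listed tenant
        System.out.println(resolveTenant(home, unlisted, wildcard));  // wildcard opt-in
        try {
            resolveTenant(home, unlisted, explicit);                  // neither configured nor listed
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

An explicit list limits token acquisition to known tenants, while `*` accepts whatever tenant ID the request carries.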
- Upgraded `msal4j` from `1.13.0` to `1.13.1`.
- Upgraded `azure-core` from `1.31.0` to version `1.32.0`.
- Upgraded `azure-core-http-netty` from `1.12.4` to version `1.12.5`.
- Upgraded `msal4j` from `1.12.0` to `1.13.0`.
- `EnvironmentCredential` will read the environment variable `AZURE_CLIENT_CERTIFICATE_PASSWORD` for a `pem`/`pfx` certificate specified by `AZURE_CLIENT_CERTIFICATE_PATH`.
- Added support for in-memory token caching in `ManagedIdentityCredential`.
- Removed `VisualStudioCodeCredential` from `DefaultAzureCredential` token chain. Issue 27364 tracks this.
- Upgraded `msal4j` from `1.12.0` to version `1.13.0`.
- Fixes IntelliJCredential 21150
- Fixes AzureCliCredential to properly respect tenant IDs.
- Upgraded `azure-core` from `1.30.0` to version `1.31.0`.
- Upgraded `azure-core-http-netty` from `1.12.3` to version `1.12.4`.
- Upgraded `azure-core` dependency to 1.30.0
- Upgraded `azure-core` dependency to 1.29.1
- Upgraded `msal4j` dependency to 1.12.0
- Upgraded `azure-core` dependency to 1.28.0
- Removed `disableAuthorityValidationSafetyCheck` for GA, will reintroduce in next beta. This is not a breaking change from last GA.
- Replaced `identityLogOptions` setter with the `enableAccountIdentifierLogging` setter on the credential builders. This is not a breaking change from last GA.
- Upgraded `azure-core` dependency to 1.27.0
Correctly use an `AppServiceMsiCredential` in the case both `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` are set.
- Added ability to configure `IdentityLogOptions` on Credential Builders to make account Identifier logging configurable.
- Added the option `disableAuthoriyValidaionSafetyCheck` on Credential Builders.
- Upgraded `azure-core` dependency to 1.26.0
- Upgraded `azure-core` dependency to 1.26.0
- Logging level of false positive `ERROR` logs is changed to `VERBOSE`/`DEBUG` under `DefaultAzureCredential`
- Added `resourceId` to Managed Identity for Virtual Machines, App Service, and Service Bus.
- Added `ClientAssertionCredential` for client assertion based authentication flows.
- Upgraded App Service Managed Identity endpoint to `2019-08-01`.
- Upgraded `azure-core` dependency to 1.25.0
- Upgraded `azure-core` dependency to 1.24.1
- Fixes the edge case scenario when MSI Tokens return both `expires_on` and `expires_in` fields populated for `ManagedIdentityCredential`.
- Upgraded `azure-core` dependency to 1.22.0
- The `ManagedIdentityCredential` reads value of AZURE_POD_IDENTITY_TOKEN_URL environment variable from AZURE_POD_IDENTITY_AUTHORITY_HOST now.
- Added `tenantId` setter on `AzurePowerShellCredential` and `AzureCliCredential`
Note the breaking changes below don't apply if you're upgrading from a previous released stable version.
- Removed 'AzureApplicationCredential' and 'AzureApplicationCredentialBuilder'
- Removed 'regionalAuthority' setter on `ClientSecretCredentialBuilder` and `ClientCertificateCredentialBuilder`
- Removed `RegionalAuthority` enum class.
- Removed `allowMultiTenantAuthentication` method from Credential Builders. The Multi Tenant Authentication is enabled by default now.
- Upgraded `azure-core` dependency to 1.21.0
- Added support to `ManagedIdentityCredential` for Bridge to Kubernetes local development authentication.
- Added regional STS support to client credential types.
  - Added the `RegionalAuthority` type, that allows specifying Azure regions.
  - Added `regionalAuthority()` setter to `ClientSecretCredentialBuilder` and `ClientCertificateCredentialBuilder`.
  - If instead of a region, `RegionalAuthority.AutoDiscoverRegion` is specified as the value for `regionalAuthority`, MSAL will be used to attempt to discover the region.
  - A region can also be specified through the `AZURE_REGIONAL_AUTHORITY_NAME` environment variable.
- Added `loginHint()` setter to `InteractiveBrowserCredentialBuilder` which allows a username to be pre-selected for interactive logins.
- Added support to consume `TenantId` challenges from `TokenRequestContext`.
- Added support for AKS Token Exchange support in `ManagedIdentityCredential`
- Upgraded `azure-core` dependency to 1.20.0
- Upgraded `azure-core` dependency to 1.19.0
- Dropped `KeePassJava2` dependency
- Pinned `json-smart` dependency to 2.4.7
- Upgraded `azure-core` dependency to 1.18.0
- Upgraded `azure-core` dependency to 1.17.0
- Added `AzurePowerShellCredential` to support authentication using PowerShell on development platforms.
- Added support to disable CP1 capability in `TokenCredentials` via configuration of environment variable `AZURE_IDENTITY_DISABLE_CP1`
- Upgraded `azure-core` dependency to 1.16.0
- Upgraded `msal4j` dependency to 1.1.0
- Added the support to enable and configure Persistent Token Cache via `TokenCachePersistenceOptions` API on `InteractiveBrowserCredentialBuilder`, `AuthorizationCodeCredentialBuilder`, `UsernamePasswordCredentialBuilder`, `DeviceCodeCredentialBuilderBuilder`, `ClientSecretCredentialBuilder`, `ClientCertificateCredentialBuilder` and `SharedTokenCacheCredentialBuilder`.
- Added new APIs for authenticating users with `DeviceCodeCredential`, `InteractiveBrowserCredential` and `UsernamePasswordCredential`.
  - Added method `authenticate` which pro-actively interacts with the user to authenticate if necessary and returns a serializable `AuthenticationRecord`
- Added following configurable options in classes `DeviceCodeCredentialBuilder` and `InteractiveBrowserCredentialBuilder`
  - `authenticationRecord` enables initializing a credential with an `AuthenticationRecord` returned from a prior call to `Authenticate`
  - `disableAutomaticAuthentication` disables automatic user interaction causing the credential to throw an `AuthenticationRequiredException` when interactive authentication is necessary.
- Upgraded `azure-core` dependency to 1.14.0
- Upgraded `msal4j` dependency to 1.9.1
- Upgraded `msal4j-persistence-extension` to 1.1.0
- Added the support to consume claims from `TokenRequestContext` and send them as part of the authentication request.
- Upgraded `azure-core` dependency to 1.13.0
- Upgraded `msal4j` dependency to 1.8.1
- Upgraded `azure-core` dependency to 1.13.0
- Upgraded `msal4j` dependency to 1.8.1
- Upgraded `azure-core` dependency to 1.12.0
- Upgraded `azure-core` dependency to 1.11.0
- Added Azure Service Fabric Managed Identity support to `ManagedIdentityCredential`
- Added Azure Arc Managed Identity support to `ManagedIdentityCredential`
- Added support for Docker Containers in `DefaultAzureCredential`
- Prevent `VisualStudioCodeCredential` using invalid authentication data when no user is signed in to Visual Studio Code
- Upgraded `azure-core` dependency to 1.10.0
- Upgraded `msal4j` dependency to 1.8.0
- Added the methods `pfxCertificate(InputStream certificate, String clientCertificatePassword)` and `pemCertificate(InputStream certificate)` in `ClientCertificateCredentialBuilder`.
- Added `includeX5c(boolean)` method in `ClientCertificateCredentialBuilder` to enable subject name / issuer based authentication.
- Added a default `challengeConsumer` in `DeviceCodeCredentialBuilder` which prints the device code information to console. The `challengeConsumer` configuration is no longer required in `DeviceCodeCredentialBuilder`.
- Upgraded `azure-core` dependency to 1.9.0
- Upgraded `jna-platform` dependency to 5.6.0
- Upgraded `msal4j` dependency to 1.7.1
- Added `InteractiveBrowserCredentialBuilder.redirectUrl(String)` to configure the redirect URL
- Deprecated `InteractiveBrowserCredentialBuilder.port(int)`
- Added support for App Service 2019 MSI Endpoint in `ManagedIdentityCredential`
- Added Shared Token cache support for MacOS Keychain, Gnome Keyring, and plain text for other Linux environments
- Added option to write to shared token cache from `InteractiveBrowserCredential`, `AuthorizationCodeCredential`, `UsernamePasswordCredential`, `DeviceCodeCredential`, `ClientSecretCredential` and `ClientCertificateCredential`
- Added new APIs for authenticating users with `DeviceCodeCredential`, `InteractiveBrowserCredential` and `UsernamePasswordCredential`.
  - Added method `authenticate` which pro-actively interacts with the user to authenticate if necessary and returns a serializable `AuthenticationRecord`
- Added following configurable options in classes `DeviceCodeCredentialBuilder` and `InteractiveBrowserCredentialBuilder`
  - `authenticationRecord` enables initializing a credential with an `AuthenticationRecord` returned from a prior call to `Authenticate`
  - `disableAutomaticAuthentication` disables automatic user interaction causing the credential to throw an `AuthenticationRequiredException` when interactive authentication is necessary.
- Upgraded core dependency to 1.7.0
- Removed the default value of 0 for port in `InteractiveBrowserCredential`.
- Removing Application Authentication APIs for GA release. These will be reintroduced in 1.2.0-beta.1.
  - Removed class `AuthenticationRecord`
  - Removed class `AuthenticationRequiredException`
  - Removed methods `allowUnencryptedCache()` and `enablePersistentCache()` from `ClientCertificateCredentialBuilder`, `ClientSecretCredentialBuilder`, `InteractiveBrowserCredentialBuilder`, `DeviceCodeCredentialBuilder`, `UsernamePasswordCredentialBuilder` and `ClientCertificateCredentialBuilder`.
  - Removed methods `allowUnencryptedCache()` and `authenticationRecord(AuthenticationRecord)` from `SharedTokenCacheCredentialBuilder`.
  - Removed methods `authenticationRecord(AuthenticationRecord)` and `disableAutomaticAuthentication()` from `DeviceCodeCredentialBuilder` and `InteractiveBrowserCredentialBuilder`.
  - Removed methods `authenticate(TokenRequestContext)` and `authenticate()` from `DeviceCodeCredential`, `InteractiveBrowserCredential` and `UsernamePasswordCredential`.
- Added support for web apps (confidential apps) for `AuthorizationCodeCredential`. A client secret is required on the builder for web apps.
- Added support for user assigned managed identities for `DefaultAzureCredential` with `.managedIdentityClientId()`.
- Added `AzureAuthorityHosts` to access well known authority hosts.
- Added `getClientId()` method in `AuthenticationRecord`
- Removed persistent caching support from `AuthorizationCodeCredential`.
- Removed `KnownAuthorityHosts`
- Removed `getCredentials()` method in `ChainedTokenCredential` & `DefaultAzureCredential`
- Changed return type of `serialize` method in `AuthenticationRecord` to `Mono<OutputStream>`.
- Changed method signatures `enablePersistentCache(boolean)` and `allowUnencryptedCache(boolean)` on credential builders to `enablePersistentCache()` and `allowUnencryptedCache()`
- Added `.getCredentials()` method to `DefaultAzureCredential` and `ChainedTokenCredential` and added option `.addAll(Collection<? extends TokenCredential>)` on `ChainedtokenCredentialBuilder`.
- Added logging information in credentials and improved error messages in `DefaultAzureCredential`.
- Added option to write to shared token cache from `ClientSecretCredential`, `ClientCertificateCredential`.
- Added new developer credentials `IntelliJCredential`, `VsCodeCredential` and `AzureCliCredential`.
- New APIs for authenticating users with `DeviceCodeCredential`, `InteractiveBrowserCredential` and `UsernamePasswordCredential`.
  - Added method `authenticate` which pro-actively interacts with the user to authenticate if necessary and returns a serializable `AuthenticationRecord`
- Added following configurable options in classes `DeviceCodeCredentialBuilder` and `InteractiveBrowserCredentialBuilder`
  - `authenticationRecord` enables initializing a credential with an `AuthenticationRecord` returned from a prior call to `Authenticate`
  - `disableAutomaticAuthentication` disables automatic user interaction causing the credential to throw an `AuthenticationRequiredException` when interactive authentication is necessary.
- Removed support to exclude specific credentials in `DefaultAzureCredential` authentication flow.
- Added `IntelliJCredential` support in `DefaultAzureCredential`.
- Added `VsCodeCredential` support in `DefaultAzureCredential`.
- Added support to disable specific credentials in `DefaultAzureCredential` authentication flow.
- Added Shared Token cache support for MacOS Keychain, Gnome Keyring, and plain text for other Linux environments
- Added option to write to shared token cache from `InteractiveBrowserCredential`, `AuthorizationCodeCredential`, `UsernamePasswordCredential`, and `DeviceCodeCredential`
- Upgraded `azure-core` dependency to 1.5.0
- Fix `MSIToken` expiry time parsing for Azure App Service platforms.
- Added `KnownAuthorityHosts` to enable quick references to public azure authority hosts.
- Added methods to allow credential configuration in `DefaultAzureCredentialBuilder`
- Added support for authority host to be read from `AZURE_AUTHORITY_HOST` environment variable.
- Added support for `ClientCertificateCredential` and `UserNamePasswordCredential` in EnvironmentCredential.
- Upgraded `azure-core` dependency to 1.4.0
- Added 'authorityHost' set method in `DefaultAzureCredentialBuilder`
- Added `executorService` set method in all the credential builders except `ManagedIdentityCredentialBuilder`
- Added `authorityHost` set method to `DefaultAzureCredentialBuilder`
- Added `tokenRefreshOffset` set method in all the credential builders.
- Added `httpClient` set method in all the credential builders.
- Updated `DefaultAzureCredential` to enable authenticating through the Azure CLI
- Upgraded `azure-core` dependency to 1.0.4
- All credential builders support setting a pipeline via `httpPipeline` method.
- SharedTokenCacheCredentialBuilder supports setting the tenant id via `tenantId` method.
- Support datetime format `M/d/yyyy K:mm:ss a XXX` for token `expires_on` property on Windows App Services.
- Fix MSI_ENDPOINT and MSI_SECRET environment variable lookup issue in `ManagedIdentityCredential` when running on App Service
Breaking changes
- The `getToken(TokenRequest tokenRequest)` methods on all the credentials are changed to `getToken(TokenRequestContext tokenRequestContext)`.
- All credentials are moved from `com.azure.identity.credential` package to `com.azure.identity` package
- `DeviceCodeChallenge` is renamed to `DeviceCodeInfo`, with `int expiresIn()` replaced with `OffsetDateTime expiresOn()` returning the time of the device code expiration
- All methods containing `uri` are renamed to contain `url` for consistency
Known issues
- Support connecting to different clouds with `AZURE_CLOUD` environment variable (#5741)
New features
- A new credential `AuthorizationCodeCredential` is added.
- `DeviceCodeCredentialBuilder`, `InteractiveBrowserCredentialBuilder`, and `UsernamePasswordCredentialBuilder` now support single tenant apps with the `.tenantId(String)` method.
Breaking changes
The `getToken(String... scopes)` methods on all the credentials are changed to `getToken(TokenRequest tokenRequest)`.
New features
A new credential `SharedTokenCacheCredential` is added. It's currently only supported on Windows. This credential is capable of authenticating to Azure Active Directory if you are logged in to Visual Studio 2019.
Breaking changes
Credentials are now created through builders instead of setters. For example, in preview 1, a `ClientSecretCredential` can be created by

```java
ClientSecretCredential cred = new ClientSecretCredential()
    .tenantId(tenant)
    .clientId(clientId)
    .clientSecret(secret);
```

In preview 2, it needs to be created through its builder:

```java
// The chain ends with build(); no statement terminator before it.
ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
    .tenantId(tenant)
    .clientId(clientId)
    .clientSecret(secret)
    .build();
```

New features
3 new credentials are added in preview 2, including `DeviceCodeCredential`, `InteractiveBrowserCredential` and `UsernamePasswordCredential`.
`DeviceCodeCredential` is useful for IoT devices. `InteractiveBrowserCredential` and `UsernamePasswordCredential` are mainly used in developer scenarios, to log in on a developer's computer.
Deprecated or removed features
No feature was deprecated or removed.
Version 1.0.0-preview.1 is a preview of our efforts in creating an authentication API for Azure SDK client libraries that is developer-friendly, idiomatic to the Java ecosystem, and as consistent across different languages and platforms as possible. The principles that guide our efforts can be found in the Azure SDK Design Guidelines for Java.
For details on the Azure SDK for Java (July 2019 Preview) release, you can refer to the release announcement.
This release supports service principal and managed identity authentication. See the documentation for more details. User authentication will be added in an upcoming preview release.
This release supports only global Azure Active Directory tenants, i.e. those using the https://login.microsoftonline.com authentication endpoint.