How to use ESTS-R support in code

Abhidnya edited this page Apr 26, 2022 · 2 revisions

Enabling ESTS Regional support

As of May 2021, regional service is only available for AcquireTokenByCredential() calls made in any of the following scenarios:

  1. An app with managed identity, formerly known as MSI. (However, MSAL Go does not support managed identity, so this one does not apply.)
  2. An app authenticated by Subject Name/Issuer (SNI). This can be enabled using confidential.WithX5C() on application initialization.
  3. An app that is already onboarded to the region's allow-list.

MSAL's default value is None, which means region behavior remains off. If enabled, the relevant traffic remains inside that region. An app developer can opt in to a regional endpoint by providing its region name, such as "westus" or "eastus2". You can find a full list of regions by running az account list-locations -o table, or by referring to this doc. An app running inside Azure Functions and Azure VMs can use the special keyword confidential.AutoDetectRegion() to auto-detect the region.

Specify region

// Opt in to a named regional endpoint when creating the client.
app, err := confidential.New("your_client_id", credential,
		confidential.WithAuthority("your_authority"),
		confidential.WithAzureRegion("your_region"))
if err != nil {
	log.Fatal(err)
}
result, err := app.AcquireTokenByCredential(context.Background(), []string{"your_scope"})
if err != nil {
	log.Fatal(err)
}

Auto detect region

app, err := confidential.New("your_client_id", credential,
		confidential.WithAuthority("your_authority"),
		confidential.WithAzureRegion(confidential.AutoDetectRegion()))
if err != nil {
	log.Fatal(err)
}
result, err := app.AcquireTokenByCredential(context.Background(), []string{"your_scope"})
if err != nil {
	log.Fatal(err)
}
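
The region usually comes from deployment configuration, and it decides which endpoint receives the token request, so it is worth rejecting malformed values at startup. The following is an added example, not code from this wiki or from MSAL Go: ResolveRegion, RegionMode, the "auto" keyword and the APP_AZURE_REGION setting are hypothetical names, and the region-name pattern is an assumption based on the "westus" and "eastus2" examples above.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// RegionMode tells the caller which MSAL option to apply (hypothetical type).
type RegionMode int

const (
	RegionOff   RegionMode = iota // omit WithAzureRegion: region behavior stays off
	RegionAuto                    // confidential.WithAzureRegion(confidential.AutoDetectRegion())
	RegionFixed                   // confidential.WithAzureRegion(name)
)

// Assumption: region names look like the page's "westus" and "eastus2",
// i.e. a lowercase letter followed by lowercase letters or digits.
var regionName = regexp.MustCompile(`^[a-z][a-z0-9]{1,31}$`)

// ResolveRegion maps a raw configuration value to a mode and a region name.
// "" means off and "auto" means auto-detect (both conventions are assumptions
// of this example); anything else must be a well-formed region name.
func ResolveRegion(raw string) (RegionMode, string, error) {
	v := strings.ToLower(strings.TrimSpace(raw))
	switch {
	case v == "":
		return RegionOff, "", nil
	case v == "auto":
		return RegionAuto, "", nil
	case regionName.MatchString(v):
		return RegionFixed, v, nil
	}
	// Display names such as "West US" and stray punctuation end up here.
	return RegionOff, "", fmt.Errorf("invalid region %q: use a name such as \"westus\"", raw)
}

func main() {
	// APP_AZURE_REGION is a hypothetical setting name, not an MSAL variable.
	mode, name, err := ResolveRegion(os.Getenv("APP_AZURE_REGION"))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("mode=%d region=%q\n", mode, name)
}
```

Switch on the returned mode to decide whether to append confidential.WithAzureRegion to the options passed to confidential.New.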