feat: Add device code and Az CLI auth types to azuread (#149)

* feat:add Az CLI and device code auth
microsoft · Aug 31, 2023 · 77786ad · 77786ad
1 parent eb38425
commit 77786ad
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@
 
 ### Features
 
+* Added `ActiveDirectoryAzCli` and `ActiveDirectoryDeviceCode` authentication types to `azuread` package
 * Always Encrypted encryption and decryption with 2 hour key cache (#116)
 * 'pfx', 'MSSQL_CERTIFICATE_STORE', and 'AZURE_KEY_VAULT' encryption key providers
 

diff --git a/README.md b/README.md
@@ -217,6 +217,8 @@ The credential type is determined by the new `fedauth` connection string paramet
   * `resource id=<resource id>` - optional resource id of user-assigned managed identity.  If empty, system-assigned managed identity or user id are used (if both user id and resource id are provided, resource id will be used)
 * `fedauth=ActiveDirectoryInteractive` - authenticates using credentials acquired from an external web browser. Only suitable for use with human interaction.
   * `applicationclientid=<application id>` - This guid identifies an Azure Active Directory enterprise application that the AAD admin has approved for accessing Azure SQL database resources in the tenant. This driver does not have an associated application id of its own.
+* `fedauth=ActiveDirectoryDeviceCode` - prints a message to stdout giving the user a URL and code to authenticate. Connection continues after user completes the login separately.
+* `fedauth=ActiveDirectoryAzCli` - reuses local authentication the user already performed using Azure CLI.
 
 ```go
 

diff --git a/azuread/configuration.go b/azuread/configuration.go
@@ -30,6 +30,8 @@ const (
 	ActiveDirectoryApplication                 = "ActiveDirectoryApplication"
 	ActiveDirectoryServicePrincipal            = "ActiveDirectoryServicePrincipal"
 	ActiveDirectoryServicePrincipalAccessToken = "ActiveDirectoryServicePrincipalAccessToken"
+	ActiveDirectoryDeviceCode                  = "ActiveDirectoryDeviceCode"
+	ActiveDirectoryAzCli                       = "ActiveDirectoryAzCli"
 	scopeDefaultSuffix                         = "/.default"
 )
 
@@ -117,13 +119,12 @@ func (p *azureFedAuthConfig) validateParameters(params map[string]string) error
 		if p.certificatePath == "" && p.clientSecret == "" {
 			return errors.New("Must provide 'password' parameter when using ActiveDirectoryApplication authentication without cert/key credentials")
 		}
-	case strings.EqualFold(fedAuthWorkflow, ActiveDirectoryDefault):
+	case strings.EqualFold(fedAuthWorkflow, ActiveDirectoryDefault) || strings.EqualFold(fedAuthWorkflow, ActiveDirectoryAzCli) || strings.EqualFold(fedAuthWorkflow, ActiveDirectoryDeviceCode):
 		p.adalWorkflow = mssql.FedAuthADALWorkflowPassword
 	case strings.EqualFold(fedAuthWorkflow, ActiveDirectoryInteractive):
 		if p.applicationClientID == "" {
 			return errors.New("applicationclientid parameter is required for " + ActiveDirectoryInteractive)
 		}
-		p.adalWorkflow = mssql.FedAuthADALWorkflowPassword
 		// user is an optional login hint
 		p.user, _ = params["user id"]
 		// we don't really have a password but we need to use some value.
@@ -134,12 +135,12 @@ func (p *azureFedAuthConfig) validateParameters(params map[string]string) error
 		p.password, _ = params["password"]
 
 		if p.password == "" {
-			return errors.New("Must provide 'password' parameter when using ActiveDirectoryApplicationAuthToken authentication")
+			return errors.New("Must provide 'password' parameter when using ActiveDirectoryServicePrincipalAccessToken authentication")
 		}
 	default:
 		return fmt.Errorf("Invalid federated authentication type '%s': expected one of %+v",
 			fedAuthWorkflow,
-			[]string{ActiveDirectoryApplication, ActiveDirectoryServicePrincipal, ActiveDirectoryDefault, ActiveDirectoryIntegrated, ActiveDirectoryInteractive, ActiveDirectoryManagedIdentity, ActiveDirectoryMSI, ActiveDirectoryPassword})
+			[]string{ActiveDirectoryApplication, ActiveDirectoryServicePrincipal, ActiveDirectoryDefault, ActiveDirectoryIntegrated, ActiveDirectoryInteractive, ActiveDirectoryManagedIdentity, ActiveDirectoryMSI, ActiveDirectoryPassword, ActiveDirectoryAzCli, ActiveDirectoryDeviceCode})
 	}
 	p.fedAuthWorkflow = fedAuthWorkflow
 	return nil
@@ -206,6 +207,10 @@ func (p *azureFedAuthConfig) provideActiveDirectoryToken(ctx context.Context, se
 		config := azcore.ClientOptions{Cloud: c}
 		cred, err = azidentity.NewInteractiveBrowserCredential(&azidentity.InteractiveBrowserCredentialOptions{ClientOptions: config, ClientID: p.applicationClientID})
 
+	case ActiveDirectoryDeviceCode:
+		cred, err = azidentity.NewDeviceCodeCredential(&azidentity.DeviceCodeCredentialOptions{ClientID: p.applicationClientID})
+	case ActiveDirectoryAzCli:
+		cred, err = azidentity.NewAzureCLICredential(&azidentity.AzureCLICredentialOptions{TenantID: p.tenantID})
 	default:
 		// Integrated just uses Default until azidentity adds Windows-specific authentication
 		cred, err = azidentity.NewDefaultAzureCredential(nil)