diff --git a/CHANGELOG.md b/CHANGELOG.md index ceabdbb8..e36f4934 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ ### Features +* Added `ActiveDirectoryAzCli` and `ActiveDirectoryDeviceCode` authentication types to `azuread` package * Always Encrypted encryption and decryption with 2 hour key cache (#116) * 'pfx', 'MSSQL_CERTIFICATE_STORE', and 'AZURE_KEY_VAULT' encryption key providers diff --git a/README.md b/README.md index 5b5f363d..9360a50c 100644 --- a/README.md +++ b/README.md @@ -217,6 +217,8 @@ The credential type is determined by the new `fedauth` connection string paramet * `resource id=` - optional resource id of user-assigned managed identity. If empty, system-assigned managed identity or user id are used (if both user id and resource id are provided, resource id will be used) * `fedauth=ActiveDirectoryInteractive` - authenticates using credentials acquired from an external web browser. Only suitable for use with human interaction. * `applicationclientid=` - This guid identifies an Azure Active Directory enterprise application that the AAD admin has approved for accessing Azure SQL database resources in the tenant. This driver does not have an associated application id of its own. +* `fedauth=ActiveDirectoryDeviceCode` - prints a message to stdout giving the user a URL and code to authenticate. Connection continues after user completes the login separately. +* `fedauth=ActiveDirectoryAzCli` - reuses local authentication the user already performed using Azure CLI. ```go diff --git a/azuread/configuration.go b/azuread/configuration.go index f52cee3f..a9421d8c 100644 --- a/azuread/configuration.go +++ b/azuread/configuration.go @@ -30,6 +30,8 @@ const ( ActiveDirectoryApplication = "ActiveDirectoryApplication" ActiveDirectoryServicePrincipal = "ActiveDirectoryServicePrincipal" ActiveDirectoryServicePrincipalAccessToken = "ActiveDirectoryServicePrincipalAccessToken" + ActiveDirectoryDeviceCode = "ActiveDirectoryDeviceCode" + ActiveDirectoryAzCli = "ActiveDirectoryAzCli" scopeDefaultSuffix = "/.default" ) @@ -117,13 +119,12 @@ func (p *azureFedAuthConfig) validateParameters(params map[string]string) error if p.certificatePath == "" && p.clientSecret == "" { return errors.New("Must provide 'password' parameter when using ActiveDirectoryApplication authentication without cert/key credentials") } - case strings.EqualFold(fedAuthWorkflow, ActiveDirectoryDefault): + case strings.EqualFold(fedAuthWorkflow, ActiveDirectoryDefault) || strings.EqualFold(fedAuthWorkflow, ActiveDirectoryAzCli) || strings.EqualFold(fedAuthWorkflow, ActiveDirectoryDeviceCode): p.adalWorkflow = mssql.FedAuthADALWorkflowPassword case strings.EqualFold(fedAuthWorkflow, ActiveDirectoryInteractive): if p.applicationClientID == "" { return errors.New("applicationclientid parameter is required for " + ActiveDirectoryInteractive) } - p.adalWorkflow = mssql.FedAuthADALWorkflowPassword // user is an optional login hint p.user, _ = params["user id"] // we don't really have a password but we need to use some value. @@ -134,12 +135,12 @@ func (p *azureFedAuthConfig) validateParameters(params map[string]string) error p.password, _ = params["password"] if p.password == "" { - return errors.New("Must provide 'password' parameter when using ActiveDirectoryApplicationAuthToken authentication") + return errors.New("Must provide 'password' parameter when using ActiveDirectoryServicePrincipalAccessToken authentication") } default: return fmt.Errorf("Invalid federated authentication type '%s': expected one of %+v", fedAuthWorkflow, - []string{ActiveDirectoryApplication, ActiveDirectoryServicePrincipal, ActiveDirectoryDefault, ActiveDirectoryIntegrated, ActiveDirectoryInteractive, ActiveDirectoryManagedIdentity, ActiveDirectoryMSI, ActiveDirectoryPassword}) + []string{ActiveDirectoryApplication, ActiveDirectoryServicePrincipal, ActiveDirectoryDefault, ActiveDirectoryIntegrated, ActiveDirectoryInteractive, ActiveDirectoryManagedIdentity, ActiveDirectoryMSI, ActiveDirectoryPassword, ActiveDirectoryAzCli, ActiveDirectoryDeviceCode}) } p.fedAuthWorkflow = fedAuthWorkflow return nil @@ -206,6 +207,10 @@ func (p *azureFedAuthConfig) provideActiveDirectoryToken(ctx context.Context, se config := azcore.ClientOptions{Cloud: c} cred, err = azidentity.NewInteractiveBrowserCredential(&azidentity.InteractiveBrowserCredentialOptions{ClientOptions: config, ClientID: p.applicationClientID}) + case ActiveDirectoryDeviceCode: + cred, err = azidentity.NewDeviceCodeCredential(&azidentity.DeviceCodeCredentialOptions{ClientID: p.applicationClientID}) + case ActiveDirectoryAzCli: + cred, err = azidentity.NewAzureCLICredential(&azidentity.AzureCLICredentialOptions{TenantID: p.tenantID}) default: // Integrated just uses Default until azidentity adds Windows-specific authentication cred, err = azidentity.NewDefaultAzureCredential(nil)