diff --git a/sdk/core/azure-core/src/main/java/com/azure/core/util/Configuration.java b/sdk/core/azure-core/src/main/java/com/azure/core/util/Configuration.java
index 9094c37ab690..8b2d627902d4 100644
--- a/sdk/core/azure-core/src/main/java/com/azure/core/util/Configuration.java
+++ b/sdk/core/azure-core/src/main/java/com/azure/core/util/Configuration.java
@@ -112,6 +112,11 @@ public class Configuration implements Cloneable {
 */
 public static final String PROPERTY_AZURE_CLIENT_CERTIFICATE_PASSWORD = "AZURE_CLIENT_CERTIFICATE_PASSWORD";
+ /**
+ * Flag to enable sending the certificate chain in x5c header to support subject name / issuer based authentication.
+ */
+ public static final String PROPERTY_AZURE_CLIENT_SEND_CERTIFICATE_CHAIN = "AZURE_CLIENT_SEND_CERTIFICATE_CHAIN";
+
 /**
 * Flag to disable the CP1 client capabilities in Azure Identity Token credentials.
 */
diff --git a/sdk/identity/azure-identity/CHANGELOG.md b/sdk/identity/azure-identity/CHANGELOG.md
index 798df8b28ed8..2e72c383a378 100644
--- a/sdk/identity/azure-identity/CHANGELOG.md
+++ b/sdk/identity/azure-identity/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## 1.14.0-beta.1 (Unreleased)
 ### Features Added
+- Added support in `EnvironmentCredential` (and thus `DefaultAzureCredential` when it chooses `EnvironmentCredential`) for using subject name / issuer authentication with client certificates by setting `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN` to `1` or `true`. [#40013](https://github.com/Azure/azure-sdk-for-java/issues/40013)
 ### Breaking Changes
diff --git a/sdk/identity/azure-identity/TROUBLESHOOTING.md b/sdk/identity/azure-identity/TROUBLESHOOTING.md
index 609eb2d718cd..9e087d6e6ccd 100644
--- a/sdk/identity/azure-identity/TROUBLESHOOTING.md
+++ b/sdk/identity/azure-identity/TROUBLESHOOTING.md
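Review bot: The Javadoc on `PROPERTY_AZURE_CLIENT_SEND_CERTIFICATE_CHAIN` does not say which values enable the flag, although the `EnvironmentCredential` change in this same diff accepts only `true` (case-insensitive) or `1` and treats everything else, including an unset variable, as off. I would extend the comment with `Set to {@code true} or {@code 1} to enable; any other value, or an unset variable, leaves the chain out of the assertion.` Because sending the chain is what lets the service match the certificate by subject name and issuer rather than by the individual certificate, a sentence noting that trust then follows the issuer, which is presumably why this is opt-in, would help operators decide whether to set it; that consequence is inferred from the description here, so confirm it against the service documentation before writing it.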
@@ -90,9 +90,9 @@ The underlying MSAL library, MSAL4J, also has detailed logging. It is highly ver ## Troubleshoot `EnvironmentCredential` authentication issues `CredentialUnavailableException` -| Error Message |Description| Mitigation | -|---|---|---| -|Environment variables aren't fully configured.|A valid combination of environment variables wasn't set.|Ensure the appropriate environment variables are set **prior to application startup** for the intended authentication method.

| +| Error Message | Description | Mitigation | +|------------------------------------------------|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Environment variables aren't fully configured. | A valid combination of environment variables wasn't set. | Ensure the appropriate environment variables are set **prior to application startup** for the intended authentication method.

| ## Troubleshoot `ClientSecretCredential` authentication issues `ClientAuthenticationException`
diff --git a/sdk/identity/azure-identity/pom.xml b/sdk/identity/azure-identity/pom.xml
index bf39f31453b3..3a6d4c030af7 100644
--- a/sdk/identity/azure-identity/pom.xml
+++ b/sdk/identity/azure-identity/pom.xml
@@ -31,7 +31,7 @@ com.azure azure-core - 1.49.1 + 1.50.0-beta.1 com.azure
diff --git a/sdk/identity/azure-identity/src/main/java/com/azure/identity/EnvironmentCredential.java b/sdk/identity/azure-identity/src/main/java/com/azure/identity/EnvironmentCredential.java
index d9712129de1e..f54f2fcb3e20 100644
--- a/sdk/identity/azure-identity/src/main/java/com/azure/identity/EnvironmentCredential.java
+++ b/sdk/identity/azure-identity/src/main/java/com/azure/identity/EnvironmentCredential.java
@@ -89,6 +89,8 @@ public class EnvironmentCredential implements TokenCredential {
 String certPassword = configuration.get(Configuration.PROPERTY_AZURE_CLIENT_CERTIFICATE_PASSWORD);
 String username = configuration.get(Configuration.PROPERTY_AZURE_USERNAME);
 String password = configuration.get(Configuration.PROPERTY_AZURE_PASSWORD);
+ String sendCertificateChain = configuration.get(Configuration.PROPERTY_AZURE_CLIENT_SEND_CERTIFICATE_CHAIN, "false");
+
 if (CoreUtils.isNullOrEmpty(identityClientOptions.getAdditionallyAllowedTenants())) {
 identityClientOptions
 .setAdditionallyAllowedTenants(IdentityUtil.getAdditionalTenantsFromEnvironment(configuration));
@@ -106,6 +108,11 @@ public class EnvironmentCredential implements TokenCredential {
 } else if (verifyNotNull(certPath)) {
 // 1.2 Attempt ClientCertificateCredential
 LOGGER.info("Azure Identity => EnvironmentCredential invoking ClientCertificateCredential");
+
+ if ("true".equalsIgnoreCase(sendCertificateChain) || "1".equals(sendCertificateChain)) {
+ identityClientOptions.setIncludeX5c(true);
+ }
+
 targetCredential = new ClientCertificateCredential(tenantId, clientId, certPath, null, certPassword, identityClientOptions);
 } else {
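Review bot: The opt-in check on the `if ("true".equalsIgnoreCase(sendCertificateChain) || "1".equals(sendCertificateChain))` line compares the raw environment value, so a value carrying stray whitespace (`"true "`, which shell quoting or a container manifest can easily produce) silently fails the match and the credential goes on without x5c, surfacing later as an authentication error far from its cause. I would normalise once where the value is read in the first hunk, `String sendCertificateChain = configuration.get(Configuration.PROPERTY_AZURE_CLIENT_SEND_CERTIFICATE_CHAIN, "false").trim();` (assuming `get` with a default never returns null, which is how it is already relied on here), and mention at the existing `LOGGER.info` call that the chain is being sent so the TROUBLESHOOTING table has something to point at. A comment above the check should also record that the variable can only turn x5c on and never clears a value the caller set on `identityClientOptions`, e.g. `// Env var is opt-in only; it never overrides an includeX5c the caller already set.` The enclosing method, apparently the constructor, starts before the first hunk and ends after the second.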