---
title: Azure authentication with Java and Azure Identity
description: An overview of the Azure SDK authentication and identity functionality
ms.date: 02/02/2021
ms.topic: conceptual
ms.custom: devx-track-java
ms.author: vigera
---

Azure authentication with Java and Azure Identity

This article provides an overview of the Java Azure Identity library, which adds Azure Active Directory (AAD) token authentication support across the Azure SDK for Java. The library supplies a set of TokenCredential implementations that you can use to construct Azure SDK clients that support AAD token authentication.

The Azure Identity library currently supports:

Follow the links above to learn more about the specifics of each of these authentication approaches. In the rest of this article, we'll introduce the commonly used DefaultAzureCredential and related topics.

Add the Maven dependencies

To add the Maven dependency, include the following XML in the project's pom.xml file. Replace the 1.2.1 version number with the latest released version number shown on the Microsoft Azure Client Library For Identity page.

```xml
<dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-identity</artifactId>
    <version>1.2.1</version>
</dependency>
```

Key concepts

There are two key concepts in understanding the Azure Identity library: the concept of a credential, and the most common implementation of that credential, the DefaultAzureCredential.

A credential is a class that contains or can obtain the data needed for a service client to authenticate requests. Service clients across the Azure SDK accept credentials when they're constructed, and service clients use those credentials to authenticate requests to the service.

The Azure Identity library focuses on OAuth authentication with Azure Active Directory, and it offers various credential classes that can acquire an AAD token to authenticate service requests. All of the credential classes in this library are implementations of the TokenCredential abstract class in azure-core, and you can use any of them to construct service clients that can authenticate with a TokenCredential.

The DefaultAzureCredential is appropriate for most scenarios where the application is intended to ultimately run in the Azure Cloud. DefaultAzureCredential combines credentials that are commonly used to authenticate when deployed, with credentials that are used to authenticate in a development environment. For more information, including examples using DefaultAzureCredential, see the Default Azure credential section of Authenticating Azure-hosted Java applications.
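The following is an added example, not code from the Microsoft documentation, showing what the credential abstraction looks like below the service-client layer. Any TokenCredential (here a DefaultAzureCredential) can be asked directly for a token scoped to a resource; the class name CredentialProbe and the helper remainingLifetime are assumptions introduced for illustration, while the Key Vault scope string is the standard AAD scope for that service. The probe reports only token metadata, because the token value itself is a bearer secret that must not be logged.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DefaultAzureCredentialBuilder;

import java.time.Duration;
import java.time.OffsetDateTime;

// Hypothetical helper class, not part of the Azure SDK.
public class CredentialProbe {
    // Key Vault's resource scope. The "/.default" suffix asks AAD for every
    // permission this identity has already been granted on the resource.
    private static final String KEY_VAULT_SCOPE = "https://vault.azure.net/.default";

    // Accepts the TokenCredential abstraction rather than a concrete class:
    // this is exactly why credentials are interchangeable in service clients.
    public static Duration remainingLifetime(TokenCredential credential, String scope) {
        TokenRequestContext request = new TokenRequestContext().addScopes(scope);
        // getToken is reactive (returns a Mono); blocking is acceptable in a one-off probe.
        AccessToken token = credential.getToken(request).block();
        if (token == null || token.isExpired()) {
            throw new IllegalStateException("credential returned no usable token for " + scope);
        }
        // Only metadata leaves this method. Never expose token.getToken() in logs or output.
        return Duration.between(OffsetDateTime.now(), token.getExpiresAt());
    }

    public static void main(String[] args) {
        // Reuse one credential instance across all clients in a process; the
        // library caches tokens per instance, so rebuilding it per request
        // only adds round trips to AAD.
        TokenCredential credential = new DefaultAzureCredentialBuilder().build();
        Duration ttl = remainingLifetime(credential, KEY_VAULT_SCOPE);
        System.out.println("Token for " + KEY_VAULT_SCOPE
            + " is valid for roughly " + ttl.toMinutes() + " minutes");
    }
}
```

Run it on a machine where DefaultAzureCredential can find an identity (a developer signed in with the Azure CLI, or an Azure host with a managed identity). Requesting the narrowest scope the code actually needs, rather than a broad one, keeps a leaked token from being useful against other services.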

Examples

As noted in Use the Azure SDK for Java, the SDK is split into two kinds of libraries: client libraries, for consuming Azure services, and management libraries, for managing Azure resources. The two authenticate slightly differently. The following sections give a quick overview of authenticating with each.

Authenticate Azure client libraries

The following example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the DefaultAzureCredential.

```java
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

// Azure SDK client builders accept the credential as a parameter.
SecretClient client = new SecretClientBuilder()
  .vaultUrl("https://<your Key Vault name>.vault.azure.net")
  .credential(new DefaultAzureCredentialBuilder().build())
  .buildClient();
```

Authenticate Azure management libraries

The Azure management libraries use the same credential APIs as the Azure client libraries, but also require an Azure subscription ID to manage the Azure resources on that subscription.

You can find the subscription IDs on the Subscriptions page in the Azure portal. Alternatively, use the following Azure CLI command to get subscription IDs:

```bash
az account list --output table
```

You can set the subscription ID in the AZURE_SUBSCRIPTION_ID environment variable. This ID is picked up by AzureProfile as the default subscription ID during the creation of a Manager instance, as shown in the following example:

```java
import com.azure.core.management.AzureEnvironment;
import com.azure.core.management.profile.AzureProfile;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.resourcemanager.AzureResourceManager;

// AzureProfile reads AZURE_SUBSCRIPTION_ID (and AZURE_TENANT_ID) from the environment.
AzureResourceManager azureResourceManager = AzureResourceManager.authenticate(
        new DefaultAzureCredentialBuilder().build(),
        new AzureProfile(AzureEnvironment.AZURE))
    .withDefaultSubscription();
```

This example authenticates an AzureResourceManager instance using the DefaultAzureCredential. You can also use any other TokenCredential implementation offered in the Azure Identity library in place of DefaultAzureCredential.

Troubleshooting

Credentials raise exceptions either when they fail to authenticate or when they can't execute authentication at all. When a credential fails to authenticate, a ClientAuthenticationException is raised; its message attribute describes why authentication failed. When ChainedTokenCredential raises this exception, the chained execution of the underlying list of credentials is stopped.

When a credential can't execute authentication because one of the underlying resources it requires is unavailable on the machine, a CredentialUnavailableException is raised; its message attribute describes why the credential is unavailable for authentication execution. When ChainedTokenCredential raises this exception, the message collects the error messages from each credential in the chain.
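The two failure modes above are easy to confuse in a catch block. The following added example, which is not part of the Microsoft documentation, builds an explicit ChainedTokenCredential (managed identity first, Azure CLI login as the developer fallback) and handles both exceptions. The class name ChainedAuthExample, the helper names and the choice of the Azure Storage scope are assumptions made for this illustration. The ordering of the catch clauses matters: CredentialUnavailableException extends ClientAuthenticationException, so it has to be caught first or it is absorbed by the more general handler.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.core.exception.ClientAuthenticationException;
import com.azure.identity.AzureCliCredentialBuilder;
import com.azure.identity.ChainedTokenCredentialBuilder;
import com.azure.identity.CredentialUnavailableException;
import com.azure.identity.ManagedIdentityCredentialBuilder;

// Hypothetical example class, not part of the Azure SDK.
public class ChainedAuthExample {
    // Standard AAD scope for Azure Storage data-plane access.
    private static final String STORAGE_SCOPE = "https://storage.azure.com/.default";

    // Production credential first, developer fallback second. Order is the
    // policy: a chain that lists a developer credential first would let a
    // stray local login override the workload's managed identity.
    public static TokenCredential buildChain() {
        return new ChainedTokenCredentialBuilder()
            .addLast(new ManagedIdentityCredentialBuilder().build())
            .addLast(new AzureCliCredentialBuilder().build())
            .build();
    }

    public static AccessToken acquire(TokenCredential credential, String scope) {
        TokenRequestContext request = new TokenRequestContext().addScopes(scope);
        try {
            return credential.getToken(request).block();
        } catch (CredentialUnavailableException e) {
            // No credential in the chain could even run (no IMDS endpoint, no
            // CLI login, ...). The aggregated message names each credential's
            // reason and carries no secret, so it is safe to log verbatim.
            System.err.println("No credential could execute: " + e.getMessage());
            throw e;
        } catch (ClientAuthenticationException e) {
            // A credential did run and AAD rejected it (wrong tenant, expired
            // client secret, missing consent, ...). The chain stops at this
            // credential rather than trying the next one, so a rejection here
            // is a signal worth alerting on, not something to retry silently.
            System.err.println("Authentication rejected: " + e.getMessage());
            throw e;
        }
    }

    public static void main(String[] args) {
        AccessToken token = acquire(buildChain(), STORAGE_SCOPE);
        // Print only metadata; the token value is a bearer secret.
        System.out.println("Token acquired, expires at " + token.getExpiresAt());
    }
}
```

In a service, the two branches deserve different handling: CredentialUnavailableException usually means a deployment or environment problem (the identity was never attached to the host), while ClientAuthenticationException means an identity exists but AAD refused it, which is the case to surface in monitoring rather than to mask with a retry loop.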

Next steps

This article introduced the Azure Identity functionality available in the Azure SDK for Java. It described the DefaultAzureCredential as common and appropriate in many cases. The following articles describe other ways to authenticate using the Azure Identity library, and provide more information about the DefaultAzureCredential: