[DRAFT] Lab Access with KeyVault #5445
Draft: gladjohn wants to merge 4 commits into main from gladjohn/labvault
src/client/Microsoft.Identity.Client.Labs/Abstractions/AppSecretKeys.cs (55 additions & 0 deletions)
@@ -0,0 +1,55 @@ | ||
// Copyright (c) Microsoft Corporation. All rights reserved. | ||
// Licensed under the MIT License. | ||
|
||
namespace Microsoft.Identity.Client.Labs | ||
{ | ||
/// <summary> | ||
/// Declares the Key Vault secret names for an application's credentials. | ||
/// Each property is a secret <em>name</em> (not the secret value). | ||
/// </summary> | ||
public sealed class AppSecretKeys | ||
{ | ||
/// <summary> | ||
/// Initializes a new instance of the <see cref="AppSecretKeys"/> class. | ||
/// For optional secrets, pass an empty string (<c>""</c>) to indicate "not configured". | ||
/// </summary> | ||
/// <param name="clientIdSecret">Key Vault secret name that stores the application's client ID.</param> | ||
/// <param name="clientSecretSecret">Optional Key Vault secret name that stores the application's client secret. Use <c>""</c> if not used.</param> | ||
/// <param name="pfxSecret">Optional Key Vault secret name that stores a Base64-encoded PFX certificate. Use <c>""</c> if not used.</param> | ||
/// <param name="pfxPasswordSecret">Optional Key Vault secret name that stores the password for the PFX. Use <c>""</c> if not used.</param> | ||
public AppSecretKeys( | ||
string clientIdSecret, | ||
string clientSecretSecret = "", | ||
string pfxSecret = "", | ||
string pfxPasswordSecret = "") | ||
{ | ||
ClientIdSecret = clientIdSecret; | ||
ClientSecretSecret = clientSecretSecret ?? string.Empty; | ||
PfxSecret = pfxSecret ?? string.Empty; | ||
PfxPasswordSecret = pfxPasswordSecret ?? string.Empty; | ||
} | ||
|
||
/// <summary> | ||
/// Gets the Key Vault secret name that stores the application's client ID. | ||
/// </summary> | ||
public string ClientIdSecret { get; } | ||
|
||
/// <summary> | ||
/// Gets the Key Vault secret name that stores the application's client secret. | ||
/// Empty string indicates "not configured". | ||
/// </summary> | ||
public string ClientSecretSecret { get; } | ||
|
||
/// <summary> | ||
/// Gets the Key Vault secret name that stores a Base64-encoded PFX certificate. | ||
/// Empty string indicates "not configured". | ||
/// </summary> | ||
public string PfxSecret { get; } | ||
|
||
/// <summary> | ||
/// Gets the Key Vault secret name that stores the password for the PFX certificate. | ||
/// Empty string indicates "not configured". | ||
/// </summary> | ||
public string PfxPasswordSecret { get; } | ||
} | ||
} |
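Review bot: the constructor assigns `ClientIdSecret = clientIdSecret;` with no validation while the three optional parameters are null-coalesced, yet the client ID secret name is the one required field; a null or empty value here only surfaces later as a failed Key Vault lookup. Suggest failing fast, e.g. `ClientIdSecret = string.IsNullOrWhiteSpace(clientIdSecret) ? throw new ArgumentException("A client ID secret name is required.", nameof(clientIdSecret)) : clientIdSecret;`, which also keeps the "empty string means not configured" convention from leaking onto a required property. The summaries already stress that these are secret names rather than values; stating on the class summary that instances therefore carry no secret material and are safe to log would make that guarantee explicit for consumers of the public surface.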
src/client/Microsoft.Identity.Client.Labs/Abstractions/Enums.cs (134 additions & 0 deletions)
@@ -0,0 +1,134 @@ | ||
// Copyright (c) Microsoft Corporation. All rights reserved. | ||
// Licensed under the MIT License. | ||
|
||
namespace Microsoft.Identity.Client.Labs | ||
{ | ||
/// <summary> | ||
/// Represents the authentication style used by a test user. | ||
/// </summary> | ||
public enum AuthType | ||
{ | ||
/// <summary> | ||
/// A basic username/password account with no federation or multi-factor authentication (MFA). | ||
/// </summary> | ||
Basic, | ||
|
||
/// <summary> | ||
/// A federated account (for example, via ADFS, Ping, or another identity provider). | ||
/// </summary> | ||
Federated, | ||
|
||
/// <summary> | ||
/// An account that requires multi-factor authentication (MFA). | ||
/// </summary> | ||
Mfa, | ||
|
||
/// <summary> | ||
/// A business-to-business (B2B) guest account invited into the tenant. | ||
/// </summary> | ||
Guest | ||
} | ||
|
||
/// <summary> | ||
/// Identifies the cloud or sovereign environment where identities and applications are hosted. | ||
/// </summary> | ||
public enum CloudType | ||
{ | ||
/// <summary> | ||
/// Azure Public (global) cloud. | ||
/// </summary> | ||
Public, | ||
|
||
/// <summary> | ||
/// Azure Government (GCC/GCC High) cloud. | ||
/// </summary> | ||
Gcc, | ||
|
||
/// <summary> | ||
/// Azure Government Department of Defense (DoD) environment. | ||
/// </summary> | ||
Dod, | ||
|
||
/// <summary> | ||
/// Azure China cloud (operated by 21Vianet). | ||
/// </summary> | ||
China, | ||
|
||
/// <summary> | ||
/// Microsoft Cloud for Germany / Azure Germany. | ||
/// </summary> | ||
Germany, | ||
|
||
/// <summary> | ||
/// Integration or pre‑production environment used for testing. | ||
/// </summary> | ||
Canary | ||
} | ||
|
||
/// <summary> | ||
/// Names the functional test scenario or user pool. | ||
/// </summary> | ||
public enum Scenario | ||
{ | ||
/// <summary> | ||
/// Basic or smoke-test scenarios. | ||
/// </summary> | ||
Basic, | ||
|
||
/// <summary> | ||
/// On‑Behalf‑Of (OBO) flow scenarios. | ||
/// </summary> | ||
Obo, | ||
|
||
/// <summary> | ||
/// Confidential Client Application (CCA) scenarios. | ||
/// </summary> | ||
Cca, | ||
|
||
/// <summary> | ||
/// Device Code flow scenarios. | ||
/// </summary> | ||
DeviceCode, | ||
|
||
/// <summary> | ||
/// Resource Owner Password Credentials (ROPC) flow scenarios. | ||
/// </summary> | ||
Ropc, | ||
|
||
/// <summary> | ||
/// Daemon (application‑only) scenarios without user interaction. | ||
/// </summary> | ||
Daemon | ||
} | ||
|
||
/// <summary> | ||
/// Specifies the type of application whose credentials should be resolved. | ||
/// </summary> | ||
public enum AppKind | ||
{ | ||
/// <summary> | ||
/// A public client application (desktop, mobile, or SPA) that does not use a client secret. | ||
/// </summary> | ||
PublicClient, | ||
|
||
/// <summary> | ||
/// A confidential client application (web app/service) that authenticates with a client secret or certificate. | ||
/// </summary> | ||
ConfidentialClient, | ||
|
||
/// <summary> | ||
/// A headless/background application that runs without user interaction. | ||
/// </summary> | ||
Daemon, | ||
|
||
/// <summary> | ||
/// A protected Web API (resource) that validates tokens issued to clients. | ||
/// </summary> | ||
WebApi, | ||
|
||
/// <summary> | ||
/// A web application (confidential client) that signs in users and can call downstream APIs. | ||
/// </summary> | ||
WebApp | ||
} | ||
} |
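Review bot: `Scenario.Daemon` ("Daemon (application-only) scenarios without user interaction") and `AppKind.Daemon` ("A headless/background application that runs without user interaction") describe the same thing under two different enums, and `AppKind.ConfidentialClient` overlaps with `AppKind.WebApp`, whose own summary calls it "a web application (confidential client)"; a caller building a `(cloud, scenario, kind)` tuple has two equally plausible keys for the same app, and every map provider must either populate both or let one of them miss at lookup time. Either drop the duplicates or say in each summary which value a lab app is expected to be registered under. Since this is new public surface, also consider giving each member an explicit numeric value: `CloudType` is not in any natural order, and inserting a cloud later would silently renumber members that have already been serialized or logged.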
src/client/Microsoft.Identity.Client.Labs/Abstractions/IAccountMapProvider.cs (25 additions & 0 deletions)
@@ -0,0 +1,25 @@ | ||
// Copyright (c) Microsoft Corporation. All rights reserved. | ||
// Licensed under the MIT License. | ||
|
||
using System.Collections.Generic; | ||
|
||
namespace Microsoft.Identity.Client.Labs | ||
{ | ||
/// <summary> | ||
/// Provides a mapping between a user tuple | ||
/// (<see cref="AuthType"/>, <see cref="CloudType"/>, <see cref="Scenario"/>) and the | ||
/// Key Vault secret name that stores the corresponding username. | ||
/// </summary> | ||
public interface IAccountMapProvider | ||
{ | ||
/// <summary> | ||
/// Gets a map of tuples to username secret names. The value for each key must be a Key Vault | ||
/// secret name whose value is the username to use for the tuple. | ||
/// </summary> | ||
/// <returns> | ||
/// A read-only dictionary keyed by <c>(authType, cloudType, scenario)</c> whose values are | ||
/// the Key Vault secret names containing usernames. | ||
/// </returns> | ||
IReadOnlyDictionary<(AuthType auth, CloudType cloud, Scenario scenario), string> GetUsernameMap(); | ||
} | ||
} |
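Review bot: the map value is only the secret name of the username; nothing in this interface says where the matching password lives, so a consumer that resolves `(AuthType.Basic, cloud, scenario)` still cannot sign in without an out-of-band naming convention. Either document that convention in the `<summary>` or mirror `AppSecretKeys` with a small value type that holds both the username and the password secret names. Minor: the `<returns>` text names the key as `(authType, cloudType, scenario)` while the tuple elements are declared `(auth, cloud, scenario)`; align the two so the documentation matches what callers see in IntelliSense.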
src/client/Microsoft.Identity.Client.Labs/Abstractions/IAppMapProvider.cs (22 additions & 0 deletions)
@@ -0,0 +1,22 @@ | ||
// Copyright (c) Microsoft Corporation. All rights reserved. | ||
// Licensed under the MIT License. | ||
|
||
namespace Microsoft.Identity.Client.Labs | ||
{ | ||
/// <summary> | ||
/// Provides a mapping between an application tuple | ||
/// (<see cref="CloudType"/>, <see cref="Scenario"/>, <see cref="AppKind"/>) and the | ||
/// Key Vault secret names that store its client ID and credentials. | ||
/// </summary> | ||
public interface IAppMapProvider | ||
{ | ||
/// <summary> | ||
/// Gets a map of tuples to application secret-name sets. | ||
/// </summary> | ||
/// <returns> | ||
/// A read-only dictionary keyed by <c>(cloudType, scenario, appKind)</c> whose values | ||
/// describe which Key Vault secret names hold each application credential. | ||
/// </returns> | ||
IReadOnlyDictionary<(CloudType cloud, Scenario scenario, AppKind kind), AppSecretKeys> GetAppMap(); | ||
} | ||
} |
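Review bot: `IReadOnlyDictionary<...>` is used on the `GetAppMap()` signature but this file has no `using System.Collections.Generic;`, unlike IAccountMapProvider.cs in the same commit which adds it; unless the project enables implicit usings this will not compile, so add the directive for consistency either way. Also, `AppKind.PublicClient` is documented as never using a client secret, yet the `AppSecretKeys` value allows a `ClientSecretSecret` or `PfxSecret` for any kind; state in the `<returns>` text (or validate in the consumer) that public-client entries are expected to carry only `ClientIdSecret`, so a mis-populated map cannot hand a confidential credential to a public client.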
We should treat the lab API as a public API, since this is how other SDKs consume it. Do we really need to increase the public surface?