Package com.azure.identity

Class ClientAssertionCredential

java.lang.Object
com.azure.identity.ClientAssertionCredential
All Implemented Interfaces:
com.azure.core.credential.TokenCredential
public class ClientAssertionCredential extends Object implements com.azure.core.credential.TokenCredential

The ClientAssertionCredential acquires a token via client assertion and service principal authentication. This authentication method provides a secure and scalable way for client applications to access Azure resources without the need for users to provide their credentials. It is often used in scenarios where a client application needs to access Azure resources on behalf of a user, such as in a multi-tier application architecture. In this authentication method, the client application creates a JSON Web Token (JWT) that includes information about the service principal (such as its client ID and tenant ID) and signs it using a client secret. The client then sends this token to Microsoft Entra ID as proof of its identity. Microsoft Entra ID verifies the token signature and checks that the service principal has the necessary permissions to access the requested Azure resource. If the token is valid and the service principal is authorized, Microsoft Entra ID issues an access token that the client application can use to access the requested resource. The ClientAssertionCredential acquires an access token with a client client assertion for a service principal/registered Microsoft Entra application. The tenantId, clientId, and clientAssertion of the service principal are required for this credential to acquire an access token. It can be used both in Azure-hosted and local development environments for authentication.

As a pre-requisite, a service principal is required to use this authentication mechanism. If you don't have a service principal, refer to create a service principal with Azure CLI.

Sample: Construct a simple ClientAssertionCredential

The following code sample demonstrates the creation of a ClientAssertionCredential, using the ClientAssertionCredentialBuilder to configure it. The tenantId, clientId and certificate parameters are required to create ClientAssertionCredential. Once this credential is created, it may be passed into the builder of many of the Azure SDK for Java client builders as the 'credential' parameter.

 TokenCredential clientAssertionCredential = new ClientAssertionCredentialBuilder()
     .tenantId(tenantId)
     .clientId(clientId)
     .clientAssertion(() -> "<Client-Assertion>")
     .build();

Sample: Construct a ClientAssertionCredential behind a proxy

The following code sample demonstrates the creation of a ClientAssertionCredential, using the ClientAssertionCredentialBuilder to configure it. The tenantId, clientId and clientAssertion parameters are required to create ClientAssertionCredential. THe proxyOptions can be optionally configured to target a proxy. Once this credential is created, it may be passed into the builder of many of the Azure SDK for Java client builders as the 'credential' parameter.

 TokenCredential assertionCredential = new ClientAssertionCredentialBuilder()
     .tenantId(tenantId)
     .clientId(clientId)
     .clientAssertion(() -> "<Client-Assertion>")
     .proxyOptions(new ProxyOptions(Type.HTTP, new InetSocketAddress("10.21.32.43", 5465)))
     .build();
See Also:

  • Method Summary

    Modifier and Type
    Method
    Description
    Mono<com.azure.core.credential.AccessToken>
    getToken(com.azure.core.credential.TokenRequestContext request)
    Asynchronously get a token for a given resource/audience.
    com.azure.core.credential.AccessToken
    getTokenSync(com.azure.core.credential.TokenRequestContext request)
    Synchronously get a token for a given resource/audience.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

  • Method Details

    • getToken

      public Mono<com.azure.core.credential.AccessToken> getToken(com.azure.core.credential.TokenRequestContext request)
      Description copied from interface: com.azure.core.credential.TokenCredential
      Asynchronously get a token for a given resource/audience. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing.
      Specified by:
      getToken in interface com.azure.core.credential.TokenCredential
      Parameters:
      request - the details of the token request
      Returns:
      a Publisher that emits a single access token

    • getTokenSync

      public com.azure.core.credential.AccessToken getTokenSync(com.azure.core.credential.TokenRequestContext request)
      Description copied from interface: com.azure.core.credential.TokenCredential
      Synchronously get a token for a given resource/audience. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing.
      Specified by:
      getTokenSync in interface com.azure.core.credential.TokenCredential
      Parameters:
      request - the details of the token request
      Returns:
      The Access Token