Class ClientCertificateCredential

java.lang.Object
com.azure.identity.ClientCertificateCredential
All Implemented Interfaces:
com.azure.core.credential.TokenCredential

public class ClientCertificateCredential extends Object implements com.azure.core.credential.TokenCredential

The ClientCertificateCredential acquires a token via service principal authentication, a type of authentication in Azure that enables a non-interactive login to Microsoft Entra ID, allowing an application or service to authenticate itself with Azure resources. A service principal is essentially an identity created for an application in Microsoft Entra ID that can be used to authenticate with Azure resources. It's like a "user identity" for the application or service, and it lets the application authenticate itself with Azure resources without using a user's credentials.

Microsoft Entra ID allows users to register service principals, which can be used as an identity for authentication. A client certificate associated with the registered service principal is used as the password when authenticating the service principal. The ClientCertificateCredential acquires an access token with a client certificate for a service principal/registered Microsoft Entra application. The tenantId, clientId and clientCertificate of the service principal are required for this credential to acquire an access token. It can be used in both Azure-hosted and local development environments. For more information, refer to the conceptual knowledge and configuration details.

As a prerequisite, a service principal is required to use this authentication mechanism. If you don't have a service principal, see how to create a service principal with Azure CLI.

Sample: Construct a simple ClientCertificateCredential

The following code sample demonstrates the creation of a ClientCertificateCredential, using the ClientCertificateCredentialBuilder to configure it. The tenantId, clientId and certificate parameters are required to create a ClientCertificateCredential. Once this credential is created, it may be passed to many of the Azure SDK for Java client builders as the 'credential' parameter.

 TokenCredential clientCertificateCredential = new ClientCertificateCredentialBuilder()
     .tenantId(tenantId)
     .clientId(clientId)
     .pemCertificate("<PATH-TO-PEM-CERTIFICATE>")
     .build();
 

Sample: Construct a ClientCertificateCredential using ByteArrayInputStream

The following code sample demonstrates the creation of a ClientCertificateCredential, using the ClientCertificateCredentialBuilder to configure it. The tenantId, clientId and certificate parameters are required to create a ClientCertificateCredential. The certificate in this example is supplied as a ByteArrayInputStream, which is helpful if the certificate is already available in memory, for example after being read from a certificate store.

 ByteArrayInputStream certificateStream = new ByteArrayInputStream(certificateBytes);
 TokenCredential certificateCredentialWithStream = new ClientCertificateCredentialBuilder()
     .tenantId(tenantId)
     .clientId(clientId)
     .pemCertificate(certificateStream)
     .build();
 

Sample: Construct a ClientCertificateCredential behind a proxy

The following code sample demonstrates the creation of a ClientCertificateCredential, using the ClientCertificateCredentialBuilder to configure it. The tenantId, clientId and certificate parameters are required to create a ClientCertificateCredential. The proxyOptions can optionally be configured to target a proxy. Once this credential is created, it may be passed to many of the Azure SDK for Java client builders as the 'credential' parameter.

 TokenCredential certificateCredential = new ClientCertificateCredentialBuilder()
     .tenantId(tenantId)
     .clientId(clientId)
     .pfxCertificate("<PATH-TO-PFX-CERTIFICATE>", "P@s$w0rd")
     .proxyOptions(new ProxyOptions(Type.HTTP, new InetSocketAddress("10.21.32.43", 5465)))
     .build();
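
The PFX sample above passes the certificate password as a literal. As an added example (not part of the Azure SDK documentation), the class below reads the path and password from environment variables and checks the PFX locally before building the credential; the class name, the `APP_*` variable names and the 7-day expiry margin are assumptions.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.ClientCertificateCredentialBuilder;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

public final class CertificateCredentialFactory {
    private static final long MIN_REMAINING_MS = 7L * 24 * 60 * 60 * 1000; // assumed policy: 7 days

    /** Fails fast if the PFX cannot be opened or its certificate is expired or close to expiry. */
    static void checkPfx(String pfxPath, String password) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(pfxPath))) {
            store.load(in, password.toCharArray()); // throws IOException on a wrong password
        }
        for (String alias : Collections.list(store.aliases())) {
            if (store.isKeyEntry(alias)) { // skip bundled CA certificates without a private key
                X509Certificate cert = (X509Certificate) store.getCertificate(alias);
                cert.checkValidity(); // valid right now
                cert.checkValidity(new Date(System.currentTimeMillis() + MIN_REMAINING_MS));
                return;
            }
        }
        throw new IllegalStateException("No private-key entry in " + pfxPath);
    }

    // Environment variable names are hypothetical; use your own secret delivery mechanism.
    public static TokenCredential fromEnvironment() throws Exception {
        String pfxPath = requireEnv("APP_PFX_PATH");
        String pfxPassword = requireEnv("APP_PFX_PASSWORD");
        checkPfx(pfxPath, pfxPassword);
        return new ClientCertificateCredentialBuilder()
            .tenantId(requireEnv("APP_TENANT_ID"))
            .clientId(requireEnv("APP_CLIENT_ID"))
            .pfxCertificate(pfxPath, pfxPassword)
            .build();
    }

    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Missing environment variable " + name);
        }
        return value;
    }
}
```

The pre-flight check surfaces a wrong password or an expiring certificate at startup instead of at the first token request.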
 
  • Method Summary

    Modifier and Type | Method | Description
    Mono<com.azure.core.credential.AccessToken> | getToken(com.azure.core.credential.TokenRequestContext request) | Asynchronously get a token for a given resource/audience.
    com.azure.core.credential.AccessToken | getTokenSync(com.azure.core.credential.TokenRequestContext request) | Synchronously get a token for a given resource/audience.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Method Details

    • getToken

      public Mono<com.azure.core.credential.AccessToken> getToken(com.azure.core.credential.TokenRequestContext request)
      Description copied from interface: com.azure.core.credential.TokenCredential
      Asynchronously get a token for a given resource/audience. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing.
      Specified by:
      getToken in interface com.azure.core.credential.TokenCredential
      Parameters:
      request - the details of the token request
      Returns:
      a Publisher that emits a single access token
    • getTokenSync

      public com.azure.core.credential.AccessToken getTokenSync(com.azure.core.credential.TokenRequestContext request)
      Description copied from interface: com.azure.core.credential.TokenCredential
      Synchronously get a token for a given resource/audience. This method is called automatically by Azure SDK client libraries. You may call this method directly, but you must also handle token caching and token refreshing.
      Specified by:
      getTokenSync in interface com.azure.core.credential.TokenCredential
      Parameters:
      request - the details of the token request
      Returns:
      The Access Token
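
Both method descriptions above note that a direct caller must handle token caching and refreshing. One way to do that around getTokenSync, as an added example that is not part of the Azure SDK; the class name CachingTokenSource and the 5-minute refresh margin are assumptions.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import java.time.Duration;
import java.time.OffsetDateTime;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Caches one token per scope list and refreshes it shortly before expiry. */
public final class CachingTokenSource {
    // Assumed refresh margin: renew when less than 5 minutes of lifetime remain.
    private static final Duration REFRESH_MARGIN = Duration.ofMinutes(5);

    private final TokenCredential credential;
    private final Map<String, AccessToken> cache = new ConcurrentHashMap<>();

    public CachingTokenSource(TokenCredential credential) {
        this.credential = credential;
    }

    /** Returns a bearer token for the scopes, calling the credential only when needed. */
    public String bearerToken(String... scopes) {
        String key = String.join(" ", scopes); // same scopes in a different order get their own entry
        AccessToken token = cache.compute(key, (k, cached) -> {
            if (cached != null && isFresh(cached)) {
                return cached;
            }
            // compute() serialises refreshes per key, so concurrent callers share one request.
            return credential.getTokenSync(new TokenRequestContext().addScopes(scopes));
        });
        return token.getToken();
    }

    /** A token counts as fresh while it outlives the refresh margin. */
    static boolean isFresh(AccessToken token) {
        return token.getExpiresAt().isAfter(OffsetDateTime.now().plus(REFRESH_MARGIN));
    }
}
```

Keep the returned token string out of logs and exception messages; it is a bearer secret until it expires.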