Class ClientCertificateCredentialBuilder
- All Implemented Interfaces:
com.azure.core.client.traits.HttpTrait<ClientCertificateCredentialBuilder>
ClientCertificateCredential
.
The ClientCertificateCredential acquires a token via service principal authentication. It is a type of authentication in Azure that enables a non-interactive login to Microsoft Entra ID, allowing an application or service to authenticate itself with Azure resources.
A Service Principal is essentially an identity created for an application in Microsoft Entra ID that can be used to authenticate with Azure resources. It's like a "user identity" for the application or service, and it provides a way for the application to authenticate itself with Azure resources without needing to use a user's credentials. Microsoft Entra ID allows users to register service principals which can be used as an identity for authentication. A client certificate associated with the registered service principal is used as the password when authenticating the service principal.
The ClientCertificateCredentialBuilder acquires an access token with a client certificate for a service principal/registered Microsoft Entra application. The tenantId, clientId and clientCertificate of the service principal are required for this credential to acquire an access token. It can be used both in Azure hosted and local development environments for authentication. For more information refer to the conceptual knowledge and configuration details.
Sample: Construct a simple ClientCertificateCredential
The following code sample demonstrates the creation of a ClientCertificateCredential, using the ClientCertificateCredentialBuilder to configure it. The tenantId, clientId and certificate parameters are required to create ClientCertificateCredential. Once this credential is created, it may be passed into the builder of many of the Azure SDK for Java client builders as the 'credential' parameter.
TokenCredential clientCertificateCredential = new ClientCertificateCredentialBuilder()
    .tenantId(tenantId)
    .clientId(clientId)
    .pemCertificate("<PATH-TO-PEM-CERTIFICATE>")
    .build();
Sample: Construct a ClientCertificateCredential using ByteArrayInputStream
The following code sample demonstrates the creation of a ClientCertificateCredential, using the ClientCertificateCredentialBuilder to configure it. The tenantId, clientId and certificate parameters are required to create ClientCertificateCredential. The certificate in this example is configured as a ByteArrayInputStream. This is helpful if the certificate is available in memory via a cert store.
ByteArrayInputStream certificateStream = new ByteArrayInputStream(certificateBytes);
TokenCredential certificateCredentialWithStream = new ClientCertificateCredentialBuilder()
    .tenantId(tenantId)
    .clientId(clientId)
    .pemCertificate(certificateStream)
    .build();
Sample: Construct a ClientCertificateCredential behind a proxy
The following code sample demonstrates the creation of a ClientCertificateCredential, using the ClientCertificateCredentialBuilder to configure it. The tenantId, clientId and certificate parameters are required to create ClientCertificateCredential. The proxyOptions can be optionally configured to target a proxy. Once this credential is created, it may be passed into the builder of many of the Azure SDK for Java client builders as the 'credential' parameter.
// pfxCertificate(String, String) is deprecated; the password is set with clientCertificatePassword(String).
TokenCredential certificateCredential = new ClientCertificateCredentialBuilder()
    .tenantId(tenantId)
    .clientId(clientId)
    .pfxCertificate("<PATH-TO-PFX-CERTIFICATE>")
    .clientCertificatePassword("P@s$w0rd")
    .proxyOptions(new ProxyOptions(Type.HTTP, new InetSocketAddress("10.21.32.43", 5465)))
    .build();
Method Summary
- build(): Creates a new ClientCertificateCredential with the current configurations.
- clientCertificatePassword(String clientCertificatePassword): Sets the password of the client certificate for authenticating to Microsoft Entra ID.
- pemCertificate(InputStream certificate): Sets the input stream holding the PEM certificate for authenticating to Microsoft Entra ID.
- pemCertificate(String certificatePath): Sets the path of the PEM certificate for authenticating to Microsoft Entra ID.
- pfxCertificate(InputStream certificate): Sets the input stream holding the PFX certificate for authenticating to Microsoft Entra ID.
- pfxCertificate(String certificatePath): Sets the path of the PFX certificate for authenticating to Microsoft Entra ID.
- pfxCertificate(String certificatePath, String clientCertificatePassword): Deprecated. This API is deprecated and will be removed.
- sendCertificateChain(boolean sendCertificateChain): Specifies if the x5c claim (public key of the certificate) should be sent as part of the authentication request and enable subject name / issuer based authentication.
- tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions): Configures the persistent shared token cache options and enables the persistent token cache which is disabled by default.
Methods inherited from class com.azure.identity.AadCredentialBuilderBase
additionallyAllowedTenants, additionallyAllowedTenants, authorityHost, clientId, disableInstanceDiscovery, enableUnsafeSupportLogging, executorService, tenantId
Methods inherited from class com.azure.identity.CredentialBuilderBase
addPolicy, clientOptions, configuration, enableAccountIdentifierLogging, httpClient, httpLogOptions, httpPipeline, maxRetry, pipeline, proxyOptions, retryOptions, retryPolicy, retryTimeout
Constructor Details
ClientCertificateCredentialBuilder
public ClientCertificateCredentialBuilder()

Method Details
pemCertificate
Sets the path of the PEM certificate for authenticating to Microsoft Entra ID.
Parameters:
certificatePath - the PEM file containing the certificate
Returns:
An updated instance of this builder.

pemCertificate
Sets the input stream holding the PEM certificate for authenticating to Microsoft Entra ID.
Parameters:
certificate - the input stream containing the PEM certificate
Returns:
An updated instance of this builder.

pfxCertificate
@Deprecated public ClientCertificateCredentialBuilder pfxCertificate(String certificatePath, String clientCertificatePassword)
Deprecated. This API is deprecated and will be removed. Specify the PFX certificate via the pfxCertificate(String) API and the client certificate password via the clientCertificatePassword(String) API as applicable.
Sets the path and password of the PFX certificate for authenticating to Microsoft Entra ID.
Parameters:
certificatePath - the password protected PFX file containing the certificate
clientCertificatePassword - the password protecting the PFX file
Returns:
An updated instance of this builder.

pfxCertificate
Sets the path of the PFX certificate for authenticating to Microsoft Entra ID.
Parameters:
certificatePath - the password protected PFX file containing the certificate
Returns:
An updated instance of this builder.

pfxCertificate
Sets the input stream holding the PFX certificate for authenticating to Microsoft Entra ID.
Parameters:
certificate - the input stream containing the password protected PFX certificate
Returns:
An updated instance of this builder.

clientCertificatePassword
public ClientCertificateCredentialBuilder clientCertificatePassword(String clientCertificatePassword)
Sets the password of the client certificate for authenticating to Microsoft Entra ID.
Parameters:
clientCertificatePassword - the password protecting the certificate
Returns:
An updated instance of this builder.

tokenCachePersistenceOptions
public ClientCertificateCredentialBuilder tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions)
Configures the persistent shared token cache options and enables the persistent token cache which is disabled by default. If configured, the credential will store tokens in a cache persisted to the machine, protected to the current user, which can be shared by other credentials and processes.
Parameters:
tokenCachePersistenceOptions - the token cache configuration options
Returns:
An updated instance of this builder with the token cache options configured.

sendCertificateChain
Specifies if the x5c claim (public key of the certificate) should be sent as part of the authentication request and enable subject name / issuer based authentication. The default value is false.
Parameters:
sendCertificateChain - the flag to indicate if certificate chain should be sent as part of authentication request.
Returns:
An updated instance of this builder.

build
Creates a new ClientCertificateCredential with the current configurations.
Returns:
a ClientCertificateCredential with the current configurations.
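The following is an added example, not part of the Azure SDK's own documentation: it combines the non-deprecated pfxCertificate(String) and clientCertificatePassword(String) methods with sendCertificateChain, and checks the PFX locally before the credential is built. The class name, the environment variable names and the requested scope are assumptions chosen for illustration.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.ClientCertificateCredentialBuilder;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

public final class CertificateCredentialExample {
    // Loads the PFX locally and fails fast if it holds no private key or the
    // certificate is outside its validity period, before any request is made.
    static void checkPfx(Path pfx, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(pfx)) {
            store.load(in, password);
        }
        for (String alias : Collections.list(store.aliases())) {
            if (store.isKeyEntry(alias)) {
                ((X509Certificate) store.getCertificate(alias)).checkValidity();
                return;
            }
        }
        throw new IllegalStateException("PFX contains no private key entry: " + pfx);
    }

    public static void main(String[] args) throws Exception {
        // Assumed environment variable names; the password never appears in source.
        String tenantId = System.getenv("AZURE_TENANT_ID");
        String clientId = System.getenv("AZURE_CLIENT_ID");
        Path pfx = Path.of(System.getenv("AZURE_CLIENT_CERTIFICATE_PATH"));
        String password = System.getenv("AZURE_CLIENT_CERTIFICATE_PASSWORD");
        checkPfx(pfx, password.toCharArray());

        TokenCredential credential = new ClientCertificateCredentialBuilder()
            .tenantId(tenantId)
            .clientId(clientId)
            .pfxCertificate(pfx.toString())       // non-deprecated single-argument overload
            .clientCertificatePassword(password)  // replaces the deprecated two-argument overload
            .sendCertificateChain(true)           // default is false; sends the x5c claim
            .build();
        AccessToken token = credential
            .getToken(new TokenRequestContext().addScopes("https://management.azure.com/.default"))
            .block();
        System.out.println("Token acquired, expires at " + token.getExpiresAt());
    }
}
```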