UNPKG

@azure/identity-broker

Version:

A native plugin for Azure Identity credentials to enable broker authentication such as WAM

github.com/Azure/azure-sdk-for-js/tree/main/sdk/identity/identity-broker/README.md

Azure/azure-sdk-for-js

171 lines (108 loc) 8.93 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
# Azure Identity plugin for brokered authentication This package provides a plugin to the Azure Identity library for JavaScript ([`@azure/identity`](https://npmjs.com/package/@azure/identity)) that enables using an authentication broker such as [WAM](https://learn.microsoft.com/entra/identity-platform/scenario-desktop-acquire-token-wam). An authentication broker is an application that runs on a user’s machine that manages the authentication handshakes and token maintenance for connected accounts. Currently, only the Windows authentication broker, Web Account Manager (WAM), is supported. [Source code](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/identity/identity-broker) | [Samples](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity-broker/samples) | [API reference documentation](https://learn.microsoft.com/javascript/api/overview/azure/identity-broker-readme?view=azure-node-latest) | [Microsoft Entra ID documentation](https://learn.microsoft.com/entra/identity/) ## Getting started ```ts snippet:getting_started import { useIdentityPlugin } from "@azure/identity"; import { nativeBrokerPlugin } from "@azure/identity-broker"; useIdentityPlugin(nativeBrokerPlugin); ``` ### Prerequisites - An [Azure subscription](https://azure.microsoft.com/free/nodejs/). > Note: For local development with `@azure/identity-broker`, you may need to install additional tools. [node-gyp](https://github.com/nodejs/node-gyp) is used to compile [addons](https://nodejs.org/api/addons.html) for accessing system APIs. Installation requirements are listed in the [node-gyp README](https://github.com/nodejs/node-gyp#installation). On Linux, the library uses `libsecret` so you may need to install it. Depending on your distribution, you will need to run the following command: - Debian/Ubuntu: `sudo apt-get install libsecret-1-dev` - Red Hat-based: `sudo yum install libsecret-devel` - Arch Linux: `sudo pacman -S libsecret` > [!NOTE] > Brokered authentication is currently only supported on Windows and Linux. macOS isn't yet supported. ### Install the package This package is designed to be used with Azure Identity for JavaScript. Install both `@azure/identity` and this package using `npm`: ```sh npm install --save @azure/identity npm install --save @azure/identity-broker ``` #### Supported environments Azure Identity plugins for JavaScript support stable (even numbered) versions of Node.js starting from v20. While the plugins may run in other Node.js versions, no support is guaranteed. `@azure/identity-broker` **does not** support browser environments. ## Key concepts If this is your first time using `@azure/identity` or Microsoft Entra ID, we recommend that you read [Using `@azure/identity` with Microsoft Entra ID](https://github.com/Azure/azure-sdk-for-js/blob/main/documentation/using-azure-identity.md) first. This document will give you a deeper understanding of the platform and how to configure your Azure account correctly. ### Parent window handles When authenticating with the broker via `InteractiveBrowserCredential`, a parent window handle is required to ensure that the authentication dialog is shown correctly over the requesting window. In the context of graphical user interfaces on devices, a window handle is a unique identifier that the operating system assigns to each window. For the Windows operating system, this handle is an integer value that serves as a reference to a specific window. ## Microsoft account (MSA) passthrough Microsoft accounts (MSA) are personal accounts created by users to access Microsoft services. MSA passthrough is a legacy configuration which enables users to get tokens to resources which normally don't accept MSA logins. This feature is only available to first-party applications. Users authenticating with an application that is configured to use MSA passthrough can set `legacyEnableMsaPassthrough` to `true` inside `InteractiveBrowserCredentialNodeOptions.brokerOptions` to allow these personal accounts to be listed by WAM. ## Redirect URIs Microsoft Entra applications rely on redirect URIs to determine where to send the authentication response after a user has logged in. To enable brokered authentication through WAM, a redirect URI matching the following pattern should be registered to the application: ``` ms-appx-web://Microsoft.AAD.BrokerPlugin/{client_id} ``` ### Azure Identity plugins As of `@azure/identity` version 2.0.0, the Identity client library for JavaScript includes a plugin API. This package (`@azure/identity-broker`) exports a plugin object that you must pass as an argument to the top-level `useIdentityPlugin` function from the `@azure/identity` package. Enable native broker in your program as follows: ```ts snippet:using_plugins import { useIdentityPlugin, InteractiveBrowserCredential } from "@azure/identity"; import { nativeBrokerPlugin } from "@azure/identity-broker"; useIdentityPlugin(nativeBrokerPlugin); const credential = new InteractiveBrowserCredential({ brokerOptions: { enabled: true, parentWindowHandle: new Uint8Array(0), // This should be a handle to the parent window }, }); ``` After calling `useIdentityPlugin`, the native broker plugin is registered to the `@azure/identity` package and will be available on the `InteractiveBrowserCredential` that supports WAM broker authentication. This credential has `brokerOptions` in the constructor options. **Notes**: As of `@azure/identity` version 4.11.0-beta.1, `DefaultAzureCredential` provides support to sign-in via the Windows Web Account Manager. Enable native broker in your program as follows: ```ts snippet:using_plugins_dac import { useIdentityPlugin, DefaultAzureCredential } from "@azure/identity"; import { nativeBrokerPlugin } from "@azure/identity-broker"; useIdentityPlugin(nativeBrokerPlugin); const credential = new DefaultAzureCredential(); ``` ## Examples Once the plugin is registered, you can enable WAM broker authentication by passing `brokerOptions` with an `enabled` property set to `true` to a credential constructor. In the following example, we use the `InteractiveBrowserCredential`. ```ts snippet:usage_example import { useIdentityPlugin, InteractiveBrowserCredential } from "@azure/identity"; import { nativeBrokerPlugin } from "@azure/identity-broker"; useIdentityPlugin(nativeBrokerPlugin); const credential = new InteractiveBrowserCredential({ brokerOptions: { enabled: true, parentWindowHandle: new Uint8Array(0), // This should be a handle to the parent window }, }); // We'll use the Microsoft Graph scope as an example const scope = "https://graph.microsoft.com/.default"; // Print out part of the access token console.log((await credential.getToken(scope)).token.substring(0, 10), "..."); ``` For a complete example of using an Electron app for retrieving a window handle, see [this sample](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity-broker/samples/v1/typescript/src/index.ts). ### Use the default account for sign-in When the `useDefaultBrokerAccount` option is set to `true`, the credential will attempt to silently use the default broker account. If using the default account fails, the credential will fall back to interactive authentication. ```ts snippet:use_default_account import { useIdentityPlugin, InteractiveBrowserCredential } from "@azure/identity"; import { nativeBrokerPlugin } from "@azure/identity-broker"; useIdentityPlugin(nativeBrokerPlugin); const credential = new InteractiveBrowserCredential({ brokerOptions: { enabled: true, useDefaultBrokerAccount: true, parentWindowHandle: new Uint8Array(0), // This should be a handle to the parent window }, }); // We'll use the Microsoft Graph scope as an example const scope = "https://graph.microsoft.com/.default"; // Print out part of the access token console.log((await credential.getToken(scope)).token.substr(0, 10), "..."); ``` ## Troubleshooting See the Azure Identity [troubleshooting guide](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/TROUBLESHOOTING.md) for details on how to diagnose various failure scenarios. ### Logging Enabling logging may help uncover useful information about failures. In order to see a log of HTTP requests and responses, set the `AZURE_LOG_LEVEL` environment variable to `info`. Alternatively, logging can be enabled at runtime by calling `setLogLevel` in the `@azure/logger`: ```ts snippet:logging import { setLogLevel } from "@azure/logger"; setLogLevel("info"); ``` ## Next steps ### Provide feedback If you encounter bugs or have suggestions, please [open an issue](https://github.com/Azure/azure-sdk-for-js/issues). ## Contributing If you'd like to contribute to this library, see the [contributing guide](https://github.com/Azure/azure-sdk-for-js/blob/main/CONTRIBUTING.md) to learn more about how to build and test the code.