feat(entraid): add support for azure identity (#2901)

This PR adds support for using Azure Identity's credential classes with Redis Enterprise Entra ID authentication. The main changes include: - Add a new factory method createForDefaultAzureCredential to enable using Azure Identity credentials - Add @azure/identity as a dependency to support the new authentication flow - Add support for DefaultAzureCredential, EnvironmentCredential, and any other TokenCredential implementation - Create a new AzureIdentityProvider to support DefaultAzureCredential - Update documentation and README with usage examples for DefaultAzureCredential - Add integration tests for the new authentication methods - Include a sample application demonstrating interactive browser authentication - Export constants for Redis scopes / credential mappers to simplify authentication configuration
2025-08-06 02:15:48 +03:00 · 2025-03-05 14:47:18 +02:00
parent 69d507a572
commit 8b4ed0059a
9 changed files with 655 additions and 123 deletions
--- a/packages/entraid/lib/entraid-credentials-provider.ts
+++ b/packages/entraid/lib/entraid-credentials-provider.ts
@@ -1,4 +1,5 @@
 import { AuthenticationResult } from '@azure/msal-common/node';
+import { AccessToken } from '@azure/core-auth';
 import {
  BasicAuth, StreamingCredentialsProvider, IdentityProvider, TokenManager,
  ReAuthenticationError, StreamingCredentialsListener, IDPError, Token, Disposable
@@ -9,6 +10,9 @@ import {
 * Please use one of the factory functions in `entraid-credetfactories.ts` to create an instance of this class for the different
 * type of authentication flows.
 */
+
+export type AuthenticationResponse = AuthenticationResult | AccessToken
+
 export class EntraidCredentialsProvider implements StreamingCredentialsProvider {
  readonly type = 'streaming-credentials-provider';

@@ -24,11 +28,11 @@ export class EntraidCredentialsProvider implements StreamingCredentialsProvider
  }> = [];

  constructor(
-    public readonly tokenManager: TokenManager<AuthenticationResult>,
-    public readonly idp: IdentityProvider<AuthenticationResult>,
+    public readonly tokenManager: TokenManager<AuthenticationResponse>,
+    public readonly idp: IdentityProvider<AuthenticationResponse>,
    private readonly options: {
      onReAuthenticationError?: (error: ReAuthenticationError) => void;
-      credentialsMapper?: (token: AuthenticationResult) => BasicAuth;
+      credentialsMapper?: (token: AuthenticationResponse) => BasicAuth;
      onRetryableError?: (error: string) => void;
    } = {}
  ) {
@@ -69,7 +73,7 @@ export class EntraidCredentialsProvider implements StreamingCredentialsProvider

  onReAuthenticationError: (error: ReAuthenticationError) => void;

-  #credentialsMapper: (token: AuthenticationResult) => BasicAuth;
+  #credentialsMapper: (token: AuthenticationResponse) => BasicAuth;

  #createTokenManagerListener(subscribers: Set<StreamingCredentialsListener<BasicAuth>>) {
    return {
@@ -80,7 +84,7 @@ export class EntraidCredentialsProvider implements StreamingCredentialsProvider
          this.options.onRetryableError?.(error.message);
        }
      },
-      onNext: (token: { value: AuthenticationResult }): void => {
+      onNext: (token: { value: AuthenticationResult | AccessToken }): void => {
        const credentials = this.#credentialsMapper(token.value);
        subscribers.forEach(listener => listener.onNext(credentials));
      }
@@ -101,10 +105,10 @@ export class EntraidCredentialsProvider implements StreamingCredentialsProvider
    };
  }

-  async #startTokenManagerAndObtainInitialToken(): Promise<Token<AuthenticationResult>> {
-    const initialResponse = await this.idp.requestToken();
-    const token = this.tokenManager.wrapAndSetCurrentToken(initialResponse.token, initialResponse.ttlMs);
+  async #startTokenManagerAndObtainInitialToken(): Promise<Token<AuthenticationResponse>> {
+    const { ttlMs, token: initialToken } = await this.idp.requestToken();

+    const token = this.tokenManager.wrapAndSetCurrentToken(initialToken, ttlMs);
    this.#tokenManagerDisposable = this.tokenManager.start(
      this.#createTokenManagerListener(this.#listeners),
      this.tokenManager.calculateRefreshTime(token)
@@ -131,10 +135,61 @@ export class EntraidCredentialsProvider implements StreamingCredentialsProvider

 }

-const DEFAULT_CREDENTIALS_MAPPER = (token: AuthenticationResult): BasicAuth => ({
-  username: token.uniqueId,
-  password: token.accessToken
-});
+export const DEFAULT_CREDENTIALS_MAPPER = (token: AuthenticationResponse): BasicAuth => {
+  if (isAuthenticationResult(token)) {
+    return {
+      username: token.uniqueId,
+      password: token.accessToken
+    }
+  } else {
+    return OID_CREDENTIALS_MAPPER(token)
+  }
+};

 const DEFAULT_ERROR_HANDLER = (error: ReAuthenticationError) =>
-  console.error('ReAuthenticationError', error);
+  console.error('ReAuthenticationError', error);
+
+export const OID_CREDENTIALS_MAPPER = (token: (AuthenticationResult | AccessToken)) => {
+
+  if (isAuthenticationResult(token)) {
+    // Client credentials flow is app-only authentication (no user context),
+    // so only access token is provided without user-specific claims (uniqueId, idToken, ...)
+    // this means that we need to extract the oid from the access token manually
+    const accessToken = JSON.parse(Buffer.from(token.accessToken.split('.')[1], 'base64').toString());
+
+    return ({
+      username: accessToken.oid,
+      password: token.accessToken
+    })
+  } else {
+    const accessToken = JSON.parse(Buffer.from(token.token.split('.')[1], 'base64').toString());
+
+    return ({
+      username: accessToken.oid,
+      password: token.token
+    })
+  }
+
+}
+
+/**
+ * Type guard to check if a token is an MSAL AuthenticationResult
+ * 
+ * @param auth - The token to check
+ * @returns true if the token is an AuthenticationResult
+ */
+export function isAuthenticationResult(auth: AuthenticationResult | AccessToken): auth is AuthenticationResult {
+  return typeof (auth as AuthenticationResult).accessToken === 'string' && 
+         !('token' in auth)
+}
+
+/**
+ * Type guard to check if a token is an Azure Identity AccessToken
+ * 
+ * @param auth - The token to check
+ * @returns true if the token is an AccessToken
+ */
+export function isAccessToken(auth: AuthenticationResult | AccessToken): auth is AccessToken {
+  return typeof (auth as AccessToken).token === 'string' && 
+         !('accessToken' in auth);
+}