Add AppServiceCredential.php

Author: phamviet

composer.json

@@ -28,10 +28,5 @@
             "name": "Viet Pham",
             "email": "viet@webonyx.com"
         }
-    ],
-    "config": {
-        "allow-plugins": {
-            "php-http/discovery": true
-        }
-    }
+    ]
 }

src/Client/AadClient.php

@@ -25,7 +25,7 @@ class AadClient
 
     private int $timeout;
 
-    public function __construct(private string $tenantId, private string $clientId, ?HttpClientInterface $httpClient = null, ?LoggerInterface $logger = null, int $timeout = 5)
+    public function __construct(private string $tenantId, private string $clientId, ?HttpClientInterface $httpClient = null, ?LoggerInterface $logger = null, int $timeout = 20)
     {
         $this->logger = $logger ?? new NullLogger();
         $this->httpClient = $httpClient ?? HttpClient::create();

src/Credential/AppServiceCredential.php

@@ -0,0 +1,89 @@
+<?php
+
+namespace Azure\Identity\Credential;
+
+use Azure\Identity\EnvVar;
+use Azure\Identity\Exception\InvalidScopesException;
+use Azure\Identity\Token;
+use Azure\Identity\TokenInterface;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\HttpClient\HttpClient;
+use Symfony\Contracts\HttpClient\Exception\DecodingExceptionInterface;
+use Symfony\Contracts\HttpClient\Exception\HttpExceptionInterface;
+use Symfony\Contracts\HttpClient\Exception\TransportExceptionInterface;
+use Symfony\Contracts\HttpClient\HttpClientInterface;
+
+class AppServiceCredential implements AzureCredentialInterface
+{
+    private HttpClientInterface $httpClient;
+
+    public function __construct(public ?string $clientId = null, ?HttpClientInterface $httpClient = null, private ?LoggerInterface $logger = null)
+    {
+        $this->httpClient = $httpClient ?? HttpClient::create();
+    }
+
+    public function getToken(array $scopes, array $options = []): ?TokenInterface
+    {
+        $url = EnvVar::get('IDENTITY_ENDPOINT');
+        $secret = EnvVar::get('IDENTITY_HEADER');
+
+        if (!$url || !$secret) {
+            $this->logger->warning('App Service managed identity configuration not found in environment');
+
+            return null;
+        }
+
+        $clientId = $this->clientId ?? EnvVar::get('AZURE_CLIENT_ID');
+        $params = [
+            'api-version' => '2019-08-01',
+            'resource' => $this->scopesToResource($scopes),
+        ];
+
+        if ($clientId) {
+            $params['client_id'] = $clientId;
+        }
+
+        try {
+            $response = $this->httpClient->request('GET', $url, [
+                'query' => array_merge($params, $options),
+                'headers' => [
+                    'X-IDENTITY-HEADER' => $secret
+                ]
+            ]);
+
+            $result = $response->toArray();
+        } catch (DecodingExceptionInterface $e) {
+            $this->logger->info('Failed to decode token response.', ['exception' => $e]);
+
+            return null;
+        } catch (TransportExceptionInterface|HttpExceptionInterface $e) {
+            $this->logger->info('Failed to fetch token.', ['exception' => $e]);
+
+            return null;
+        }
+
+        // App service return expires_on instead expires_in
+        $result['expires_in'] = floor($result['expires_on'] - time());
+
+        return Token::fromArray($result);
+    }
+
+    /**
+     * Convert an AADv2 scope to an AADv1 resource
+     * @param array $scopes
+     * @return string
+     */
+    private function scopesToResource(array $scopes): string
+    {
+        if (count($scopes) !== 1) {
+            throw new InvalidScopesException('AppServiceCredential requires exactly one scope per token request.');
+        }
+
+        $resource = $scopes[0];
+        if (str_ends_with($resource, '/.default')) {
+            $resource = substr($resource, 0, strlen('/.default') * -1);
+        }
+
+        return $resource;
+    }
+}

src/Credential/AzureCredentialInterface.php

@@ -0,0 +1,10 @@
+<?php
+
+namespace Azure\Identity\Credential;
+
+use Azure\Identity\TokenInterface;
+
+interface AzureCredentialInterface
+{
+    public function getToken(array $scopes, array $options = []): ?TokenInterface;
+}

src/Credential/CacheCredential.php

@@ -5,14 +5,14 @@
 use Azure\Identity\TokenInterface;
 use Symfony\Contracts\Service\ResetInterface;
 
-class CacheCredential implements TokenCredentialInterface, ResetInterface
+class CacheCredential implements AzureCredentialInterface, ResetInterface
 {
     /**
      * @var (null|TokenInterface)[]
      */
     private array $cache = [];
 
-    public function __construct(private TokenCredentialInterface $decorated)
+    public function __construct(private AzureCredentialInterface $decorated)
     {
 
     }

src/Credential/ChainTokenCredential.php

@@ -7,15 +7,15 @@
 use Symfony\Contracts\HttpClient\HttpClientInterface;
 use Symfony\Contracts\Service\ResetInterface;
 
-class ChainTokenCredential implements TokenCredentialInterface, ResetInterface
+class ChainTokenCredential implements AzureCredentialInterface, ResetInterface
 {
     /**
-     * @var TokenCredentialInterface[]
+     * @var AzureCredentialInterface[]
      */
     private array $credentials;
 
     /**
-     * @var TokenCredentialInterface[]
+     * @var AzureCredentialInterface[]
      */
     private array $lastSuccessfulCredentials = [];
 
@@ -24,7 +24,7 @@ public function __construct(array $credentials)
         $this->credentials = $credentials;
     }
 
-    public static function createDefaultChain(array $config, ?HttpClientInterface $httpClient = null, ?LoggerInterface $logger = null): TokenCredentialInterface
+    public static function createDefaultChain(array $config, ?HttpClientInterface $httpClient = null, ?LoggerInterface $logger = null): AzureCredentialInterface
     {
         return new ChainTokenCredential([
             new EnvironmentCredential($httpClient, $logger),

src/Credential/ClientAssertionCredential.php

@@ -7,7 +7,7 @@
 use Psr\Log\LoggerInterface;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
 
-class ClientAssertionCredential implements TokenCredentialInterface
+class ClientAssertionCredential implements AzureCredentialInterface
 {
     private AadClient $client;
 

src/Credential/ClientSecretCredential.php

@@ -7,7 +7,7 @@
 use Psr\Log\LoggerInterface;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
 
-class ClientSecretCredential implements TokenCredentialInterface
+class ClientSecretCredential implements AzureCredentialInterface
 {
     private AadClient $client;
 

src/Credential/DefaultAzureCredential.php

@@ -6,12 +6,11 @@
 use Azure\Identity\TokenInterface;
 use Psr\Log\LoggerInterface;
 use Psr\Log\NullLogger;
-use Symfony\Component\HttpClient\HttpClient;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
 
-class DefaultAzureCredential implements TokenCredentialInterface
+class DefaultAzureCredential implements AzureCredentialInterface
 {
-    private TokenCredentialInterface $cacheable;
+    private AzureCredentialInterface $cacheable;
 
     public function __construct(array $config = [], ?HttpClientInterface $httpClient = null, ?LoggerInterface $logger = null)
     {

src/Credential/EnvironmentCredential.php

@@ -12,7 +12,7 @@
  * - `AZURE_TENANT_ID`: The Azure Active Directory tenant (directory) ID.
  * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
  */
-class EnvironmentCredential implements TokenCredentialInterface
+class EnvironmentCredential implements AzureCredentialInterface
 {
     private $logger;
 
@@ -26,8 +26,14 @@ public function __construct(?HttpClientInterface $httpClient = null, ?LoggerInte
 
     public function getToken(array $scopes, array $options = []): ?TokenInterface
     {
-        $tenantId = EnvVar::get('AZURE_TENANT_ID');
         $clientId = EnvVar::get('AZURE_CLIENT_ID');
+
+        if (EnvVar::get('IDENTITY_ENDPOINT') && EnvVar::get('IDENTITY_HEADER')) {
+            $client = new AppServiceCredential($clientId, $this->httpClient, $this->logger);
+            return $client->getToken($scopes, $options);
+        }
+
+        $tenantId = EnvVar::get('AZURE_TENANT_ID');
         if (!$tenantId || !$clientId) {
             return null;
         }