|
| 1 | +//go:build go1.18 |
| 2 | +// +build go1.18 |
| 3 | + |
| 4 | +// Copyright (c) Microsoft Corporation. All rights reserved. |
| 5 | +// Licensed under the MIT License. |
| 6 | + |
| 7 | +package azidentity |
| 8 | + |
| 9 | +import ( |
| 10 | + "encoding/json" |
| 11 | + "errors" |
| 12 | + "fmt" |
| 13 | + "net/url" |
| 14 | + "strings" |
| 15 | + |
| 16 | + "github.com/AzureAD/microsoft-authentication-library-for-go/apps/public" |
| 17 | +) |
| 18 | + |
| 19 | +var supportedAuthRecordVersions = []string{"1.0"} |
| 20 | + |
| 21 | +// AuthenticationRecord is non-secret account information about an authenticated user that user credentials such as |
| 22 | +// [DeviceCodeCredential] and [InteractiveBrowserCredential] can use to access previously cached authentication |
| 23 | +// data. Call these credentials' Authenticate method to get an AuthenticationRecord for a user. |
| 24 | +type AuthenticationRecord struct { |
| 25 | + // Authority is the URL of the authority that issued the token. |
| 26 | + Authority string `json:"authority"` |
| 27 | + |
| 28 | + // ClientID is the ID of the application that authenticated the user. |
| 29 | + ClientID string `json:"clientId"` |
| 30 | + |
| 31 | + // HomeAccountID uniquely identifies the account. |
| 32 | + HomeAccountID string `json:"homeAccountId"` |
| 33 | + |
| 34 | + // TenantID identifies the tenant in which the user authenticated. |
| 35 | + TenantID string `json:"tenantId"` |
| 36 | + |
| 37 | + // Username is the user's preferred username. |
| 38 | + Username string `json:"username"` |
| 39 | + |
| 40 | + // Version of the AuthenticationRecord. |
| 41 | + Version string `json:"version"` |
| 42 | +} |
| 43 | + |
| 44 | +// UnmarshalJSON implements json.Unmarshaler for AuthenticationRecord |
| 45 | +func (a *AuthenticationRecord) UnmarshalJSON(b []byte) error { |
| 46 | + // Default unmarshaling is fine but we want to return an error if the record's version isn't supported i.e., we |
| 47 | + // want to inspect the unmarshalled values before deciding whether to return an error. Unmarshaling a formally |
| 48 | + // different type enables this by assigning all the fields without recursing into this method. |
| 49 | + type r AuthenticationRecord |
| 50 | + err := json.Unmarshal(b, (*r)(a)) |
| 51 | + if err != nil { |
| 52 | + return err |
| 53 | + } |
| 54 | + if a.Version == "" { |
| 55 | + return errors.New("AuthenticationRecord must have a version") |
| 56 | + } |
| 57 | + for _, v := range supportedAuthRecordVersions { |
| 58 | + if a.Version == v { |
| 59 | + return nil |
| 60 | + } |
| 61 | + } |
| 62 | + return fmt.Errorf("unsupported AuthenticationRecord version %q. This module supports %v", a.Version, supportedAuthRecordVersions) |
| 63 | +} |
| 64 | + |
| 65 | +// account returns the AuthenticationRecord as an MSAL Account. The account is zero-valued when the AuthenticationRecord is zero-valued. |
| 66 | +func (a *AuthenticationRecord) account() public.Account { |
| 67 | + return public.Account{ |
| 68 | + Environment: a.Authority, |
| 69 | + HomeAccountID: a.HomeAccountID, |
| 70 | + PreferredUsername: a.Username, |
| 71 | + } |
| 72 | +} |
| 73 | + |
| 74 | +func newAuthenticationRecord(ar public.AuthResult) (AuthenticationRecord, error) { |
| 75 | + u, err := url.Parse(ar.IDToken.Issuer) |
| 76 | + if err != nil { |
| 77 | + return AuthenticationRecord{}, fmt.Errorf("Authenticate expected a URL issuer but got %q", ar.IDToken.Issuer) |
| 78 | + } |
| 79 | + tenant := ar.IDToken.TenantID |
| 80 | + if tenant == "" { |
| 81 | + tenant = strings.Trim(u.Path, "/") |
| 82 | + } |
| 83 | + username := ar.IDToken.PreferredUsername |
| 84 | + if username == "" { |
| 85 | + username = ar.IDToken.UPN |
| 86 | + } |
| 87 | + return AuthenticationRecord{ |
| 88 | + Authority: fmt.Sprintf("%s://%s", u.Scheme, u.Host), |
| 89 | + ClientID: ar.IDToken.Audience, |
| 90 | + HomeAccountID: ar.Account.HomeAccountID, |
| 91 | + TenantID: tenant, |
| 92 | + Username: username, |
| 93 | + Version: "1.0", |
| 94 | + }, nil |
| 95 | +} |
0 commit comments