[identity] Add WorkloadIdentityCredential (Azure#24830)

Author: mpodwysocki

common/config/rush/pnpm-lock.yaml

@@ -1,16 +1,12 @@
 # Release History
 
-## 3.2.0-beta.1 (Unreleased)
+## 3.2.0-beta.1 (2023-02-24)
 
 ### Features Added
 
 - Added support to disable instance discovery on AAD credentials.
 - Added `AzureDeveloperCliCredential` [#24180](https://github.com/Azure/azure-sdk-for-js/pull/24180) and added it to the `DefaultAzureCredential` [#24826](https://github.com/Azure/azure-sdk-for-js/pull/24826) auth flow
-### Breaking Changes
-
-### Bugs Fixed
-
-### Other Changes
+- Added support for `WokloadIdentityCredential`[#24830](https://github.com/Azure/azure-sdk-for-js/pull/24830), added it to `DefaultAzureCredential` auth flow and replaced the in-house implementation of `Token Exchange MSI` in `ManagedIdentity` with `WorkloadIdentityCredential`.
 
 ## 3.1.3 (2023-01-12)
 

sdk/identity/identity/CHANGELOG.md

@@ -6,7 +6,7 @@
 %% 2. Run command: mmdc -i DefaultAzureCredentialAuthFlow.md -o DefaultAzureCredentialAuthFlow.svg
 
 flowchart LR;
-    A(Environment):::deployed ==> B(Managed Identity):::deployed ==> C(Azure Developer CLI):::developer ==> D(Azure CLI):::developer ==> E(Azure PowerShell):::developer;
+    A(Environment):::deployed ==> B(Workload Identity):::deployed ==> C(Managed Identity):::deployed ==> D(Azure Developer CLI):::developer ==> E(Azure CLI):::developer ==> F(Azure PowerShell):::developer;
 
     subgraph CREDENTIAL TYPES;
         direction LR;
@@ -22,7 +22,7 @@ flowchart LR;
 
     %% Add API ref links to credential type boxes
     click A "https://learn.microsoft.com/javascript/api/@azure/identity/environmentcredential?view=azure-node-latest" _blank;
-    click B "https://learn.microsoft.com/javascript/api/@azure/identity/managedidentitycredential?view=azure-node-latest" _blank;
-    click D "https://learn.microsoft.com/javascript/api/@azure/identity/azureclicredential?view=azure-node-latest" _blank;
-    click E "https://learn.microsoft.com/javascript/api/@azure/identity/azurepowershellcredential?view=azure-node-latest" _blank;
+    click C "https://learn.microsoft.com/javascript/api/@azure/identity/managedidentitycredential?view=azure-node-latest" _blank;
+    click E "https://learn.microsoft.com/javascript/api/@azure/identity/azureclicredential?view=azure-node-latest" _blank;
+    click F "https://learn.microsoft.com/javascript/api/@azure/identity/azurepowershellcredential?view=azure-node-latest" _blank;
 ```

sdk/identity/identity/images/mermaidjs/DefaultAzureCredentialAuthFlow.md

@@ -24,6 +24,7 @@
     "./dist-esm/src/credentials/azurePowerShellCredential.js": "./dist-esm/src/credentials/azurePowerShellCredential.browser.js",
     "./dist-esm/src/credentials/azureApplicationCredential.js": "./dist-esm/src/credentials/azureApplicationCredential.browser.js",
     "./dist-esm/src/credentials/onBehalfOfCredential.js": "./dist-esm/src/credentials/onBehalfOfCredential.browser.js",
+    "./dist-esm/src/credentials/workloadIdentityCredential.js": "./dist-esm/src/credentials/workloadIdentityCredential.browser.js",
     "./dist-esm/src/util/authHostEnv.js": "./dist-esm/src/util/authHostEnv.browser.js",
     "./dist-esm/src/util/processMultiTenantRequest.js": "./dist-esm/src/util/processMultiTenantRequest.browser.js",
     "./dist-esm/src/tokenCache/TokenCachePersistence.js": "./dist-esm/src/tokenCache/TokenCachePersistence.browser.js",
@@ -158,6 +159,7 @@
     "puppeteer": "^19.2.2",
     "rimraf": "^3.0.0",
     "sinon": "^9.0.2",
+    "ts-node": "^10.9.1",
     "typescript": "~4.8.0",
     "util": "^0.12.1",
     "uuid": "^8.3.2"

sdk/identity/identity/images/mermaidjs/DefaultAzureCredentialAuthFlow.svg

@@ -376,6 +376,19 @@ export interface VisualStudioCodeCredentialOptions extends MultiTenantTokenCrede
     tenantId?: string;
 }
 
+// @public
+export class WorkloadIdentityCredential implements TokenCredential {
+    constructor(options?: WorkloadIdentityCredentialOptions);
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken | null>;
+}
+
+// @public
+export interface WorkloadIdentityCredentialOptions extends MultiTenantTokenCredentialOptions, AuthorityValidationOptions {
+    clientId?: string;
+    federatedTokenFilePath?: string;
+    tenantId?: string;
+}
+
 // (No @packageDocumentation comment for this package)
 
 ```

sdk/identity/identity/package.json

@@ -0,0 +1,39 @@
+import { DefaultAzureCredential, WorkloadIdentityCredential } from "@azure/identity";
+import dotenv from "dotenv";
+
+dotenv.config();
+
+async function testDefaultCredential() {
+  const credential = new DefaultAzureCredential();
+
+  try {
+    const token = await credential.getToken("https://storage.azure.com/.default");
+    console.log(token);
+  } catch (err) {
+    console.log("Error with DefaultAzureCredential:", err);
+  }
+}
+
+async function testWorkloadCredential() {
+  const credential = new WorkloadIdentityCredential({
+    tenantId: process.env.AZURE_TENANT_ID!,
+    clientId: process.env.AZURE_CLIENT_ID!,
+    federatedTokenFilePath: process.env.AZURE_FEDERATED_TOKEN_FILE!,
+  });
+
+  try {
+    const token = await credential.getToken("https://storage.azure.com/.default");
+    console.log(token);
+  } catch (err) {
+    console.log("Error with WorkloadIdentityCredential:", err);
+  }
+}
+
+async function main() {
+  await testDefaultCredential();
+  await testWorkloadCredential();
+}
+
+main().catch((err) => {
+  console.error("The sample encountered an error:", err);
+});