ExAzureCore.Auth.TokenSource.ClientAssertion (ex_azure_core v0.2.0)

Copy Markdown

Client assertion token source using Workload Identity Federation.

This source exchanges external identity tokens (from AWS Cognito, GitHub Actions, Kubernetes, etc.) for Azure AD access tokens using the OAuth2 client credentials flow with JWT bearer token assertion.

Configuration

The configuration map must include:

  • :tenant_id (required) - Azure AD tenant ID
  • :client_id (required) - Azure AD application (client) ID
  • :scope (required) - Token scope (e.g., "https://graph.microsoft.com/.default")
  • :provider (required) - Federated token provider (:aws_cognito, etc.)
  • :provider_opts (optional) - Provider-specific options
  • :cloud (optional) - Azure cloud environment (:public, :government, :china, :germany)

Examples

config = %{
  tenant_id: "12345678-1234-1234-1234-123456789012",
  client_id: "87654321-4321-4321-4321-210987654321",
  scope: "https://graph.microsoft.com/.default",
  provider: :aws_cognito,
  provider_opts: [
    identity_id: "us-west-2:12345678-1234-1234-1234-123456789012",
    auth_type: :basic
  ],
  cloud: :public
}

{:ok, token} = ExAzureIdentity.Sources.ClientAssertion.fetch_token(config)

For the AWS Cognito enhanced flow, :identity_id carries the identity pool id and :cognito_identity_id pins the exact Cognito identity that was federated into Azure, so the same subject is reused on every refresh:

provider_opts: [
  identity_id: "us-west-2:pool-guid",
  auth_type: :enhanced,
  logins: %{"your-developer-provider" => "client-id"},
  cognito_identity_id: "us-west-2:12345678-1234-1234-1234-123456789012"
]