Merge azidentity 1.3 beta branch to main (Azure#20449)

Author: chlowell

sdk/azidentity/CHANGELOG.md

@@ -1,10 +1,8 @@
 # Release History
 
-## 1.3.0-beta.3 (Unreleased)
+## 1.3.0-beta.5 (Unreleased)
 
 ### Features Added
-* `InteractiveBrowserCredentialOptions.LoginHint` enables pre-populating the login
-  prompt with a username ([#15599](https://github.com/Azure/azure-sdk-for-go/pull/15599))
 
 ### Breaking Changes
 
@@ -13,6 +11,41 @@
 
 ### Other Changes
 
+## 1.3.0-beta.4 (2023-03-08)
+
+### Features Added
+* Added `WorkloadIdentityCredentialOptions.AdditionallyAllowedTenants` and `.DisableInstanceDiscovery`
+
+### Bugs Fixed
+* Credentials now synchronize within `GetToken()` so a single instance can be shared among goroutines
+  ([#20044](https://github.com/Azure/azure-sdk-for-go/issues/20044))
+
+### Other Changes
+* Upgraded dependencies
+
+## 1.2.2 (2023-03-07)
+
+### Other Changes
+* Upgraded dependencies
+
+## 1.3.0-beta.3 (2023-02-07)
+
+### Features Added
+* By default, credentials set client capability "CP1" to enable support for
+  [Continuous Access Evaluation (CAE)](https://docs.microsoft.com/azure/active-directory/develop/app-resilience-continuous-access-evaluation).
+  This indicates to Azure Active Directory that your application can handle CAE claims challenges.
+  You can disable this behavior by setting the environment variable "AZURE_IDENTITY_DISABLE_CP1" to "true".
+* `InteractiveBrowserCredentialOptions.LoginHint` enables pre-populating the login
+  prompt with a username ([#15599](https://github.com/Azure/azure-sdk-for-go/pull/15599))
+* Service principal and user credentials support ADFS authentication on Azure Stack.
+  Specify "adfs" as the credential's tenant.
+* Applications running in private or disconnected clouds can prevent credentials from
+  requesting Azure AD instance metadata by setting the `DisableInstanceDiscovery`
+  field on credential options.
+* Many credentials can now be configured to authenticate in multiple tenants. The
+  options types for these credentials have an `AdditionallyAllowedTenants` field
+  that specifies additional tenants in which the credential may authenticate.
+
 ## 1.3.0-beta.2 (2023-01-10)
 
 ### Features Added

sdk/azidentity/azidentity.go

@@ -26,23 +26,30 @@ import (
 )
 
 const (
-	azureAuthorityHost             = "AZURE_AUTHORITY_HOST"
-	azureClientCertificatePassword = "AZURE_CLIENT_CERTIFICATE_PASSWORD"
-	azureClientCertificatePath     = "AZURE_CLIENT_CERTIFICATE_PATH"
-	azureClientID                  = "AZURE_CLIENT_ID"
-	azureClientSecret              = "AZURE_CLIENT_SECRET"
-	azureFederatedTokenFile        = "AZURE_FEDERATED_TOKEN_FILE"
-	azurePassword                  = "AZURE_PASSWORD"
-	azureRegionalAuthorityName     = "AZURE_REGIONAL_AUTHORITY_NAME"
-	azureTenantID                  = "AZURE_TENANT_ID"
-	azureUsername                  = "AZURE_USERNAME"
+	azureAdditionallyAllowedTenants = "AZURE_ADDITIONALLY_ALLOWED_TENANTS"
+	azureAuthorityHost              = "AZURE_AUTHORITY_HOST"
+	azureClientCertificatePassword  = "AZURE_CLIENT_CERTIFICATE_PASSWORD"
+	azureClientCertificatePath      = "AZURE_CLIENT_CERTIFICATE_PATH"
+	azureClientID                   = "AZURE_CLIENT_ID"
+	azureClientSecret               = "AZURE_CLIENT_SECRET"
+	azureFederatedTokenFile         = "AZURE_FEDERATED_TOKEN_FILE"
+	azurePassword                   = "AZURE_PASSWORD"
+	azureRegionalAuthorityName      = "AZURE_REGIONAL_AUTHORITY_NAME"
+	azureTenantID                   = "AZURE_TENANT_ID"
+	azureUsername                   = "AZURE_USERNAME"
 
 	organizationsTenantID   = "organizations"
 	developerSignOnClientID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
 	defaultSuffix           = "/.default"
 	tenantIDValidationErr   = "invalid tenantID. You can locate your tenantID by following the instructions listed here: https://docs.microsoft.com/partner-center/find-ids-and-domain-names"
 )
 
+var (
+	// capability CP1 indicates the client application is capable of handling CAE claims challenges
+	cp1        = []string{"CP1"}
+	disableCP1 = strings.ToLower(os.Getenv("AZURE_IDENTITY_DISABLE_CP1")) == "true"
+)
+
 var getConfidentialClient = func(clientID, tenantID string, cred confidential.Credential, co *azcore.ClientOptions, additionalOpts ...confidential.Option) (confidentialClient, error) {
 	if !validTenantID(tenantID) {
 		return confidential.Client{}, errors.New(tenantIDValidationErr)
@@ -51,16 +58,19 @@ var getConfidentialClient = func(clientID, tenantID string, cred confidential.Cr
 	if err != nil {
 		return confidential.Client{}, err
 	}
+	authority := runtime.JoinPaths(authorityHost, tenantID)
 	o := []confidential.Option{
-		confidential.WithAuthority(runtime.JoinPaths(authorityHost, tenantID)),
 		confidential.WithAzureRegion(os.Getenv(azureRegionalAuthorityName)),
 		confidential.WithHTTPClient(newPipelineAdapter(co)),
 	}
+	if !disableCP1 {
+		o = append(o, confidential.WithClientCapabilities(cp1))
+	}
 	o = append(o, additionalOpts...)
 	if strings.ToLower(tenantID) == "adfs" {
 		o = append(o, confidential.WithInstanceDiscovery(false))
 	}
-	return confidential.New(clientID, cred, o...)
+	return confidential.New(authority, clientID, cred, o...)
 }
 
 var getPublicClient = func(clientID, tenantID string, co *azcore.ClientOptions, additionalOpts ...public.Option) (public.Client, error) {
@@ -71,18 +81,18 @@ var getPublicClient = func(clientID, tenantID string, co *azcore.ClientOptions,
 	if err != nil {
 		return public.Client{}, err
 	}
-
 	o := []public.Option{
 		public.WithAuthority(runtime.JoinPaths(authorityHost, tenantID)),
 		public.WithHTTPClient(newPipelineAdapter(co)),
 	}
+	if !disableCP1 {
+		o = append(o, public.WithClientCapabilities(cp1))
+	}
 	o = append(o, additionalOpts...)
 	if strings.ToLower(tenantID) == "adfs" {
 		o = append(o, public.WithInstanceDiscovery(false))
 	}
-	return public.New(clientID,
-		o...,
-	)
+	return public.New(clientID, o...)
 }
 
 // setAuthorityHost initializes the authority host for credentials. Precedence is: