Implement support for TokenCredential Auth (Azure#21915)

* Implement support for TokenCredential Auth

Author: christothes

sdk/tables/Azure.Data.Tables/CHANGELOG.md

@@ -4,6 +4,8 @@
 
 ### Features Added
 
+- Support for Azure Active Directory (AAD) authorization has been added to `TableServiceClient` and `TableClient`. This enables use of `TokenCredential` credentials. Note: Only Azure Storage API endpoints currently support AAD authorization.
+
 ### Breaking Changes
 
 ### Key Bugs Fixed

sdk/tables/Azure.Data.Tables/README.md

@@ -51,7 +51,7 @@ az cosmosdb table create --name MyTableName --resource-group MyResourceGroup --a
 
 ### Authenticate the Client
 
-Learn more about options for authentication _(including Connection Strings, Shared Key, and Shared Key Signatures)_ [in our samples.](https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/tables/Azure.Data.Tables/samples/Sample0Auth.md)
+Learn more about options for authentication _(including Connection Strings, Shared Key, Shared Key Signatures, and TokenCredentials)_ [in our samples.](https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/tables/Azure.Data.Tables/samples/Sample0Auth.md)
 
 ## Key concepts
 

sdk/tables/Azure.Data.Tables/api/Azure.Data.Tables.netstandard2.0.cs

@@ -14,6 +14,7 @@ public TableClient(string connectionString, string tableName) { }
         public TableClient(string connectionString, string tableName, Azure.Data.Tables.TableClientOptions options = null) { }
         public TableClient(System.Uri endpoint, Azure.AzureSasCredential credential, Azure.Data.Tables.TableClientOptions options = null) { }
         public TableClient(System.Uri endpoint, Azure.Data.Tables.TableClientOptions options = null) { }
+        public TableClient(System.Uri endpoint, string tableName, Azure.Core.TokenCredential tokenCredential, Azure.Data.Tables.TableClientOptions options = null) { }
         public TableClient(System.Uri endpoint, string tableName, Azure.Data.Tables.TableSharedKeyCredential credential) { }
         public TableClient(System.Uri endpoint, string tableName, Azure.Data.Tables.TableSharedKeyCredential credential, Azure.Data.Tables.TableClientOptions options = null) { }
         public virtual string AccountName { get { throw null; } }
@@ -108,6 +109,7 @@ public TableServiceClient(string connectionString) { }
         public TableServiceClient(string connectionString, Azure.Data.Tables.TableClientOptions options = null) { }
         public TableServiceClient(System.Uri endpoint, Azure.AzureSasCredential credential) { }
         public TableServiceClient(System.Uri endpoint, Azure.AzureSasCredential credential, Azure.Data.Tables.TableClientOptions options = null) { }
+        public TableServiceClient(System.Uri endpoint, Azure.Core.TokenCredential tokenCredential, Azure.Data.Tables.TableClientOptions options = null) { }
         public TableServiceClient(System.Uri endpoint, Azure.Data.Tables.TableClientOptions options = null) { }
         public TableServiceClient(System.Uri endpoint, Azure.Data.Tables.TableSharedKeyCredential credential) { }
         public TableServiceClient(System.Uri endpoint, Azure.Data.Tables.TableSharedKeyCredential credential, Azure.Data.Tables.TableClientOptions options) { }

sdk/tables/Azure.Data.Tables/samples/Sample0Auth.md

@@ -23,13 +23,11 @@ or
 
 ```C# Snippet:TablesAuthConnString
 // Construct a new TableClient using a connection string.
-
 var client = new TableClient(
     connectionString,
     tableName);
 
 // Create the table if it doesn't already exist to verify we've successfully authenticated.
-
 await client.CreateIfNotExistsAsync();
 ```
 
@@ -57,14 +55,12 @@ az cosmosdb list-keys --name <account_name> --resource-group <resource_group>
 
 ```C# Snippet:TablesAuthSharedKey
 // Construct a new TableClient using a TableSharedKeyCredential.
-
 var client = new TableClient(
     new Uri(storageUri),
     tableName,
     new TableSharedKeyCredential(accountName, accountKey));
 
 // Create the table if it doesn't already exist to verify we've successfully authenticated.
-
 await client.CreateIfNotExistsAsync();
 ```
 
@@ -83,29 +79,46 @@ account blade.
 
 ```C# Snippet:TablesAuthSas
 // Construct a new <see cref="TableServiceClient" /> using a <see cref="TableSharedKeyCredential" />.
-
 var credential = new TableSharedKeyCredential(accountName, accountKey);
 
 var serviceClient = new TableServiceClient(
     new Uri(storageUri),
     credential);
 
 // Build a shared access signature with the Write and Delete permissions and access to all service resource types.
-
 var sasUri = serviceClient.GenerateSasUri(
     TableAccountSasPermissions.Write | TableAccountSasPermissions.Delete,
     TableAccountSasResourceTypes.All,
     new DateTime(2040, 1, 1, 1, 1, 0, DateTimeKind.Utc));
 
 // Create the TableServiceClients using the SAS URI.
-
 var serviceClientWithSas = new TableServiceClient(sasUri);
 
 // Validate that we are able to create a table using the SAS URI with Write and Delete permissions.
-
 await serviceClientWithSas.CreateTableIfNotExistsAsync(tableName);
 
 // Validate that we are able to delete a table using the SAS URI with Write and Delete permissions.
-
 await serviceClientWithSas.DeleteTableAsync(tableName);
 ```
+
+## TokenCredential
+
+Azure Tables provides integration with Azure Active Directory (Azure AD) for identity-based authentication of requests
+to the Table service when targeting a Storage endpoint. With Azure AD, you can use role-based access control (RBAC) to
+grant access to your Azure Table resources to users, groups, or applications.
+
+To access a table resource with a `TokenCredential`, the authenticated identity should have either the "Storage Table Data Contributor" or "Storage Table Data Reader" role.
+
+With the `Azure.Identity` package, you can seamlessly authorize requests in both development and production environments.
+To learn more about Azure AD integration in Azure Storage, see the [Azure.Identity README](https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/identity/Azure.Identity/README.md)
+
+```C# Snippet:TablesAuthTokenCredential
+// Construct a new TableClient using a TokenCredential.
+var client = new TableClient(
+    new Uri(storageUri),
+    tableName,
+    new DefaultAzureCredential());
+
+// Create the table if it doesn't already exist to verify we've successfully authenticated.
+await client.CreateIfNotExistsAsync();
+```

sdk/tables/Azure.Data.Tables/src/TableClient.cs

@@ -79,7 +79,7 @@ public virtual string AccountName
         /// <param name="options">
         /// Optional client options that define the transport pipeline policies for authentication, retries, etc., that are applied to every request.
         /// </param>
-        /// <exception cref="ArgumentException"><paramref name="endpoint"/> is not https.</exception>
+        /// <exception cref="ArgumentException"><paramref name="endpoint"/> does not start with 'https'.</exception>
         public TableClient(Uri endpoint, TableClientOptions options = null)
             : this(endpoint, null, default, default, options)
         {
@@ -102,7 +102,8 @@ public TableClient(Uri endpoint, TableClientOptions options = null)
         /// <param name="options">
         /// Optional client options that define the transport pipeline policies for authentication, retries, etc., that are applied to every request.
         /// </param>
-        /// <exception cref="ArgumentException"><paramref name="endpoint"/> is not https.</exception>
+        /// <exception cref="ArgumentException"><paramref name="endpoint"/> does not start with 'https'.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="credential"/> is null.</exception>
         public TableClient(Uri endpoint, AzureSasCredential credential, TableClientOptions options = null)
             : this(endpoint, null, default, credential, options)
         {
@@ -123,6 +124,7 @@ public TableClient(Uri endpoint, AzureSasCredential credential, TableClientOptio
         /// </param>
         /// <param name="tableName">The name of the table with which this client instance will interact.</param>
         /// <param name="credential">The shared key credential used to sign requests.</param>
+        /// <exception cref="ArgumentException"><paramref name="tableName"/> is an empty string.</exception>
         /// <exception cref="ArgumentNullException"><paramref name="tableName"/> or <paramref name="credential"/> is null.</exception>
         public TableClient(Uri endpoint, string tableName, TableSharedKeyCredential credential)
             : this(endpoint, tableName, new TableSharedKeyPipelinePolicy(credential), default, null)
@@ -143,6 +145,7 @@ public TableClient(Uri endpoint, string tableName, TableSharedKeyCredential cred
         /// <param name="options">
         /// Optional client options that define the transport pipeline policies for authentication, retries, etc., that are applied to every request.
         /// </param>
+        /// <exception cref="ArgumentException"><paramref name="tableName"/> is an empty string.</exception>
         /// <exception cref="ArgumentNullException"><paramref name="tableName"/> or <paramref name="credential"/> is null.</exception>
         public TableClient(Uri endpoint, string tableName, TableSharedKeyCredential credential, TableClientOptions options = null)
             : this(endpoint, tableName, new TableSharedKeyPipelinePolicy(credential), default, options)
@@ -164,6 +167,7 @@ public TableClient(Uri endpoint, string tableName, TableSharedKeyCredential cred
         /// Configure Azure Storage connection strings</see>.
         /// </param>
         /// <param name="tableName">The name of the table with which this client instance will interact.</param>
+        /// <exception cref="ArgumentNullException"><paramref name="connectionString"/> or <paramref name="tableName"/> is null.</exception>
         public TableClient(string connectionString, string tableName)
             : this(connectionString, tableName, default)
         { }
@@ -185,9 +189,12 @@ public TableClient(string connectionString, string tableName)
         /// <param name="options">
         /// Optional client options that define the transport pipeline policies for authentication, retries, etc., that are applied to every request.
         /// </param>
+        /// <exception cref="ArgumentException"><paramref name="tableName"/> is an empty string.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="connectionString"/> or <paramref name="tableName"/> is null.</exception>
         public TableClient(string connectionString, string tableName, TableClientOptions options = null)
         {
             Argument.AssertNotNull(connectionString, nameof(connectionString));
+            Argument.AssertNotNullOrEmpty(tableName, nameof(tableName));
 
             TableConnectionString connString = TableConnectionString.Parse(connectionString);
             _accountName = connString._accountName;
@@ -212,6 +219,52 @@ public TableClient(string connectionString, string tableName, TableClientOptions
             Name = tableName;
         }
 
+        /// <summary>
+        /// Initializes a new instance of the <see cref="TableClient"/> using the specified <see cref="Uri" /> and <see cref="TokenCredential"/>.
+        /// </summary>
+        /// <param name="endpoint">
+        /// A <see cref="Uri"/> referencing the table service account.
+        /// This is likely to be similar to "https://{account_name}.table.core.windows.net/{table_name}"
+        /// or "https://{account_name}.table.cosmos.azure.com/{table_name}".
+        /// </param>
+        /// <param name="tableName">The name of the table with which this client instance will interact.</param>
+        /// <param name="tokenCredential">The <see cref="TokenCredential"/> used to authorize requests.</param>
+        /// <param name="options">
+        /// Optional client options that define the transport pipeline policies for authentication, retries, etc., that are applied to every request.
+        /// </param>
+        /// <exception cref="ArgumentException"><paramref name="endpoint"/> does not start with 'https'. or <paramref name="tableName"/> is an empty string.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="tableName"/>, <paramref name="endpoint"/>, or <paramref name="tokenCredential"/> is null.</exception>
+        public TableClient(Uri endpoint, string tableName, TokenCredential tokenCredential, TableClientOptions options = default)
+        {
+            Argument.AssertNotNull(endpoint, nameof(endpoint));
+            Argument.AssertNotNull(tokenCredential, nameof(tokenCredential));
+
+            // If we were provided no tableName, try to parse it from the endpoint.
+            if (string.IsNullOrEmpty(tableName))
+            {
+                tableName = new TableSasBuilder(endpoint).TableName;
+            }
+
+            Argument.AssertNotNullOrEmpty(tableName, nameof(tableName));
+
+            _endpoint = endpoint;
+            _isCosmosEndpoint = TableServiceClient.IsPremiumEndpoint(endpoint);
+            options ??= TableClientOptions.DefaultOptions;
+
+            var perCallPolicies = _isCosmosEndpoint ? new[] { new CosmosPatchTransformPolicy() } : Array.Empty<HttpPipelinePolicy>();
+
+            _pipeline = HttpPipelineBuilder.Build(
+                options,
+                perCallPolicies,
+                new[] { new BearerTokenAuthenticationPolicy(tokenCredential, TableConstants.StorageScope) },
+                new ResponseClassifier());
+
+            _version = options.VersionString;
+            _diagnostics = new TablesClientDiagnostics(options);
+            _tableOperations = new TableRestClient(_diagnostics, _pipeline, endpoint.AbsoluteUri, _version);
+            Name = tableName;
+        }
+
         internal TableClient(Uri endpoint, string tableName, TableSharedKeyPipelinePolicy policy, AzureSasCredential sasCredential, TableClientOptions options)
         {
             Argument.AssertNotNull(endpoint, nameof(endpoint));

sdk/tables/Azure.Data.Tables/src/TableConstants.cs

@@ -7,6 +7,7 @@ internal static class TableConstants
     {
         internal const string LegacyCosmosTableDomain = ".table.cosmosdb.";
         internal const string CosmosTableDomain = ".table.cosmos.";
+        internal const string StorageScope = "https://storage.azure.com/.default";
 
         internal static class HeaderNames
         {