[Identity] What if we accepted the PEM certificate string contents?

sdk/identity/identity/CHANGELOG.md

@@ -4,8 +4,14 @@
 
 ### Features Added
 
+- `ClientCertificateCredential` now accepts the string contents of the PEM certificate besides the path to the PEM certificate through the new type `ClientCertificateCredentialPEMConfiguration`.
+
 ### Breaking Changes
 
+#### Breaking changes from 2.0.0-beta.6 and 1.5.2
+
+- `ClientCertificateCredential` now won't accept a PEM certificate path as its third parameter. It will accept an object with the type `ClientCertificateCredentialPEMConfiguration` containing either a property named `certificate` with the string contents of the PEM certificate, or a property named `certificatePath`, with the path to the PEM certificate.
+
 #### Breaking Changes from 2.0.0-beta.4
 
 - Removed the `allowMultiTenantAuthentication` option from all of the credentials. Multi-tenant authentication is now enabled by default. On Node.js, it can be disabled with the `AZURE_IDENTITY_DISABLE_MULTITENANTAUTH` environment variable.

sdk/identity/identity/review/identity.api.md

@@ -108,7 +108,8 @@ export class ChainedTokenCredential implements TokenCredential {
 
 // @public
 export class ClientCertificateCredential implements TokenCredential {
-    constructor(tenantId: string, clientId: string, certificatePath: string, options?: ClientCertificateCredentialOptions);
+    // Warning: (ae-forgotten-export) The symbol "ClientCertificateCredentialPEMConfiguration" needs to be exported by the entry point index.d.ts
+    constructor(tenantId: string, clientId: string, configuration: ClientCertificateCredentialPEMConfiguration, options?: ClientCertificateCredentialOptions);
     getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
     }
 

sdk/identity/identity/src/credentials/clientCertificateCredential.ts

@@ -9,7 +9,33 @@ import { trace } from "../util/tracing";
 import { MsalFlow } from "../msal/flows";
 import { ClientCertificateCredentialOptions } from "./clientCertificateCredentialOptions";
 
-const logger = credentialLogger("ClientCertificateCredential");
+const credentialName = "ClientCertificateCredential";
+const logger = credentialLogger(credentialName);
+
+/**
+ * Required configuration options for the {@link ClientCertificateCredential}, with either the string contents of a PEM certificate, or the path to a PEM certificate.
+ */
+export type ClientCertificateCredentialPEMConfiguration =
+  | {
+      /**
+       * The PEM-encoded public/private key certificate on the filesystem.
+       */
+      certificate: string;
+      /**
+       * The PEM-encoded public/private key certificate on the filesystem     should not be provided if `certificate` is provided.
+       */
+      certificatePath?: never;
+    }
+  | {
+      /**
+       * The PEM-encoded public/private key certificate on the filesystem should not be provided if `certificatePath` is provided.
+       */
+      certificate?: never;
+      /**
+       * The path to the PEM-encoded public/private key certificate on the filesystem.
+       */
+      certificatePath: string;
+    };
 
 /**
  * Enables authentication to Azure Active Directory using a PEM-encoded
@@ -28,23 +54,26 @@ export class ClientCertificateCredential implements TokenCredential {
    *
    * @param tenantId - The Azure Active Directory tenant (directory) ID.
    * @param clientId - The client (application) ID of an App Registration in the tenant.
-   * @param certificatePath - The path to a PEM-encoded public/private key certificate on the filesystem.
+   * @param configuration - Other parameters required, including the PEM-encoded certificate as a string, or as a path on the filesystem.
    * @param options - Options for configuring the client which makes the authentication request.
    */
   constructor(
     tenantId: string,
     clientId: string,
-    certificatePath: string,
+    configuration: ClientCertificateCredentialPEMConfiguration,
     options: ClientCertificateCredentialOptions = {}
   ) {
-    if (!tenantId || !clientId || !certificatePath) {
+    if (!tenantId || !clientId) {
+      throw new Error(`${credentialName}: tenantId and clientId are required parameters.`);
+    }
+    if (!configuration || !(configuration.certificate || configuration.certificatePath)) {
       throw new Error(
-        "ClientCertificateCredential: tenantId, clientId, and certificatePath are required parameters."
+        `${credentialName}: Provide either a PEM certificate in string form, or the path to that certificate in the filesystem.`
       );
     }
     this.msalFlow = new MsalClientCertificate({
       ...options,
-      certificatePath,
+      configuration,
       logger,
       clientId,
       tenantId,
@@ -62,7 +91,7 @@ export class ClientCertificateCredential implements TokenCredential {
    *                TokenCredential implementation might make.
    */
   async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {
-    return trace(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+    return trace(`${credentialName}.getToken`, options, async (newOptions) => {
       const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
       return this.msalFlow.getToken(arrayScopes, newOptions);
     });

sdk/identity/identity/src/credentials/environmentCredential.ts

@@ -114,7 +114,7 @@ export class EnvironmentCredential implements TokenCredential {
       this._credential = new ClientCertificateCredential(
         tenantId,
         clientId,
-        certificatePath,
+        { certificatePath },
         options
       );
       return;

sdk/identity/identity/src/msal/nodeFlows/msalClientCertificate.ts

@@ -9,6 +9,7 @@ import { AccessToken } from "@azure/core-auth";
 import { MsalNodeOptions, MsalNode } from "./nodeCommon";
 import { formatError } from "../../util/logging";
 import { CredentialFlowGetTokenOptions } from "../credentials";
+import { ClientCertificateCredentialPEMConfiguration } from "../../credentials/clientCertificateCredential";
 
 const readFileAsync = promisify(readFile);
 
@@ -20,7 +21,7 @@ export interface MSALClientCertificateOptions extends MsalNodeOptions {
   /**
    * Location of the PEM certificate.
    */
-  certificatePath: string;
+  configuration: ClientCertificateCredentialPEMConfiguration;
   /**
    * Option to include x5c header for SubjectName and Issuer name authorization.
    * Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim
@@ -50,18 +51,19 @@ interface CertificateParts {
 /**
  * Tries to asynchronously load a certificate from the given path.
  *
- * @param certificatePath - Path to the certificate.
+ * @param configuration - Either the PEM value or the path to the certificate.
  * @param sendCertificateChain - Option to include x5c header for SubjectName and Issuer name authorization.
  * @returns - The certificate parts, or `undefined` if the certificate could not be loaded.
  * @internal
  */
 export async function parseCertificate(
-  certificatePath: string,
+  configuration: ClientCertificateCredentialPEMConfiguration,
   sendCertificateChain?: boolean
 ): Promise<CertificateParts> {
   const certificateParts: Partial<CertificateParts> = {};
 
-  certificateParts.certificateContents = await readFileAsync(certificatePath, "utf8");
+  certificateParts.certificateContents =
+    configuration.certificate || (await readFileAsync(configuration.certificatePath!, "utf8"));
   if (sendCertificateChain) {
     certificateParts.x5c = certificateParts.certificateContents;
   }
@@ -95,20 +97,20 @@ export async function parseCertificate(
  * @internal
  */
 export class MsalClientCertificate extends MsalNode {
-  private certificatePath: string;
+  private configuration: ClientCertificateCredentialPEMConfiguration;
   private sendCertificateChain?: boolean;
 
   constructor(options: MSALClientCertificateOptions) {
     super(options);
     this.requiresConfidential = true;
-    this.certificatePath = options.certificatePath;
+    this.configuration = options.configuration;
     this.sendCertificateChain = options.sendCertificateChain;
   }
 
   // Changing the MSAL configuration asynchronously
   async init(options?: CredentialFlowGetTokenOptions): Promise<void> {
     try {
-      const parts = await parseCertificate(this.certificatePath, this.sendCertificateChain);
+      const parts = await parseCertificate(this.configuration, this.sendCertificateChain);
       this.msalConfig.auth.clientCertificate = {
         thumbprint: parts.thumbprint,
         privateKey: parts.certificateContents,

sdk/identity/identity/src/msal/nodeFlows/msalOnBehalfOf.ts

@@ -55,7 +55,10 @@ export class MsalOnBehalfOf extends MsalNode {
   async init(options?: CredentialFlowGetTokenOptions): Promise<void> {
     if (this.certificatePath) {
       try {
-        const parts = await parseCertificate(this.certificatePath, this.sendCertificateChain);
+        const parts = await parseCertificate(
+          { certificatePath: this.certificatePath },
+          this.sendCertificateChain
+        );
         this.msalConfig.auth.clientCertificate = {
           thumbprint: parts.thumbprint,
           privateKey: parts.certificateContents,