diff --git a/src/Maestro/Client/src/MaestroApiFactory.cs b/src/Maestro/Client/src/MaestroApiFactory.cs
index 71770fde56..bc60def6d6 100644
--- a/src/Maestro/Client/src/MaestroApiFactory.cs
+++ b/src/Maestro/Client/src/MaestroApiFactory.cs
@@ -13,13 +13,11 @@ public static class MaestroApiFactory
///
/// URI of the build asset registry service to use.
/// Optional BAR token. When provided, will be used as the primary auth method.
- /// Optional federated credentials token.
/// Managed Identity to use for the auth
/// Whether to include interactive login flows
public static IMaestroApi GetAuthenticated(
string baseUri,
string? accessToken,
- string? federatedToken,
string? managedIdentityId,
bool disableInteractiveAuth)
{
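Review bot: Dropping `federatedToken` leaves this `baseUri` overload with the same (string, string, string, bool) shape that the tokens-only overload had before this commit (its hunk follows at `@@ -35,12 +32,10 @@`). A positional four-argument call written against the old tokens-only overload therefore still compiles, and now passes the access token as `baseUri` and the federated token as `accessToken`. The call sites in this repository are updated here, but consumers of the client package outside it are not visible from this diff. Since `MaestroApiOptions` hands `baseUri` to `new Uri(...)`, such a call should fail at runtime rather than authenticate, but the break deserves an explicit remark, for example `/// <remarks>The overload taking a federated token was removed; positional four-argument calls now bind here with the first argument as baseUri.</remarks>`, and named arguments (`baseUri:`, `accessToken:`) at call sites. The method body continues outside the hunk.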
@@ -27,7 +25,6 @@ public static IMaestroApi GetAuthenticated(
baseUri,
accessToken,
managedIdentityId,
- federatedToken,
disableInteractiveAuth));
}
@@ -35,12 +32,10 @@ public static IMaestroApi GetAuthenticated(
/// Obtains API client for authenticated access to Maestro.
///
/// Optional BAR token. When provided, will be used as the primary auth method.
- /// Optional federated token. When provided, will be used as the primary auth method.
/// Managed Identity to use for the auth
/// Whether to include interactive login flows
public static IMaestroApi GetAuthenticated(
string? accessToken,
- string? federatedToken,
string? managedIdentityId,
bool disableInteractiveAuth)
{
@@ -48,7 +43,6 @@ public static IMaestroApi GetAuthenticated(
MaestroApiOptions.StagingBuildAssetRegistryBaseUri,
accessToken,
managedIdentityId,
- federatedToken,
disableInteractiveAuth));
}
diff --git a/src/Maestro/Client/src/MaestroApiOptions.cs b/src/Maestro/Client/src/MaestroApiOptions.cs
index 9b98163bd2..bba86e5697 100644
--- a/src/Maestro/Client/src/MaestroApiOptions.cs
+++ b/src/Maestro/Client/src/MaestroApiOptions.cs
@@ -39,9 +39,8 @@ public partial class MaestroApiOptions
/// API base URI
/// Optional BAR token. When provided, will be used as the primary auth method.
/// Managed Identity to use for the auth
- /// Optional federated token. When provided, will be used as the primary auth method.
/// Whether to include interactive login flows
- public MaestroApiOptions(string baseUri, string accessToken, string managedIdentityId, string federatedToken, bool disableInteractiveAuth)
+ public MaestroApiOptions(string baseUri, string accessToken, string managedIdentityId, bool disableInteractiveAuth)
: this(
new Uri(baseUri),
AppCredentialResolver.CreateCredential(
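Review bot: The rewritten constructor signature still types `accessToken` and `managedIdentityId` as non-nullable `string`, although the doc comment calls the token optional and `MaestroApiFactory.GetAuthenticated` forwards `string?` values into it. If this file is compiled with nullable reference types enabled (not visible in the hunk), the signature misstates the contract for credential inputs; I would write `public MaestroApiOptions(string baseUri, string? accessToken, string? managedIdentityId, bool disableInteractiveAuth)`. That also matches the `string? Token` property on the resolver options. The constructor's initializer continues in the next hunk.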
@@ -49,7 +48,6 @@ public MaestroApiOptions(string baseUri, string accessToken, string managedIdent
{
DisableInteractiveAuth = disableInteractiveAuth,
Token = accessToken,
- FederatedToken = federatedToken,
ManagedIdentityId = managedIdentityId,
UserScope = APP_USER_SCOPE,
}))
diff --git a/src/Maestro/Maestro.Common/AppCredentials/AppCredential.cs b/src/Maestro/Maestro.Common/AppCredentials/AppCredential.cs
index 571e4e759e..866a4ed932 100644
--- a/src/Maestro/Maestro.Common/AppCredentials/AppCredential.cs
+++ b/src/Maestro/Maestro.Common/AppCredentials/AppCredential.cs
@@ -116,20 +116,6 @@ private static InteractiveBrowserCredential GetInteractiveCredential(
return credential;
}
- ///
- /// Use this for invocations from pipelines with a federated token
- ///
- public static AppCredential CreateFederatedCredential(string appId, string federatedToken)
- {
- var credential = new ClientAssertionCredential(
- TENANT_ID,
- appId,
- token => Task.FromResult(federatedToken));
-
- var requestContext = new TokenRequestContext([$"api://{appId}/.default"]);
- return new AppCredential(credential, requestContext);
- }
-
///
/// Use this for invocations from services using an MI.
/// ID can be "system" for system-assigned identity or GUID for a user assigned one.
diff --git a/src/Maestro/Maestro.Common/AppCredentials/AppCredentialResolver.cs b/src/Maestro/Maestro.Common/AppCredentials/AppCredentialResolver.cs
index 6feadf090b..bc679f6d32 100644
--- a/src/Maestro/Maestro.Common/AppCredentials/AppCredentialResolver.cs
+++ b/src/Maestro/Maestro.Common/AppCredentials/AppCredentialResolver.cs
@@ -18,25 +18,19 @@ public static TokenCredential CreateCredential(AppCredentialResolverOptions opti
return new ResolvedCredential(options.Token!);
}
- // 2. Federated token that can be used to fetch an app token (for CI scenarios)
- if (!string.IsNullOrEmpty(options.FederatedToken))
- {
- return AppCredential.CreateFederatedCredential(options.AppId, options.FederatedToken!);
- }
-
- // 3. Managed identity (for server-to-server scenarios - e.g. PCS->Maestro)
+ // 2. Managed identity (for server-to-server scenarios - e.g. PCS->Maestro)
if (!string.IsNullOrEmpty(options.ManagedIdentityId))
{
return AppCredential.CreateManagedIdentityCredential(options.AppId, options.ManagedIdentityId!);
}
- // 4. Azure CLI authentication setup by the caller (for CI scenarios)
+ // 3. Azure CLI authentication setup by the caller (for CI scenarios)
if (options.DisableInteractiveAuth)
{
return AppCredential.CreateNonUserCredential(options.AppId);
}
- // 5. Interactive login (user-based scenario)
+ // 4. Interactive login (user-based scenario)
return AppCredential.CreateUserCredential(options.AppId, options.UserScope);
}
}
diff --git a/src/Maestro/Maestro.Common/AppCredentials/CredentialResolverOptions.cs b/src/Maestro/Maestro.Common/AppCredentials/CredentialResolverOptions.cs
index 25871eb8c7..b66ab70969 100644
--- a/src/Maestro/Maestro.Common/AppCredentials/CredentialResolverOptions.cs
+++ b/src/Maestro/Maestro.Common/AppCredentials/CredentialResolverOptions.cs
@@ -15,11 +15,6 @@ public class CredentialResolverOptions
///
public string? Token { get; set; }
- ///
- /// Federated token to use for fetching the token. If none supplied, will try other flows.
- ///
- public string? FederatedToken { get; set; }
-
///
/// Managed Identity to use for the auth
///
diff --git a/src/Maestro/Maestro.Common/AzureDevOpsTokens/AzureDevOpsTokenProvider.cs b/src/Maestro/Maestro.Common/AzureDevOpsTokens/AzureDevOpsTokenProvider.cs
index 0e871de32b..0bb9ed58a8 100644
--- a/src/Maestro/Maestro.Common/AzureDevOpsTokens/AzureDevOpsTokenProvider.cs
+++ b/src/Maestro/Maestro.Common/AzureDevOpsTokens/AzureDevOpsTokenProvider.cs
@@ -126,14 +126,7 @@ private static Dictionary GetCredentials(
continue;
}
- // 2. Federated token that can be used to fetch an app token (for CI scenarios)
- if (!string.IsNullOrEmpty(option.FederatedToken))
- {
- credentials[account] = AppCredential.CreateFederatedCredential(option.AppId, option.FederatedToken!);
- continue;
- }
-
- // 3. Managed identity (for server-to-AzDO scenarios)
+ // 2. Managed identity (for server-to-AzDO scenarios)
if (!string.IsNullOrEmpty(option.ManagedIdentityId))
{
credentials[account] = option.ManagedIdentityId == "system"
@@ -142,14 +135,14 @@ private static Dictionary GetCredentials(
continue;
}
- // 4. Azure CLI authentication setup by the caller (for CI scenarios)
+ // 3. Azure CLI authentication setup by the caller (for CI scenarios)
if (option.DisableInteractiveAuth)
{
credentials[account] = AppCredential.CreateNonUserCredential(option.AppId);
continue;
}
- // 5. Interactive login (user-based scenario)
+ // 4. Interactive login (user-based scenario)
credentials[account] = new DefaultAzureCredential(includeInteractiveCredentials: true);
}
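Review bot: The renumbered comment `// 4. Interactive login (user-based scenario)` understates what the last fallback does. `new DefaultAzureCredential(includeInteractiveCredentials: true)` walks the library's whole credential chain (environment variables, workload identity, managed identity, developer-tool logins) and reaches the interactive browser only at the end. With the explicit federated branch removed, an ambient workload-identity or environment credential on the machine may still be selected here without any prompt; the exact chain depends on the Azure.Identity version in use. I would reword the comment to `// 4. DefaultAzureCredential chain (ambient environment / workload / managed identity, developer tools), ending in interactive login` so the precedence is visible to whoever audits which identity a run used. GetCredentials starts outside the hunk.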
diff --git a/src/Maestro/Maestro.Web/Startup.cs b/src/Maestro/Maestro.Web/Startup.cs
index 8990475448..9cfda66ace 100644
--- a/src/Maestro/Maestro.Web/Startup.cs
+++ b/src/Maestro/Maestro.Web/Startup.cs
@@ -263,7 +263,6 @@ public override void ConfigureServices(IServiceCollection services)
targetUri,
accessToken: token,
managedIdentityId: managedIdentityId,
- federatedToken: null,
disableInteractiveAuth: !IsLocalKestrelDevMode));
}
diff --git a/src/Maestro/Microsoft.DotNet.Maestro.Tasks/src/PushMetadataToBuildAssetRegistry.cs b/src/Maestro/Microsoft.DotNet.Maestro.Tasks/src/PushMetadataToBuildAssetRegistry.cs
index b3e6dd4fc6..9037e4c2b3 100644
--- a/src/Maestro/Microsoft.DotNet.Maestro.Tasks/src/PushMetadataToBuildAssetRegistry.cs
+++ b/src/Maestro/Microsoft.DotNet.Maestro.Tasks/src/PushMetadataToBuildAssetRegistry.cs
@@ -145,7 +145,6 @@ public async Task PushMetadataAsync(CancellationToken cancellationToken)
IMaestroApi client = MaestroApiFactory.GetAuthenticated(
MaestroApiEndpoint,
BuildAssetRegistryToken,
- federatedToken: null,
managedIdentityId: null,
!AllowInteractive);
diff --git a/src/Microsoft.DotNet.Darc/Darc/Helpers/RemoteFactory.cs b/src/Microsoft.DotNet.Darc/Darc/Helpers/RemoteFactory.cs
index a94452e498..f077080842 100644
--- a/src/Microsoft.DotNet.Darc/Darc/Helpers/RemoteFactory.cs
+++ b/src/Microsoft.DotNet.Darc/Darc/Helpers/RemoteFactory.cs
@@ -28,7 +28,6 @@ public static IRemote GetRemote(ICommandLineOptions options, string repoUrl, ILo
public static IBarApiClient GetBarClient(ICommandLineOptions options, ILogger logger)
=> new BarApiClient(
options.BuildAssetRegistryToken,
- options.FederatedToken,
managedIdentityId: null,
options.IsCi,
options.BuildAssetRegistryBaseUri);
diff --git a/src/Microsoft.DotNet.Darc/Darc/Options/CommandLineOptions.cs b/src/Microsoft.DotNet.Darc/Darc/Options/CommandLineOptions.cs
index 02600260d5..2ea7184e39 100644
--- a/src/Microsoft.DotNet.Darc/Darc/Options/CommandLineOptions.cs
+++ b/src/Microsoft.DotNet.Darc/Darc/Options/CommandLineOptions.cs
@@ -33,11 +33,6 @@ public abstract class CommandLineOptions : ICommandLineOptions
[RedactFromLogging]
public string BuildAssetRegistryToken { get; set; }
- [Option('t', "federated-token",
- HelpText = "Federated credentials token used to authenticate to BAR. If it or the generic token are omitted, auth falls back to Azure CLI or an interactive browser login flow.")]
- [RedactFromLogging]
- public string FederatedToken { get; set; }
-
[Option("github-pat", HelpText = "Token used to authenticate GitHub.")]
[RedactFromLogging]
public string GitHubPat { get; set; }
@@ -158,7 +153,6 @@ public virtual IServiceCollection RegisterServices(IServiceCollection services)
o["default"] = new AzureDevOpsCredentialResolverOptions
{
Token = AzureDevOpsPat,
- FederatedToken = FederatedToken,
DisableInteractiveAuth = IsCi,
};
});
diff --git a/src/Microsoft.DotNet.Darc/Darc/Options/ICommandLineOptions.cs b/src/Microsoft.DotNet.Darc/Darc/Options/ICommandLineOptions.cs
index eec3ce231e..b7054ada55 100644
--- a/src/Microsoft.DotNet.Darc/Darc/Options/ICommandLineOptions.cs
+++ b/src/Microsoft.DotNet.Darc/Darc/Options/ICommandLineOptions.cs
@@ -13,7 +13,6 @@ public interface ICommandLineOptions
{
string AzureDevOpsPat { get; set; }
string BuildAssetRegistryBaseUri { get; set; }
- string FederatedToken { get; set; }
string BuildAssetRegistryToken { get; set; }
string GitHubPat { get; set; }
string GitLocation { get; set; }
diff --git a/src/Microsoft.DotNet.Darc/DarcLib/BarApiClient.cs b/src/Microsoft.DotNet.Darc/DarcLib/BarApiClient.cs
index c760331a64..4a3d29fc99 100644
--- a/src/Microsoft.DotNet.Darc/DarcLib/BarApiClient.cs
+++ b/src/Microsoft.DotNet.Darc/DarcLib/BarApiClient.cs
@@ -20,11 +20,11 @@ public class BarApiClient : IBarApiClient
{
private readonly IMaestroApi _barClient;
- public BarApiClient(string? buildAssetRegistryPat, string? federatedToken, string? managedIdentityId, bool disableInteractiveAuth, string? buildAssetRegistryBaseUri = null)
+ public BarApiClient(string? buildAssetRegistryPat, string? managedIdentityId, bool disableInteractiveAuth, string? buildAssetRegistryBaseUri = null)
{
_barClient = !string.IsNullOrEmpty(buildAssetRegistryBaseUri)
- ? MaestroApiFactory.GetAuthenticated(buildAssetRegistryBaseUri, buildAssetRegistryPat, federatedToken, managedIdentityId, disableInteractiveAuth)
- : MaestroApiFactory.GetAuthenticated(buildAssetRegistryPat, managedIdentityId, federatedToken, disableInteractiveAuth);
+ ? MaestroApiFactory.GetAuthenticated(buildAssetRegistryBaseUri, buildAssetRegistryPat, managedIdentityId, disableInteractiveAuth)
+ : MaestroApiFactory.GetAuthenticated(buildAssetRegistryPat, managedIdentityId, disableInteractiveAuth);
}
#region Channel Operations
diff --git a/src/ProductConstructionService/ProductConstructionService.Api/Configuration/PcsConfiguration.cs b/src/ProductConstructionService/ProductConstructionService.Api/Configuration/PcsConfiguration.cs
index be7b6ee53c..f646899be8 100644
--- a/src/ProductConstructionService/ProductConstructionService.Api/Configuration/PcsConfiguration.cs
+++ b/src/ProductConstructionService/ProductConstructionService.Api/Configuration/PcsConfiguration.cs
@@ -91,7 +91,6 @@ public static void ConfigurePcs(
uri,
accessToken: null,
managedIdentityId: managedIdentityId,
- federatedToken: null,
disableInteractiveAuth: true);
});
diff --git a/src/ProductConstructionService/ProductConstructionService.Client/ProductConstructionServiceApiOptions.cs b/src/ProductConstructionService/ProductConstructionService.Client/ProductConstructionServiceApiOptions.cs
index 1dbfe0212f..e27da4b9d6 100644
--- a/src/ProductConstructionService/ProductConstructionService.Client/ProductConstructionServiceApiOptions.cs
+++ b/src/ProductConstructionService/ProductConstructionService.Client/ProductConstructionServiceApiOptions.cs
@@ -30,7 +30,6 @@ public ProductConstructionServiceApiOptions(string baseUri, string accessToken,
{
DisableInteractiveAuth = true, // the client is only used in Maestro for now
Token = accessToken,
- FederatedToken = null,
ManagedIdentityId = managedIdentityId,
}))
{
diff --git a/test/Maestro.ScenarioTests/TestParameters.cs b/test/Maestro.ScenarioTests/TestParameters.cs
index 1717cd5f34..378b73c1b3 100644
--- a/test/Maestro.ScenarioTests/TestParameters.cs
+++ b/test/Maestro.ScenarioTests/TestParameters.cs
@@ -66,7 +66,6 @@ public static async Task GetAsync(bool useNonPrimaryEndpoint = f
maestroBaseUri,
maestroToken,
managedIdentityId: null,
- federatedToken: null,
disableInteractiveAuth: isCI);
string? darcRootDir = darcDir;
diff --git a/test/Microsoft.DotNet.Darc.VirtualMonoRepo.E2E.Tests/VmrTestsBase.cs b/test/Microsoft.DotNet.Darc.VirtualMonoRepo.E2E.Tests/VmrTestsBase.cs
index fe40bfdab9..47b7647995 100644
--- a/test/Microsoft.DotNet.Darc.VirtualMonoRepo.E2E.Tests/VmrTestsBase.cs
+++ b/test/Microsoft.DotNet.Darc.VirtualMonoRepo.E2E.Tests/VmrTestsBase.cs
@@ -84,7 +84,6 @@ public void DeleteCurrentTestDirectory()
.AddVmrManagers("git", VmrPath, TmpPath, null, null)
.AddSingleton(new BarApiClient(
buildAssetRegistryPat: null,
- federatedToken: null,
managedIdentityId: null,
disableInteractiveAuth: true,
buildAssetRegistryBaseUri: MaestroApiOptions.StagingBuildAssetRegistryBaseUri));