Skip to content

Support azure.keyvault.access-token in azure-security-keyvault-jca#47850

Merged
rujche merged 16 commits intomainfrom
copilot/support-bearer-tokens-auth
Feb 2, 2026
Merged

Support azure.keyvault.access-token in azure-security-keyvault-jca#47850
rujche merged 16 commits intomainfrom
copilot/support-bearer-tokens-auth

Conversation

Copy link
Contributor

Copilot AI commented Jan 29, 2026
edited
Loading

Implementation Complete: ****** Authentication Support

  • Understand current authentication flow and priorities
  • Add access token field to KeyVaultClient
  • Modify obtainAccessToken to support bearer tokens with proper priority (Managed Identity > Access Token > Client Credentials)
  • Update createKeyVaultClientBySystemProperty to read access-token property
  • Update KeyVaultKeyStore constructor to read and pass access-token property
  • Update KeyVaultCertificates to support access-token parameter
  • Update KeyVaultLoadStoreParameter to include access-token
  • Add AccessToken constructor for bearer token support
  • Update README.md documentation with property listing
  • Add comprehensive tests for access token authentication
  • Fix checkstyle issues (make providedAccessToken final)
  • Build and test changes - All 83 tests passing
  • Verify checkstyle and spotbugs pass
  • Update CHANGELOG.md with new feature
  • Address all code review feedback:
    • Set token expiration to effectively infinite to prevent auto-refresh attempts
    • Added empty string validation for providedAccessToken
    • Removed unused constructor
    • Removed usage example section from README (will be added in PR Add Workload Identity Auth Support in KV JCA #47051)
    • Removed authentication priority section from README (will be added in PR Add Workload Identity Auth Support in KV JCA #47051)
    • Kept providedAccessToken field name for clarity
    • Renamed getAccessTokenByHttpRequest to obtainAccessToken for accuracy

Summary

This PR adds support for bearer token authentication via the new azure.keyvault.access-token system property. This enhancement enables users to:

  1. Use pre-obtained access tokens for authentication without providing client credentials
  2. Receive clear authentication errors when tokens expire (no auto-refresh mechanism)
  3. Maintain proper authentication priority: Managed Identity > Access Token > Client Credentials

Changes Made

Core Implementation:

  • Added providedAccessToken field to KeyVaultClient with proper authentication priority logic
  • Implemented empty string validation for access tokens
  • Set expiration to Long.MAX_VALUE / 1000 (effectively infinite) to prevent futile auto-refresh attempts
  • When provided tokens expire on Azure's side, authentication requests fail with runtime exceptions, informing users to provide fresh tokens
  • Updated KeyVaultLoadStoreParameter to accept and pass access tokens through the main constructor
  • Modified KeyVaultCertificates and KeyVaultKeyStore to support the new authentication method
  • Added constructor to AccessToken model for creating instances from provided tokens
  • Renamed getAccessTokenByHttpRequest to obtainAccessToken to accurately reflect its behavior

Documentation:

  • Updated README.md with new property in the configuration list
  • Added CHANGELOG.md entry documenting the new feature

Testing:

  • Added unit tests for access token authentication (testAccessTokenAuthentication)
  • Added tests verifying authentication priority order (testAuthenticationPriority)
  • All 83 existing tests continue to pass

Authentication Priority

The implementation ensures the following priority order in code:

  1. Managed Identity (azure.keyvault.managed-identity) - Highest priority
  2. Access Token (azure.keyvault.access-token) - Middle priority
  3. Client Credentials (azure.keyvault.client-id + azure.keyvault.client-secret) - Lowest priority

Token Lifecycle

Provided access tokens do not auto-refresh. The token is set with effectively infinite expiration to prevent the code from attempting to refresh it. When the actual token expires on Azure's side, authentication requests will fail with runtime exceptions, which correctly informs users they need to provide a fresh token through the azure.keyvault.access-token system property.

Original prompt

This section details on the original issue you should resolve

<issue_title>[FEATURE REQ] azure-security-keyvault-jca should support bearer tokens</issue_title>
<issue_description>Is your feature request related to a problem? Please describe.
I would like to be able to use an Azure accessToken as a means for authentication when using the azure-security-keyvault-jca in the same manner that the azuresigntool allows with the command line -kva option, while not having to supply a client ID and client secret.

Describe the solution you'd like
I would like to have an exposed option for the azure-security-keyvault-jca of azure.keyvault.accesstoken in which I can utilize an access token for authentication, instead of having to supply the client ID and client secret. This would allow me to programmatically utilize multi-factor authentication for my code signing needs by first authenticating my service principal to Azure utilizing only a certificate (something I have), requesting a temporary access token, then utilizing that temporary access token (something I know) to perform my code signings utilizing the azure-security-keyvault-jca.

Describe alternatives you've considered
Utilizing the current azure-security-keyvault-jca authentication option of supplying client ID and client secret works, but it does not provide me with multi-factor authentication. Also my code signing servers are standalone and are not integrated to my Microsoft Entra ID so I cant utilize managed identities.

Additional context
N/A

Information Checklist
Kindly make sure that you have added all the following information above and checkoff the required fields otherwise we will treat the issuer as an incomplete report

  • Description Added
  • Expected solution specified
    </issue_description>

<agent_instructions>Support new property: "azure.keyvault.access-token", its priority should below "azure.keyvault.managed-identity", but above "azure.keyvault.client-id" and "azure.keyvault.client-secret".</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@joshfree Hi @GuzDaMan thank you for reaching out to us via GitHub. I've routed your feature request to the KV SDK owner, @vcolin7 to reply with more details. /cc @chlowell @vcolin7 @saragluna, @rujche would you mind taking a look at this issue when you get a chance? Thanks!

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI and others added 4 commits January 29, 2026 06:52
@rujche
Add bearer token authentication support with azure.keyvault.access-to…
c094cd3 
…ken property

Co-authored-by: rujche <171773178+rujche@users.noreply.github.com>
@rujche
Add tests for bearer token authentication and fix checkstyle issues
8312b07 
Co-authored-by: rujche <171773178+rujche@users.noreply.github.com>
@rujche
Update CHANGELOG.md with bearer token authentication feature
c7440f6 
Co-authored-by: rujche <171773178+rujche@users.noreply.github.com>
@rujche
Address code review feedback: fix token expiration, add validation, i…
5caa342 
…mprove docs

Co-authored-by: rujche <171773178+rujche@users.noreply.github.com>
Copilot AI changed the title [WIP] Add support for bearer tokens in azure-security-keyvault-jca Add bearer token authentication support via azure.keyvault.access-token Jan 29, 2026
Copilot AI requested a review from rujche January 29, 2026 07:05
@rujche
Remove unused KeyVaultLoadStoreParameter constructor with boolean par…
b3ebe9f 
…ameter

Co-authored-by: rujche <171773178+rujche@users.noreply.github.com>
Copilot AI requested a review from rujche January 29, 2026 07:57
rujche
rujche reviewed Jan 29, 2026
View reviewed changes
rujche
rujche reviewed Jan 29, 2026
View reviewed changes
@rujche rujche mentioned this pull request Jan 29, 2026
Merged
@rujche
Remove Authentication with Access Token section from README per revie…
6cf79db 
…w feedback

Co-authored-by: rujche <171773178+rujche@users.noreply.github.com>
Copilot AI requested a review from rujche January 29, 2026 08:02
@rujche
Remove Authentication Priority section from README and simplify varia…
a878e9d 
…ble naming

Co-authored-by: rujche <171773178+rujche@users.noreply.github.com>
Copilot AI requested a review from rujche January 29, 2026 08:12
@rujche rujche requested review from a team, Netyyyy, moarychan and saragluna as code owners January 29, 2026 09:10
Copilot AI review requested due to automatic review settings January 29, 2026 09:10
@rujche
Copy link
Member

rujche commented Jan 29, 2026

/azp run java - keyvault tests

@azure-pipelines
Copy link

azure-pipelines bot commented Jan 29, 2026

No pipelines are associated with this pull request.

@rujche rujche added azure-spring All azure-spring related issues azure-spring-jca labels Jan 29, 2026
@rujche rujche moved this from Todo to In Progress in Spring Cloud Azure Jan 29, 2026
@rujche rujche added this to the 2026-02 milestone Jan 29, 2026
@rujche
Copy link
Member

rujche commented Jan 29, 2026

Confirmed the unit test work as expected:

Image
Image
Image

@rujche rujche changed the title Add bearer token authentication support via azure.keyvault.access-token Support azure.keyvault.access-token in azure-security-keyvault-jca Jan 29, 2026
Copilot AI reviewed Jan 29, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request adds support for bearer token authentication via the new azure.keyvault.access-token system property to the Azure Key Vault JCA library. This enhancement enables users to provide pre-obtained access tokens for authentication without requiring client credentials, supporting multi-factor authentication scenarios.

Changes:

  • Added bearer token authentication support with proper authentication priority: Managed Identity > Access Token > Client Credentials
  • Implemented token lifecycle management where provided tokens don't auto-refresh, and expiration is handled by Azure returning authentication errors
  • Consolidated and improved test coverage for Key Vault client authentication scenarios

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/KeyVaultClient.java Added providedAccessToken field and authentication priority logic in obtainAccessToken method; renamed getAccessTokenByHttpRequest to obtainAccessToken
sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultLoadStoreParameter.java Added accessToken field and constructor parameter to support passing access tokens
sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java Updated to read azure.keyvault.access-token system property and pass to KeyVaultCertificates
sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/certificates/KeyVaultCertificates.java Added accessToken parameter to constructors and updateKeyVaultClient methods
sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/model/AccessToken.java Added constructor accepting accessToken and expiresIn parameters for creating AccessToken instances from provided tokens
sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/implementation/KeyVaultClientTest.java Added comprehensive tests for access token authentication and authentication priority; consolidated integration tests from removed file
sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/KeyVaultClientTest.java Removed duplicate test file; tests consolidated into implementation package
sdk/keyvault/azure-security-keyvault-jca/README.md Added documentation for the new azure.keyvault.access-token property
sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md Added feature entry describing bearer token authentication support

@github-actions
Copy link
Contributor

github-actions bot commented Feb 2, 2026

API Change Check

APIView identified API level changes in this PR and created the following API reviews

com.azure:azure-security-keyvault-jca

@rujche rujche merged commit 9e40de0 into main Feb 2, 2026
19 checks passed
@rujche rujche deleted the copilot/support-bearer-tokens-auth branch February 2, 2026 02:25
@github-project-automation github-project-automation bot moved this from In Progress to Done in Spring Cloud Azure Feb 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rujche rujche rujche left review comments

Copilot code review Copilot Copilot left review comments

@Netyyyy Netyyyy Netyyyy approved these changes

@saragluna saragluna Awaiting requested review from saragluna

@moarychan moarychan Awaiting requested review from moarychan

Assignees

@rujche rujche

Copilot code review Copilot

Labels

azure-spring All azure-spring related issues azure-spring-jca

Projects

Spring Cloud Azure
Status: Done

Milestone

2026-02

Development

Successfully merging this pull request may close these issues.

[FEATURE REQ] azure-security-keyvault-jca should support bearer tokens

3 participants

@rujche @Netyyyy

Comments