[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-59820e57-8bf7-4389-8765-c3908dc581fa":3,"$fqvXEDAiWZArMXS3Xtac4bWXmC225JkmDVG0seBRv8XM":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"59820e57-8bf7-4389-8765-c3908dc581fa","azure-identity-java","Authenticate Java applications with Azure services using Microsoft Entra ID (Azure AD).","cat_coding_devops","mod_coding","sickn33,coding","---\nname: azure-identity-java\ndescription: \"Authenticate Java applications with Azure services using Microsoft Entra ID (Azure AD).\"\nrisk: unknown\nsource: community\ndate_added: \"2026-02-27\"\n---\n\n# Azure Identity (Java)\n\nAuthenticate Java applications with Azure services using Microsoft Entra ID (Azure AD).\n\n## Installation\n\n```xml\n\u003Cdependency>\n    \u003CgroupId>com.azure\u003C\u002FgroupId>\n    \u003CartifactId>azure-identity\u003C\u002FartifactId>\n    \u003Cversion>1.15.0\u003C\u002Fversion>\n\u003C\u002Fdependency>\n```\n\n## Key Concepts\n\n| Credential | Use Case |\n|------------|----------|\n| `DefaultAzureCredential` | **Recommended** - Works in dev and production |\n| `ManagedIdentityCredential` | Azure-hosted apps (App Service, Functions, VMs) |\n| `EnvironmentCredential` | CI\u002FCD pipelines with env vars |\n| `ClientSecretCredential` | Service principals with secret |\n| `ClientCertificateCredential` | Service principals with certificate |\n| `AzureCliCredential` | Local dev using `az login` |\n| `InteractiveBrowserCredential` | Interactive login flow |\n| `DeviceCodeCredential` | Headless device authentication |\n\n## DefaultAzureCredential (Recommended)\n\nThe `DefaultAzureCredential` tries multiple authentication methods in order:\n\n1. Environment variables\n2. Workload Identity\n3. Managed Identity\n4. Azure CLI\n5. Azure PowerShell\n6. 
Azure Developer CLI\n\n```java\nimport com.azure.identity.DefaultAzureCredential;\nimport com.azure.identity.DefaultAzureCredentialBuilder;\nimport com.azure.security.keyvault.keys.KeyClient;\nimport com.azure.security.keyvault.keys.KeyClientBuilder;\nimport com.azure.storage.blob.BlobServiceClient;\nimport com.azure.storage.blob.BlobServiceClientBuilder;\n\n\u002F\u002F Simple usage\nDefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();\n\n\u002F\u002F Use with any Azure client\nBlobServiceClient blobClient = new BlobServiceClientBuilder()\n    .endpoint(\"https:\u002F\u002F\u003Cstorage-account>.blob.core.windows.net\")\n    .credential(credential)\n    .buildClient();\n\nKeyClient keyClient = new KeyClientBuilder()\n    .vaultUrl(\"https:\u002F\u002F\u003Cvault-name>.vault.azure.net\")\n    .credential(credential)\n    .buildClient();\n```\n\n### Configure DefaultAzureCredential\n\n```java\nDefaultAzureCredential credential = new DefaultAzureCredentialBuilder()\n    .managedIdentityClientId(\"\u003Cuser-assigned-identity-client-id>\")  \u002F\u002F For user-assigned MI\n    .tenantId(\"\u003Ctenant-id>\")                                        \u002F\u002F Limit to specific tenant\n    .excludeEnvironmentCredential()                                 \u002F\u002F Skip env vars\n    .excludeAzureCliCredential()                                    \u002F\u002F Skip Azure CLI\n    .build();\n```\n\n## Managed Identity\n\nFor Azure-hosted applications (App Service, Functions, AKS, VMs).\n\n```java\nimport com.azure.identity.ManagedIdentityCredential;\nimport com.azure.identity.ManagedIdentityCredentialBuilder;\n\n\u002F\u002F System-assigned managed identity\nManagedIdentityCredential systemAssigned = new ManagedIdentityCredentialBuilder()\n    .build();\n\n\u002F\u002F User-assigned managed identity (by client ID)\nManagedIdentityCredential userAssignedByClientId = new ManagedIdentityCredentialBuilder()\n    .clientId(\"\u003Cuser-assigned-client-id>\")\n    .build();\n\n\u002F\u002F User-assigned managed identity (by resource ID)\nManagedIdentityCredential userAssignedByResourceId = new ManagedIdentityCredentialBuilder()\n    
.resourceId(\"\u002Fsubscriptions\u002F\u003Csub>\u002FresourceGroups\u002F\u003Crg>\u002Fproviders\u002FMicrosoft.ManagedIdentity\u002FuserAssignedIdentities\u002F\u003Cname>\")\n    .build();\n```\n\n## Service Principal with Secret\n\n```java\nimport com.azure.identity.ClientSecretCredential;\nimport com.azure.identity.ClientSecretCredentialBuilder;\n\nClientSecretCredential credential = new ClientSecretCredentialBuilder()\n    .tenantId(\"\u003Ctenant-id>\")\n    .clientId(\"\u003Cclient-id>\")\n    .clientSecret(\"\u003Cclient-secret>\")\n    .build();\n```\n\n## Service Principal with Certificate\n\n```java\nimport com.azure.identity.ClientCertificateCredential;\nimport com.azure.identity.ClientCertificateCredentialBuilder;\n\n\u002F\u002F From PEM file\nClientCertificateCredential pemCredential = new ClientCertificateCredentialBuilder()\n    .tenantId(\"\u003Ctenant-id>\")\n    .clientId(\"\u003Cclient-id>\")\n    .pemCertificate(\"\u003Cpath-to-cert.pem>\")\n    .build();\n\n\u002F\u002F From PFX file with password\nClientCertificateCredential pfxCredential = new ClientCertificateCredentialBuilder()\n    .tenantId(\"\u003Ctenant-id>\")\n    .clientId(\"\u003Cclient-id>\")\n    .pfxCertificate(\"\u003Cpath-to-cert.pfx>\", \"\u003Cpfx-password>\")\n    .build();\n\n\u002F\u002F Send certificate chain (x5c) for subject name\u002Fissuer (SNI) authentication\nClientCertificateCredential chainCredential = new ClientCertificateCredentialBuilder()\n    .tenantId(\"\u003Ctenant-id>\")\n    .clientId(\"\u003Cclient-id>\")\n    .pemCertificate(\"\u003Cpath-to-cert.pem>\")\n    .sendCertificateChain(true)\n    .build();\n```\n\n## Environment Credential\n\nReads credentials from environment variables.\n\n```java\nimport com.azure.identity.EnvironmentCredential;\nimport com.azure.identity.EnvironmentCredentialBuilder;\n\nEnvironmentCredential credential = new EnvironmentCredentialBuilder().build();\n```\n\n### Required Environment Variables\n\n**For service principal with 
secret:**\n```bash\nAZURE_TENANT_ID=\u003Ctenant-id>\nAZURE_CLIENT_ID=\u003Cclient-id>\nAZURE_CLIENT_SECRET=\u003Cclient-secret>\n```\n\n**For service principal with certificate:**\n```bash\nAZURE_TENANT_ID=\u003Ctenant-id>\nAZURE_CLIENT_ID=\u003Cclient-id>\nAZURE_CLIENT_CERTIFICATE_PATH=\u002Fpath\u002Fto\u002Fcert.pem\nAZURE_CLIENT_CERTIFICATE_PASSWORD=\u003Coptional-password>\n```\n\n**For username\u002Fpassword:**\n```bash\nAZURE_TENANT_ID=\u003Ctenant-id>\nAZURE_CLIENT_ID=\u003Cclient-id>\nAZURE_USERNAME=\u003Cusername>\nAZURE_PASSWORD=\u003Cpassword>\n```\n\n## Azure CLI Credential\n\nFor local development using `az login`.\n\n```java\nimport com.azure.identity.AzureCliCredential;\nimport com.azure.identity.AzureCliCredentialBuilder;\n\nAzureCliCredential credential = new AzureCliCredentialBuilder()\n    .tenantId(\"\u003Ctenant-id>\")  \u002F\u002F Optional: specific tenant\n    .build();\n```\n\n## Interactive Browser\n\nFor desktop applications requiring user login.\n\n```java\nimport com.azure.identity.InteractiveBrowserCredential;\nimport com.azure.identity.InteractiveBrowserCredentialBuilder;\n\nInteractiveBrowserCredential credential = new InteractiveBrowserCredentialBuilder()\n    .clientId(\"\u003Cclient-id>\")\n    .redirectUrl(\"http:\u002F\u002Flocalhost:8080\")  \u002F\u002F Must match app registration\n    .build();\n```\n\n## Device Code\n\nFor headless devices (IoT, CLI tools).\n\n```java\nimport com.azure.identity.DeviceCodeCredential;\nimport com.azure.identity.DeviceCodeCredentialBuilder;\n\nDeviceCodeCredential credential = new DeviceCodeCredentialBuilder()\n    .clientId(\"\u003Cclient-id>\")\n    .challengeConsumer(challenge -> {\n        \u002F\u002F Display to user\n        System.out.println(challenge.getMessage());\n    })\n    .build();\n```\n\n## Chained Credential\n\nCreate custom authentication chains.\n\n```java\nimport com.azure.identity.ChainedTokenCredential;\nimport 
com.azure.identity.ChainedTokenCredentialBuilder;\nimport com.azure.identity.AzureCliCredentialBuilder;\nimport com.azure.identity.ManagedIdentityCredentialBuilder;\n\nChainedTokenCredential credential = new ChainedTokenCredentialBuilder()\n    .addFirst(new ManagedIdentityCredentialBuilder().build())\n    .addLast(new AzureCliCredentialBuilder().build())\n    .build();\n```\n\n## Workload Identity (AKS)\n\nFor Azure Kubernetes Service with workload identity.\n\n```java\nimport com.azure.identity.WorkloadIdentityCredential;\nimport com.azure.identity.WorkloadIdentityCredentialBuilder;\n\n\u002F\u002F Reads from AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE\nWorkloadIdentityCredential credential = new WorkloadIdentityCredentialBuilder().build();\n\n\u002F\u002F Or explicit configuration\nWorkloadIdentityCredential explicitCredential = new WorkloadIdentityCredentialBuilder()\n    .tenantId(\"\u003Ctenant-id>\")\n    .clientId(\"\u003Cclient-id>\")\n    .tokenFilePath(\"\u002Fvar\u002Frun\u002Fsecrets\u002Fazure\u002Ftokens\u002Fazure-identity-token\")\n    .build();\n```\n\n## Token Caching\n\nToken caching is enabled by default (in memory) and improves performance.\n\n```java\n\u002F\u002F In-memory token caching is on by default; no builder option is required\nDefaultAzureCredential credential = new DefaultAzureCredentialBuilder()\n    .build();\n\n\u002F\u002F With shared token cache (for multi-credential scenarios)\nSharedTokenCacheCredential sharedCacheCredential = new SharedTokenCacheCredentialBuilder()\n    .clientId(\"\u003Cclient-id>\")\n    .build();\n```\n\n## Sovereign Clouds\n\n```java\nimport com.azure.identity.AzureAuthorityHosts;\nimport com.azure.identity.DefaultAzureCredential;\nimport com.azure.identity.DefaultAzureCredentialBuilder;\n\n\u002F\u002F Azure Government\nDefaultAzureCredential govCredential = new DefaultAzureCredentialBuilder()\n    .authorityHost(AzureAuthorityHosts.AZURE_GOVERNMENT)\n    .build();\n\n\u002F\u002F Azure China\nDefaultAzureCredential chinaCredential = new DefaultAzureCredentialBuilder()\n    .authorityHost(AzureAuthorityHosts.AZURE_CHINA)\n    .build();\n```\n\n## Error Handling\n\n```java\nimport 
com.azure.identity.CredentialUnavailableException;\nimport com.azure.identity.DefaultAzureCredential;\nimport com.azure.identity.DefaultAzureCredentialBuilder;\nimport com.azure.core.credential.AccessToken;\nimport com.azure.core.credential.TokenRequestContext;\nimport com.azure.core.exception.ClientAuthenticationException;\n\ntry {\n    DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();\n    \u002F\u002F getToken returns Mono\u003CAccessToken>; block() waits for the result\n    AccessToken token = credential.getToken(new TokenRequestContext()\n        .addScopes(\"https:\u002F\u002Fmanagement.azure.com\u002F.default\"))\n        .block();\n} catch (CredentialUnavailableException e) {\n    \u002F\u002F No credential could authenticate\n    System.out.println(\"Authentication failed: \" + e.getMessage());\n} catch (ClientAuthenticationException e) {\n    \u002F\u002F Authentication error (wrong credentials, expired, etc.)\n    System.out.println(\"Auth error: \" + e.getMessage());\n}\n```\n\n## Logging\n\nEnable authentication logging for debugging.\n\n```java\n\u002F\u002F Via environment variable\n\u002F\u002F AZURE_LOG_LEVEL=verbose\n\n\u002F\u002F Or programmatically\nDefaultAzureCredential credential = new DefaultAzureCredentialBuilder()\n    .enableAccountIdentifierLogging()  \u002F\u002F Log account info\n    .build();\n```\n\n## Environment Variables\n\n```bash\n# DefaultAzureCredential configuration\nAZURE_TENANT_ID=\u003Ctenant-id>\nAZURE_CLIENT_ID=\u003Cclient-id>\nAZURE_CLIENT_SECRET=\u003Cclient-secret>\n\n# Managed Identity\nAZURE_CLIENT_ID=\u003Cuser-assigned-mi-client-id>\n\n# Workload Identity (AKS)\nAZURE_FEDERATED_TOKEN_FILE=\u002Fvar\u002Frun\u002Fsecrets\u002Fazure\u002Ftokens\u002Fazure-identity-token\n\n# Logging\nAZURE_LOG_LEVEL=verbose\n\n# Authority host\nAZURE_AUTHORITY_HOST=https:\u002F\u002Flogin.microsoftonline.com\u002F\n```\n\n## Best Practices\n\n1. **Use DefaultAzureCredential** - Works seamlessly from dev to production\n2. **Managed Identity in Production** - No secrets to manage, automatic rotation\n3. **Azure CLI for Local Dev** - Run `az login` before running your app\n4. **Least Privilege** - Grant only required permissions to service principals\n5. 
**Token Caching** - Enabled by default, reduces auth round-trips\n6. **Environment Variables** - Use for CI\u002FCD, not hardcoded secrets\n\n## Credential Selection Matrix\n\n| Environment | Recommended Credential |\n|-------------|----------------------|\n| Local Development | `DefaultAzureCredential` (uses Azure CLI) |\n| Azure App Service | `DefaultAzureCredential` (uses Managed Identity) |\n| Azure Functions | `DefaultAzureCredential` (uses Managed Identity) |\n| Azure Kubernetes Service | `WorkloadIdentityCredential` |\n| Azure VMs | `DefaultAzureCredential` (uses Managed Identity) |\n| CI\u002FCD Pipeline | `EnvironmentCredential` |\n| Desktop App | `InteractiveBrowserCredential` |\n| CLI Tool | `DeviceCodeCredential` |\n\n## Trigger Phrases\n\n- \"Azure authentication Java\", \"DefaultAzureCredential Java\"\n- \"managed identity Java\", \"service principal Java\"\n- \"Azure login Java\", \"Azure credentials Java\"\n- \"AZURE_CLIENT_ID\", \"AZURE_TENANT_ID\"\n\n## When to Use\nUse this skill when the task involves the workflow or actions described in the overview.\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,141,521,"2026-05-16 13:06:28",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"Software Development","coding","mdi-code-braces","Code generation, debugging, and review to improve development efficiency",2,"2026-05-16 
12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"DevOps","devops","mdi-cog-outline","CI\u002FCD, containerization, deployment and operations",3,162,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"c63f0504-8ce3-473c-a94f-3fd012a723f2","1.0.0","azure-identity-java.zip",3171,"uploads\u002Fskills\u002F59820e57-8bf7-4389-8765-c3908dc581fa\u002Fazure-identity-java.zip","aa7fc3d30217397c91a7f5a76b14586069c09e3752bd54b161b26a9b01f8e056","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":11338}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]